OTP (One-Time Password) via SMS is used to optionally verify the guest's phone number during ordering. It links the order to a customer profile and enables SMS receipts and loyalty handling. This article explains how the flow works, what limits apply, and how you help guests who run into problems.
When is OTP used?
OTP verification is triggered in two scenarios:
- At checkout – the guest enters name + phone to link the order to a customer profile
- When redeeming loyalty points – always required before points can be used (to secure ownership)
OTP is optional for basic orders – the guest can order as an anonymous guest without a phone.
The flow step by step
- The guest enters their phone number in the chat (e.g., "070-123 45 67")
- The number is normalized to international format (+46701234567)
- Rate limits are checked (see below)
- A 6-digit code is generated server-side with 10-minute validity
- SMS is sent via ClickSend: "Your Vendion code is: 123456. Valid for 10 minutes."
- The guest enters the code in the chat
- The code is verified – if correct and not expired: verified
- Customer profile is created/matched automatically
- The session is saved in the browser
Rate limits
All limits are set to protect against SMS spam and fraud:
| Limit | Value |
|---|---|
| Per phone number – between sends | 1 per 5 minutes |
| Per phone number – per 24h | 10 per 24 hours |
| Per user | 3 per 10 minutes |
| Per fingerprint (network + browser) | 5 per 10 minutes |
| Code validity time | 10 minutes |
Cost per SMS
Each OTP SMS costs SEK 0.89 (via ClickSend). This is covered by Vendion's SMS quota for your subscription and counts toward your monthly consumption. For a typical restaurant with ~500 orders/month where 30% verify phone, the cost is about SEK 134/month.
Common problems and solutions
The guest doesn't receive the SMS
Causes:
- Wrong format on the number (e.g., 0-46 instead of +46)
- Phone number blocked for SMS (common for prepaid cards outside Sweden)
- SMS ended up in spam filter
- ClickSend provider network has issues
Action:
- Wait 5 minutes and try again
- Check that the number is Swedish (ClickSend supports +46 primarily)
- Ask the guest to check their SMS inbox and spam folder
- Fall back to ordering without OTP if possible
The guest has received too many codes today
If the guest has tried 10 times within 24 hours, further sends are blocked. Ask the guest to wait until the next day, or use a different phone number.
The code is invalid
- The code has expired (more than 10 min old)
- The code has already been used
- Incorrect code entered
Ask the guest to request a new code.
Fingerprint blocks
If the guest uses shared WiFi (e.g., the restaurant's) and multiple guests verify from the same network with the same browser, the fingerprint limit can be reached. Wait 10 minutes or ask the guest to use mobile network.
Security
- SMS provider: ClickSend sends all SMS
- Normalization: All numbers converted to international format
- Security: The code is stored encrypted on the server side, not in plain text
Privacy and GDPR
- Phone numbers are stored as customer profile only after verified code
- The guest can unregister by contacting the restaurant (supported via CRM)
- SMS messages are not saved – only send logs for debugging
- Security data is cleared after 30 days
Alternative if OTP doesn't work
If your guest can't verify via OTP, they can still complete the order as an anonymous guest. They then lose:
- SMS receipt
- Link to loyalty points
- Order history linked to profile
But the order still goes through to the kitchen and payment works as usual.