One-Time Passwords
Published by Andrew Pantalone on May 12, 2025
One-time passwords (OTPs) enable users to authenticate using a short-lived, single-use authentication code generated by OrderCloud. They can be thought of as temporary passwords for users who have forgotten or temporarily don't have access to their user password but who do not wish to reset their password.
Requesting a One-Time Password
To enable one-time passwords in a marketplace, the marketplace owner must first configure the new message sender type, OneTimePassword, so that users can receive the temporary passwords
A new endpoint, POST v1/password/onetimepassword, allows users to request the OTP
A request can be made with either Username or Email
If more than one username is associated with the provided Email, a message sender will be triggered with a unique OTP for each username
If both Email and Username are provided and the Email doesn't match the Username, no message sender will be triggered
The message generated by the OneTimePassword message sender will contain all the information necessary to authenticate, namely the API Client ID, the username, and the OTP itself
OTPs expire 10 minutes after being requested
New Resource: OneTimePasswordRequest
{
  "ClientID": "",
  "Username": "",
  "Email": ""
}
New Endpoints
POST v1/password/onetimepassword
Authenticating with a One-Time Password
Request a token using the password grant type and the username, passing the one-time password as you would the user password
Note that failed authentication attempts with one-time passwords are tracked as they would be for user passwords and count towards account lockout
Once a user has successfully authenticated with an OTP, it can never be reused
POST https://sandboxapi.ordercloud.io/oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded;

client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&grant_type=password&username={insert-username}&password={insert-otp}&scope=Shopper
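The two calls described above, built with Python's standard library as an added example (not OrderCloud's own code). It assumes the v1 route is served from the same sandbox host as the token example and that the OTP request body is sent as JSON; the function names are illustrative.

```python
import json
import urllib.parse
import urllib.request

# Assumption: the sandbox host from the token example also serves the v1 route.
API_BASE = "https://sandboxapi.ordercloud.io"
OTP_TTL_SECONDS = 10 * 60  # OTPs expire 10 minutes after being requested


def build_otp_request(client_id, username="", email=""):
    """Build (not send) the POST v1/password/onetimepassword call."""
    if not (username or email):
        raise ValueError("provide Username, Email, or both")
    body = {"ClientID": client_id, "Username": username, "Email": email}
    return urllib.request.Request(
        f"{API_BASE}/v1/password/onetimepassword",
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"},  # assumed content type
        method="POST",
    )


def build_token_request(client_id, username, otp, scope="Shopper"):
    """Build (not send) the password-grant call, with the OTP as the password."""
    # urlencode percent-encodes every value, so a username such as
    # "jo+shopper@example.com" is not mangled the way naive string
    # substitution into the form template would mangle it.
    form = urllib.parse.urlencode({
        "client_id": client_id,
        "grant_type": "password",
        "username": username,
        "password": otp,
        "scope": scope,
    })
    return urllib.request.Request(
        f"{API_BASE}/oauth/token",
        data=form.encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def otp_still_valid(requested_at, now):
    """Client-side check (epoch seconds) before submitting an OTP: failed
    attempts count toward account lockout, so skip codes past the window."""
    return 0 <= now - requested_at < OTP_TTL_SECONDS
```

Either request object can be passed to `urllib.request.urlopen` to send it.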