POST /sso/stores/company
SSO Redirection API
curl --request POST \
  --url https://stagingstores.xoxoday.com/chef/v1/oauth/sso/stores/company \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "user_input": "john.doe@example.com",
  "tpd": {
    "auth_token": "Your own key",
    "unique_id": "736517181",
    "email": {
      "default_value": "john.doe@example.com",
      "editable": true,
      "hidden": false,
      "support_alternate": true
    },
    "phone": {
      "default_value": "987654321",
      "phone_code": "+91",
      "editable": false,
      "hidden": false
    },
    "otp": "primary_email"
  }
}
'
{
  "data": {
    "ssoToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
  }
}


Key Pointers

  1. The SSO API is based on SAML 2.0 standards.
  2. If the user account does not exist in Xoxoday, one will be created automatically.
  3. The API returns an ssoToken which is used for redirecting the user securely into the StoreFront.

Implementation Details

Headers

  1. Content-Type: application/json
  2. Authorization: Bearer <access_token>
Note: Learn how to generate an access token here.

Redirection URL format

{OAUTH_URL}/chef/v1/oauth/redirect/stores/{ssoToken} 
for:
Note: Replace {ssoToken} with the SSO token received in the response of this API.

Editable Fields at Checkout

  1. Email and phone values can be marked as editable or non-editable at checkout.
  2. Fields can also be hidden if you don’t want them shown to the user.

OTP Verification

You can configure OTP validation for checkout on primary email, primary phone, alternate email, or disable it.

SSO Redirection API Request Schema

| Parameter | Type | Description |
|---|---|---|
| user_input | String | End user’s email address. Used to create or fetch the account in Xoxoday. |
| tpd | Object | Third-party data object containing user identity, authorization details and any custom parameter for each user. |
| tpd.auth_token | String | Token provided by the client. Xoxoday will use this for subsequent API calls (balance, transaction, refund, verification). |
| tpd.unique_id | String | Unique identifier for the user. |
| tpd.email | Object | Email configuration object for the user. |
| tpd.email.default_value | String | Actual email ID of the user. Can be updated without affecting account history. |
| tpd.email.editable | Boolean | If false, the user cannot edit the email at checkout. |
| tpd.email.hidden | Boolean | If true, the email field will be hidden at checkout. |
| tpd.email.support_alternate | Boolean | If false, no alternate email option will be shown. |
| tpd.phone | Object | Phone configuration object for the user. |
| tpd.phone.default_value | String | Phone number of the user. |
| tpd.phone.phone_code | String | Country code of the phone number (e.g., +91). |
| tpd.phone.editable | Boolean | If false, the user cannot edit the phone number at checkout. |
| tpd.phone.hidden | Boolean | If true, the phone field will be hidden at checkout. |
| tpd.otp | String | Mode of OTP validation. Possible values: primary_email, primary_phone, alternate_email, none. |

Response Schema

| Parameter | Type | Description |
|---|---|---|
| data.ssoToken | String | Unique token generated upon successful validation. Used to redirect the user into Xoxoday StoreFront. Default validity is 14 days. |
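
An added example (not Xoxoday's code) of the server-side flow described above: it builds the request body with the email and phone fields locked, checks `tpd.otp` against the documented values, and turns the API response into the redirection URL. Because the token sits in the URL path and is valid for 14 days by default, `redact` masks it before the URL is logged. The host `oauth.example.test`, the function names, and the rule that a token contains only JWT-style characters are assumptions of this example.

```python
import re
from urllib.parse import quote

# Values listed for tpd.otp in the request schema.
OTP_MODES = {"primary_email", "primary_phone", "alternate_email", "none"}
# Assumption: tokens use only JWT-style characters (base64url plus dots).
TOKEN_CHARS = re.compile(r"[A-Za-z0-9_.-]+")
REDIRECT_PATH = "/chef/v1/oauth/redirect/stores/"


def build_sso_request(email, unique_id, auth_token, phone, phone_code,
                      otp="primary_email"):
    """Request body with email and phone locked (not editable) at checkout."""
    if otp not in OTP_MODES:
        raise ValueError(f"unsupported tpd.otp value: {otp!r}")
    return {
        "user_input": email,
        "tpd": {
            "auth_token": auth_token,
            "unique_id": unique_id,
            "email": {"default_value": email, "editable": False,
                      "hidden": False, "support_alternate": False},
            "phone": {"default_value": phone, "phone_code": phone_code,
                      "editable": False, "hidden": False},
            "otp": otp,
        },
    }


def redirect_url(oauth_url, response_json):
    """Build the redirection URL; reject a missing or malformed ssoToken."""
    token = (response_json.get("data") or {}).get("ssoToken")
    if not isinstance(token, str) or not TOKEN_CHARS.fullmatch(token):
        raise ValueError("response has no well-formed ssoToken")
    return oauth_url.rstrip("/") + REDIRECT_PATH + quote(token, safe="")


def redact(url):
    """Mask the token path segment before the URL is written to a log."""
    head, _, token = url.rpartition("/")
    return f"{head}/<ssoToken: {len(token)} chars>"


if __name__ == "__main__":
    # Constructed sample response; the token is a placeholder, not a real one.
    sample = {"data": {"ssoToken": "aaa.bbb.ccc"}}
    print(redact(redirect_url("https://oauth.example.test", sample)))
```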

Authorizations

Authorization (string, header, required)

Authorization: Bearer <access_token>

Body

application/json
user_input (string<email>, required)

End user's email address. Used to create or fetch the account in Xoxoday.

Example: "john.doe@example.com"

tpd (object, required)

Third-party data object containing user identity and authorization details.

Response

SSO token generated successfully.

data (object)