Consent & Opt-in API
Double opt-in capture, STOP/opt-out handling, and the delivery-events webhook — how MisarReach proves consent and honours revocation across email, SMS, and WhatsApp.
MisarReach gates every consent-required send (SMS, WhatsApp, and the reply-window social channels) on a recorded opt-in, and honours a STOP the instant it arrives on any channel. These endpoints are how that consent is captured and revoked. They are public — the person using them is a prospect, not a MisarReach account holder.
The consent gate fails closed: a send with no matching opt-in record is blocked. A blocked message costs one message; an unconsented SMS costs $500–$1,500 under the TCPA, with a private right of action.
Double opt-in
Consent is captured in two legs. Nothing is recorded until the prospect clicks the confirmation link — a single-click form submission is not consent under GDPR/Planet49, and CASL puts the burden of proof on the sender.
Request a confirmation
POST api.misar.io/reach/api/consent/request
Sends the prospect a confirmation message. It records nothing.
{
"w": "<public opt-in slug>",
"channel": "sms" | "whatsapp" | "email",
"address": "+14155550100"
}Rate-limited per source IP and per target address (3 / 24h) so it can't be used to blast one number with confirmation messages. Always returns a generic 200 — confirming whether an address is already known would leak the workspace's contact list.
Confirm
GET api.misar.io/reach/api/consent/confirm?token=<token>
The link in the confirmation message. Clicking it writes the express-consent record and redirects to a success page. The token is HMAC-signed, carries the exact disclosure text the prospect saw, expires in 48h, and is domain-separated (typ: "consent") so it cannot be replayed as any other token.
Proof-of-consent is captured on confirm — user agent, referer, IP, and a SHA-256 of the disclosure — because under CASL/TCPA the sender must be able to prove what the person agreed to.
Public opt-in page
GET /opt-in/<slug> renders the hosted opt-in form. The consent checkbox is unticked and required — a pre-ticked box is not consent.
Opt-out (STOP)
Revocation is channel-agnostic and always honoured.
- SMS — Twilio delivers inbound messages to
api.misar.io/reach/api/sms/inbound. STOP, UNSUBSCRIBE, and any opt-out phrased "in a reasonable manner" (e.g. "take me off your list") suppress the number and revoke consent. - WhatsApp — inbound STOP (including the tappable "Stop promotions" button) arrives on the Meta webhook (
.../api/webhooks/meta) and does the same.
A revocation both suppresses the address and clears its consent record, so an opt-out survives a re-import of the same lead.
These inbound webhook routes are unauthenticated by necessity (Twilio and Meta carry no session), and are verified by provider signature, fail-closed. They are exempt from the SSO middleware.
Delivery-events webhook
POST api.misar.io/reach/api/webhooks/mail-events
MisarMail posts delivery, open, click, and bounce events back to MisarReach here. Requests are signed with an HMAC over {timestamp}.{body} (x-reach-signature + x-reach-timestamp) and rejected if older than 5 minutes, so a captured event cannot be replayed to cancel a recipient's sequence.
Country & channel rules
| Region | Cold email | Cold SMS/voice | Direct mail |
|---|---|---|---|
| US | Opt-out (CAN-SPAM) | Consent (TCPA) | Allowed |
| DE / AT / CH / LI | Prohibited | Prohibited | Allowed |
| CA / AU | Published-address only (CASL) | Consent | Allowed |
| IN (+91) | — | DLT registration required | Allowed |
Sends that a region prohibits are recorded as skipped with a reason, never silently dropped.