MisarMisar Docs
MisarMailMisar.BlogMisarReachMisarPostMisar.DevMisarSEOMisar PlatformMisar SSO
API Reference

Consent & Opt-in API

Double opt-in capture, STOP/opt-out handling, and the delivery-events webhook — how MisarReach proves consent and honours revocation across email, SMS, and WhatsApp.

MisarReach gates every consent-required send (SMS, WhatsApp, and the reply-window social channels) on a recorded opt-in, and honours a STOP the instant it arrives on any channel. These endpoints are how that consent is captured and revoked. They are public — the person using them is a prospect, not a MisarReach account holder.

The consent gate fails closed: a send with no matching opt-in record is blocked. A blocked message costs one message; an unconsented SMS costs $500–$1,500 under the TCPA, with a private right of action.

Double opt-in

Consent is captured in two legs. Nothing is recorded until the prospect clicks the confirmation link — a single-click form submission is not consent under GDPR/Planet49, and CASL puts the burden of proof on the sender.

Request a confirmation

POST api.misar.io/reach/api/consent/request

Sends the prospect a confirmation message. It records nothing.

{
  "w": "<public opt-in slug>",
  "channel": "sms" | "whatsapp" | "email",
  "address": "+14155550100"
}

Rate-limited per source IP and per target address (3 / 24h) so it can't be used to blast one number with confirmation messages. Always returns a generic 200 — confirming whether an address is already known would leak the workspace's contact list.

Confirm

GET api.misar.io/reach/api/consent/confirm?token=<token>

The link in the confirmation message. Clicking it writes the express-consent record and redirects to a success page. The token is HMAC-signed, carries the exact disclosure text the prospect saw, expires in 48h, and is domain-separated (typ: "consent") so it cannot be replayed as any other token.

Proof-of-consent is captured on confirm — user agent, referer, IP, and a SHA-256 of the disclosure — because under CASL/TCPA the sender must be able to prove what the person agreed to.

Public opt-in page

GET /opt-in/<slug> renders the hosted opt-in form. The consent checkbox is unticked and required — a pre-ticked box is not consent.

Opt-out (STOP)

Revocation is channel-agnostic and always honoured.

  • SMS — Twilio delivers inbound messages to api.misar.io/reach/api/sms/inbound. STOP, UNSUBSCRIBE, and any opt-out phrased "in a reasonable manner" (e.g. "take me off your list") suppress the number and revoke consent.
  • WhatsApp — inbound STOP (including the tappable "Stop promotions" button) arrives on the Meta webhook (.../api/webhooks/meta) and does the same.

A revocation both suppresses the address and clears its consent record, so an opt-out survives a re-import of the same lead.

These inbound webhook routes are unauthenticated by necessity (Twilio and Meta carry no session), and are verified by provider signature, fail-closed. They are exempt from the SSO middleware.

Delivery-events webhook

POST api.misar.io/reach/api/webhooks/mail-events

MisarMail posts delivery, open, click, and bounce events back to MisarReach here. Requests are signed with an HMAC over {timestamp}.{body} (x-reach-signature + x-reach-timestamp) and rejected if older than 5 minutes, so a captured event cannot be replayed to cancel a recipient's sequence.

Country & channel rules

RegionCold emailCold SMS/voiceDirect mail
USOpt-out (CAN-SPAM)Consent (TCPA)Allowed
DE / AT / CH / LIProhibitedProhibitedAllowed
CA / AUPublished-address only (CASL)ConsentAllowed
IN (+91)DLT registration requiredAllowed

Sends that a region prohibits are recorded as skipped with a reason, never silently dropped.