Konfirm
Add to Shopify

Overview

Konfirm is a Shopify app that automatically verifies Cash on Delivery (COD) orders before they ship. When a customer places a COD order, Konfirm immediately sends them a 6-digit OTP via SMS and/or Email. The customer enters the OTP on the Shopify thank-you page or via the link in the message to confirm or cancel their order.

The result is tagged in real time on the Shopify order — cod-confirmed or cod-cancelled — so your fulfilment team always knows which orders are safe to ship.

Key benefits

  • Reduce Return-to-Origin (RTO) losses from unverified COD orders
  • Built-in SMS (Twilio) and Email (Resend) — no setup needed. Optionally bring your own provider.
  • Two verification paths: Shopify checkout extension + standalone OTP page
  • No change to your store's checkout or theme required
  • Embedded dashboard in Shopify admin — no separate login
WhatsApp coming soon. WhatsApp notification delivery is on the roadmap as a third channel alongside SMS and Email.

Installation

1

Install from Shopify App Store

Click Add app on the Konfirm listing page. You'll be redirected through Shopify's OAuth flow to grant the required permissions (read_orders, write_orders).

2

Configure your SMS provider

Go to Settings → SMS and enter your MSG91 API key or Twilio credentials. See SMS Providers for details.

3

Configure Email (optional but recommended)

Go to Settings → Email and enter your SMTP credentials. Konfirm will send OTP emails from your own domain. See Email (SMTP) for details.

4

Enable the checkout extension

In your Shopify admin, go to Online Store → Customize → Thank you page and add the Konfirm COD Verify block. This shows the OTP input widget directly on the order confirmation page.

Webhook registration is automatic. Konfirm registers the orders/create and app/uninstalled webhooks automatically during installation. You don't need to configure anything in Shopify manually.

Requirements

RequirementDetails
Shopify planAny paid Shopify plan (Basic and above)
SMSNone required — Konfirm includes built-in SMS via Twilio. Optional: bring your own MSG91 or Twilio account.
EmailNone required — Konfirm includes built-in email via Resend. Optional: configure custom SMTP for your own domain.
COD gatewayA Shopify payment method configured for COD / Cash on Delivery
Checkout extensionOnline Store 2.0 theme (required for the OTP widget on the thank-you page)

SMS Providers

By default, Konfirm sends SMS via its own built-in Twilio account. No setup is required — install the app and OTPs go out immediately.

If you want to use a custom sender ID, a DLT-approved template (India), or your own Twilio billing, enable Use your own SMS provider in Settings → SMS and enter your credentials below.

MSG91 (optional — India recommended)

Recommended for high-volume SMS in India. Required if you need a DLT-approved sender ID.

FieldWhere to find it
API KeyMSG91 dashboard → API → Auth Key
Sender IDYour DLT-approved sender ID (e.g. MYSHOP)
Template IDYour DLT-approved template ID (required for India)
India DLT compliance. If you are sending SMS to Indian phone numbers, your MSG91 sender ID and message template must be registered and approved under India's DLT (Distributed Ledger Technology) system via the MSG91 portal. Approval typically takes 1–3 business days. This is a regulatory requirement — not a Konfirm limitation.

Twilio (optional — bring your own account)

Use this if you want OTPs billed to your own Twilio account or need a specific Twilio number.

FieldWhere to find it
Account SIDTwilio console → Dashboard → Account Info
Auth TokenTwilio console → Dashboard → Account Info
From numberYour Twilio phone number or Messaging Service SID
Only one SMS provider is active at a time. Switch providers from Settings → SMS Provider at any time without losing any order data.

Email

By default, Konfirm sends OTP emails via its own built-in Resend mailer (from noreply@konfirm.pacificsoftwares.com). No SMTP setup is required.

To send emails from your own domain (e.g. orders@yourstore.com), enable Use custom SMTP in Settings → Email and fill in the fields below.

SettingDescription
SMTP HostYour mail server hostname, e.g. smtp.gmail.com
SMTP Port587 (TLS) or 465 (SSL). Default: 587
Encryptiontls, ssl, or none
UsernameYour SMTP login (usually your email address)
PasswordYour SMTP password or app-specific password
From addresse.g. orders@yourstore.com
From namee.g. YourStore Orders

Common provider settings

# Gmail (use an App Password if 2FA is enabled) SMTP Host: smtp.gmail.com Port: 587 Encryption: tls Username: you@gmail.com # SendGrid SMTP Host: smtp.sendgrid.net Port: 587 Username: apikey Password: SG.xxxxxxxxxxxxxxxx (your API key) # Mailgun SMTP Host: smtp.mailgun.org Port: 587 Username: postmaster@mg.yourdomain.com
Use the Send test email button in Settings to verify your SMTP configuration before going live.

Message Templates

Both the SMS body and the email body are fully customisable from Settings → Templates. Use the variable placeholders below to personalise each message.

Default SMS template

Hi {name}, your COD order {order} of {amount} {currency} needs verification. Your OTP is {otp}. Enter on the order page or verify here: {verify_url}

Available variables

VariableExample valueDescription
{name}Aarav SharmaCustomer's first name
{order}#1043Shopify order number
{amount}1,299.00Order total, formatted
{currency}INROrder currency code
{otp}482917The 6-digit OTP code
{verify_url}https://…/verify/t4x…Direct link to the OTP entry page
SMS length. Keep your SMS template under 160 characters to avoid carrier splitting into multiple messages. The default template is ~140 characters.

Retry Logic Pro

On the Pro plan, Konfirm will automatically re-send the OTP if the customer hasn't responded after a configurable delay.

SettingDefaultRange
Retry count10 – 3
Retry delay30 minutes15 – 120 minutes

If all retries are exhausted and the order is still unverified after 24 hours, the order status is set to expired and tagged cod-expired in Shopify.

Auto-cancel on Rejection Pro

When enabled, Konfirm will automatically call the Shopify Cancel Order API the moment a customer chooses to cancel via the OTP page. This removes manual work for your team.

  • The cancellation reason is set to customer in Shopify
  • Shopify's default cancellation email is suppressed — Konfirm has already notified the customer
  • A note is added to the order timeline: "Cancelled by customer via Konfirm COD verification"
This setting is irreversible for the order. Enable it only if your fulfilment workflow supports automatic cancellations.

Order Flow

Here is the complete lifecycle of a COD order through Konfirm:

  1. Customer places a COD order on your Shopify store.
  2. Shopify fires an orders/create webhook to Konfirm within seconds.
  3. Konfirm validates the order is COD, checks the free-plan limit, and queues a background job.
  4. The job creates a CodOrder record and a unique 6-digit OTP token (valid 24 hours).
  5. A second job fires 15 seconds later and sends the OTP via SMS and/or Email.
  6. The customer enters their OTP on the thank-you page or the verification link.
  7. On success, the order status is updated atomically and the Shopify order is tagged.

Order status values

StatusShopify tagMeaning
pendingOTP sent, waiting for customer response
confirmedcod-confirmedCustomer entered correct OTP and chose Confirm
cancelledcod-cancelledCustomer entered correct OTP and chose Cancel
expiredcod-expiredOTP expired after 24 hours with no response

OTP Verification

Customers can verify their order via two paths:

Path 1 — Shopify thank-you page

The Konfirm checkout extension injects an OTP entry widget on the Shopify order confirmation (thank-you) page. The widget polls for the OTP in the background and shows the entry form once the OTP is ready (typically 15–30 seconds after checkout).

Path 2 — Verification link

The SMS and email both contain a direct link (/verify/{token}). Tapping the link opens a mobile-optimised page where the customer types their OTP and clicks Confirm or Cancel.

OTP security

  • OTPs are 6-digit numeric codes, generated securely per order
  • Each OTP is valid for 24 hours and single-use
  • After 5 incorrect attempts the token is locked
  • Non-numeric or wrong-length inputs are rejected before consuming an attempt
  • Confirmation is atomic — two simultaneous submits cannot both succeed

Checkout Extension

Konfirm includes a Shopify checkout extension that renders an OTP entry widget on the purchase.thank-you page. No theme code changes are required.

Activating the extension

  1. In your Shopify admin, go to Online Store → Themes → Customize
  2. In the page selector, choose Order status / Thank you
  3. Click Add block and search for Konfirm COD Verify
  4. Add and position the block, then click Save
The extension only shows for COD orders. For non-COD orders it renders nothing, so it is safe to add to all pages.

How the widget works

After checkout, the extension polls /api/checkout/status every 2 seconds until the background job has generated the OTP (usually within 15–30 seconds). Once ready, the OTP input form appears. The customer enters their code and clicks Confirm or Cancel.

Order Tags

Konfirm writes tags directly to the Shopify order via the Admin API. You can use these tags to filter orders, trigger automations in Shopify Flow, or drive your fulfilment logic.

TagWhen applied
cod-confirmedCustomer confirmed their order
cod-cancelledCustomer cancelled their order
cod-expiredOTP expired after 24 hours with no response

Using tags in Shopify Flow

Example automation: When order tag contains cod-confirmed → assign to fulfilment queue.

Example automation: When order tag contains cod-cancelled → notify fulfilment team, skip picking.

Free Plan

  • 30 COD confirmations per month, per store
  • SMS via MSG91 or Twilio (your own credentials)
  • Email via any SMTP
  • Real-time order tagging
  • Dashboard
  • No retry logic, no auto-cancel

The counter resets on the 1st of each calendar month. When the limit is reached, new COD orders are not processed until the counter resets or you upgrade to Pro.

Pro Plan

  • Unlimited COD confirmations
  • Smart retry logic (up to 3 retries, configurable delay)
  • Auto-cancel on rejection
  • Custom SMS and email message templates
  • Priority support
  • 7-day free trial

Billing is handled by Shopify's recurring app charge — you can upgrade and cancel directly from your Shopify admin at any time.

COD Detection

Konfirm identifies COD orders by inspecting the gateway field on the Shopify order payload. Orders are treated as COD if the gateway value matches any of the following:

cash on delivery cod manual (empty string) or any gateway that contains the substring "cod"

If you use a custom COD gateway name, contact support to add it to your detection rules.

Webhooks

Konfirm registers the following webhooks automatically on install. All are verified with Shopify's HMAC signature.

TopicPurpose
orders/createTriggers COD detection and OTP dispatch
app/uninstalledMarks the shop as uninstalled, revokes access token
customers/data_requestGDPR — emails customer data export to shop owner
customers/redactGDPR — anonymises customer PII in Konfirm database
shop/redactGDPR — deletes all shop data 48 hours after uninstall
Webhook endpoints always respond with 200 OK immediately and process the payload asynchronously via a background queue. This ensures Shopify never retries due to a slow response.

GDPR Compliance

Konfirm implements all three Shopify-mandatory GDPR webhooks:

customers/data_request

When Shopify sends a data request for a customer, Konfirm emails a summary of all COD order records held for that customer (order number, amount, status, date) to the shop owner's registered email address.

customers/redact

Anonymises customer_phone, customer_email, and sets customer_name to [redacted] for all matching COD orders within that shop. The scope is strictly limited to the requesting shop — no cross-shop data is affected.

shop/redact

Deletes all data for a shop (including COD orders, SMS attempts, tokens, and settings) 48 hours after uninstall. Only triggers if the shop has an uninstalled_at timestamp — active shops are never affected.

FAQ

Does Konfirm work out of the box without any configuration?

Yes. Konfirm includes built-in SMS (via Twilio) and built-in email (via Resend). Install the app, add the checkout extension to your theme, enable COD as a payment method, and you're done. No API keys or SMTP setup needed unless you want to use your own provider.

What happens if the SMS fails to deliver?

Konfirm logs every SMS attempt. If the SMS provider returns an error, the job is retried up to 3 times with a 2-minute backoff. If all retries fail, the attempt is logged as failed and you'll see it in the Dashboard. Email is sent independently as a fallback.

Does Konfirm work with headless / custom storefronts?

Partially. The webhook-based OTP dispatch works for any Shopify store regardless of storefront. The checkout extension (OTP widget on the thank-you page) requires Shopify's native checkout and Online Store 2.0. For headless storefronts, customers use the link in the SMS/email to verify.

Will it interfere with my existing order automations?

No. Konfirm only reads orders via the webhook and writes order tags. It does not modify order status, payment status, fulfilment status, or any other Shopify order field beyond tags.

Can I change the verification link domain?

The verification link uses your Konfirm app URL. Custom domain support is on the roadmap.

Contact & Support

Have a question not covered here? We're happy to help.

When contacting support, include your Shopify store domain and the order number(s) you're having trouble with. This helps us resolve issues much faster.