Wonderment Tracking Page Authentication and TrackingTokens

Updated by Brian Whalley

By default, your customers can look up their order with just a tracking number or their order number from Shopify. No personally identifying information (PII) is shown on a tracking page or in an API payload from Wonderment. Some stores still have sensitivity around this, for example if their order numbers are sequential. Wonderment's Tracking Page Authentication feature enables you to optionally add a second level of authentication to the order number lookup, by requiring the email address or phone number associated with the order during the lookup.

This feature adds an extra layer of security to your order tracking page, ensuring that only visitors with the order's email address or phone number can access their order information. This article will guide you through the process of enabling this feature and integrating it with your Klaviyo or other integrated accounts using the WondermentTrackingToken.

Tracking Page Authentication is a security feature that protects your order tracking page from unauthorized access. When enabled, customers will be required to provide their email address or phone number to look up their order on your site. This ensures that only the actual customer can view their order details, protecting sensitive information and providing a more secure customer experience.

How to Enable Tracking Page Authentication in Wonderment

There are two steps to enabling Page Authentication. First, change your email, SMS, or other messages that point customers to the tracking page so that they pass through a new encoded token. This ensures that a customer receiving a message can still easily see their shipment status. Once that's completed, change your tracking page to only work with that encoded token.

Change your integrated platforms to use TrackingToken

If you're using the Wonderment-supplied tracking page variables in other messages, like StorefrontTrackingURL, WondermentOrderTrackingURL or WondermentTrackingURL, you do not need to make any changes.

Your integrated events are already passing through a secured token so that customers can directly open the tracking page from a message. You can verify this is the case by opening a message in one of the platforms and seeing how you link to the tracking page. If you see one of those variables, you're all set.

For example, if you see a variable like this in your messages, you do not need to change anything:

Not using a URL event variable?

If you're not using one of those variables, you can also append the secured Token directly in the message. For example, this is common with headless sites, or sites using multiple tracking pages.

To ensure a seamless experience for customers receiving order updates through other platforms, you'll need to append the value named WondermentTrackingToken to your links as a query parameter named t. This token allows the tracking links in your Klaviyo emails to work correctly, enabling customers to access their order tracking page without needing to enter additional information.

Here's how to add the WondermentTrackingToken to your Klaviyo messages, if the path to your tracking page is mystore.com/pages/tracking: mystore.com/pages/tracking?t={{event.WondermentTrackingToken}}

In your Klaviyo account, edit each link that goes to your tracking page. The format you are using today is probably something like "?search={{event.OrderName}}" or "?search={{event.TrackingCode}}". Replace the section after the question mark, "search={{event.OrderName}}", with "t={{event.WondermentTrackingToken}}". You can then preview the message and test the link to make sure the new link is working.

In other platforms, you can select the WondermentTrackingToken variable and insert it in your URLs in the spot after the "?t=" to direct people to the completed tracking page. With the WondermentTrackingToken in place, your customers will enjoy a secure and frictionless tracking experience.

Shopify Notifications and Tracking Page Authentication

If you're using Shopify Notifications for transactional email instead of Klaviyo or another platform, you can still use Tracking Page Authentication. Shopify's Liquid templating language supports the necessary encoding to use this.

Instead of the above notifications, add this line to the top of the email: {% capture trackingtoken %}{ "query":"{{order.name}}", "email":"{{order.email}}"}{% endcapture %}

This creates a new variable named trackingtoken that can be added to the links in your Shopify emails. Replace the reference to OrderID or Tracking Number with {{trackingtoken | base64_encode }}. The screenshots below show this example.

Enforcing Tracking Page Authentication

Once you've made sure your messages are formatted correctly, you can set your page to require this validation. To enforce Tracking Page Authentication in Wonderment, follow these steps:

  1. Log in to your Wonderment account.
  2. Navigate to Integrations -> Events.
  3. Look for the Tracking Page Authentication option.
  4. Toggle the switch to turn on the feature.

Once enabled, customers visiting the Search page will be prompted to enter their email address or phone number with their order number to access their order tracking page. Customers can still look up an order with just a tracking number, if they have their tracking number. Wonderment also passes a Token to our integrated platforms, so that email, SMS, or other communications can pass someone directly to the rendered tracking page.

The Wonderment API

If you're a headless store or otherwise using the Wonderment API to interact with packages, you will need to supply the token yourself if you have Tracking Page Authentication enabled.

You can generate a t token yourself by base64 encoding the combination of order name and email address or phone number. For example, here's how to generate the token in Node.js/TypeScript:

// orderName is the order's name; customerEmail is the email address on the order
const params = {
  query: orderName,
  email: customerEmail
}
// Serialize to JSON, then base64 encode the result
const t = Buffer.from(JSON.stringify(params)).toString('base64')

This t can then be passed as an identifier to the Wonderment API to securely retrieve the shipment data associated with that order.

A phone number can also be used instead of email with the key name phone. When Wonderment generates the token for integration payloads, it uses the order name and email address to generate the token, or the phone number if an email address isn't available (for example, on phone-only checkouts).

// Same token shape, with the key phone in place of email
const params = {
  query: orderName,
  phone: phone
}
const t = Buffer.from(JSON.stringify(params)).toString('base64')
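
The snippets above, extended into an added example that is not Wonderment's own code: it builds the t token with the email-then-phone fallback described in this article, percent-encodes it into a tracking link, and decodes it again to show that the token is reversible base64 rather than an encrypted value. The function names and sample values are hypothetical, and percent-encoding the t parameter is standard URL handling that the tracking page is assumed to accept.

```javascript
// Added example, not Wonderment's code. The token format follows the article:
// base64 of JSON {query, email} or {query, phone}. Function names are hypothetical.

// Build the `t` token. Email is preferred and phone is the fallback, matching
// how the article says Wonderment builds tokens for integration payloads.
function buildTrackingToken({ orderName, email, phone }) {
  if (!orderName) throw new Error('orderName is required');
  if (!email && !phone) throw new Error('email or phone is required');
  const params = email
    ? { query: orderName, email }
    : { query: orderName, phone };
  return Buffer.from(JSON.stringify(params), 'utf8').toString('base64');
}

// Decode a token back into its fields. No key is involved: base64 is an
// encoding, so the order name and contact detail are readable from any link.
function decodeTrackingToken(t) {
  return JSON.parse(Buffer.from(t, 'base64').toString('utf8'));
}

// Attach the token as the `t` query parameter. URLSearchParams percent-encodes
// the '+', '/' and '=' characters that standard base64 output can contain.
function buildTrackingUrl(trackingPageUrl, t) {
  const url = new URL(trackingPageUrl);
  url.searchParams.set('t', t);
  return url.toString();
}

// Constructed sample values, not real order data.
const sampleToken = buildTrackingToken({ orderName: '#1001', email: 'pat@example.com' });
const sampleUrl = buildTrackingUrl('https://mystore.com/pages/tracking', sampleToken);
console.log(sampleUrl);
console.log(decodeTrackingToken(sampleToken));
```

Because the token decodes straight back to the order name and email address or phone number, any place a full tracking link is stored (server logs, analytics, referrer data) holds that customer detail as well.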

