Enter Verification Reference
Now authenticated, Sarah enters the reference code from the email. The portal sends this reference along with her authenticated identity to the backend for verification.
🎯 Two Ways to Enter
Manual Entry: Customer types REF-9F2A-47B1 from the email
Pre-filled Link: If they clicked the email link with ?ref= parameter, it's already filled in
Verify Payment Instructions
Enter the reference code from your email to verify the instructions
This code is found in the email you received from your solicitor
🔍 What Gets Sent to Backend
Reference Code
The unique identifier REF-9F2A-47B1 that was embedded in the email by the solicitor when they created the instructions.
Authenticated Identity
Sarah's verified identity from the passkey authentication—the system knows who is making this verification request.
Timestamp
When the verification request was made—helps with audit trails and detecting suspicious patterns.
Cryptographic Proof
The passkey signature proves Sarah is using a legitimate device registered with shepwedd.com, not a phishing site.
🛠️ Behind the Scenes
Browser sends encrypted request: { reference: "REF-9F2A-47B1", credential: passkey_signature }
Backend validates the passkey signature using stored public key—confirms it's really Sarah's device
System prepares to query: "Find instruction record with this reference, check status, permissions, and validity"
Request moves to backend verification service (covered in Step 5)
🎯 Why the Reference Code Matters
🔗 Unique Identifier
Each instruction email gets a unique reference. REF-9F2A-47B1 is tied to this specific bank details instruction for Sarah's matter.
📅 Time-Bound
References can expire or be superseded. If solicitor sends corrected details, the old reference becomes invalid.
🔐 Not Guessable
Generated using cryptographic randomness—attackers can't guess valid reference codes.
🎭 Privacy-Preserving
The reference itself doesn't reveal sensitive details—it's just a pointer to the secure database record.