Your customers log into the same app your team uses. Name + phone. Done.
The all-in-one mobile app means your customer base doesn't need to download a second app to track their job, see their photos, or tip the tech. They open SalesThumb, type their name + phone, get a 6-digit SMS code, and land on a portal showing only their stuff. Staff get a different login (email + password) and a per-employee mobile_role flag (NONE / INSTALLER / SALES / BOTH) decides which tabs appear. No app-switching, no second download, no separate brand.
Launching soon — get early access.
SalesThumb
Run, book, and track your jobs from one app.
Splash
Customer · Sample Shop LLC
See your job
Type your name + the phone number we have on file.
Sign in
Code sent to ···2821
Enter the 6-digit code
Arrived in 4 seconds. Expires in 10 minutes.
✓ Verified · landing in your portal…
Didn't get it? Resend in 0:42
Verify
Features, zoomed in
The parts that actually move the needle.
Three capabilities built specifically for the day-to-day of a working shop.
Deep dive · 01
One app — tech, sales, customers
The mobile app lives in the App Store / Play Store as a single brand. The first-launch splash shows two big buttons: 'I'm a customer' and 'I'm a team member'. Customer flow is name + phone + SMS code; staff flow is the existing email + password Better-Auth path. The token type written to SecureStore decides which tab group renders on the next launch — customer tabs (Home / Appointments / Photos / Tips) or staff tabs gated by the mobile_role enum.
- Single iOS + Android app, single brand on both stores
- Splash picker on first launch — no friction to find the right path
- Customer and staff sessions stored under separate SecureStore keys, so one token type is never mistaken for the other
- Push notifications branch by session type (customer push: appt reminders, photos ready; staff push: new jobs, urgent inbox)
SalesThumb · iOS / Android
One binary
Enter your phone
We'll text you a code
No password · no email
Customer · passwordless
Sign in
Shop staff & owners
Password
SSO · 2FA · biometric unlock
Staff · email + password
Auth shape detected at app launch · routes to correct experience
Deep dive · 02
Why name + phone is safer than it sounds
Most apps use email + password (forgettable) or magic links (bounces in spam). Phone-based passwordless is the right shape for a service-business customer who probably booked their original appointment over the phone anyway. The name is only a hint for picking the right record; possession of the phone is the thing being proven. Three layers keep it secure: the 6-digit code (10⁶ space), a 5-attempt lockout per code, and a 3-codes-per-hour rate limit per phone. The requestCode endpoint always returns ok:true so an attacker can't enumerate which phones are registered; for that to hold, the rate limit and the response time have to be identical for unregistered numbers too, or the throttle becomes the oracle.
- 10⁶ code space + 5-attempt lockout: at most 5 guesses per code (a 1-in-200,000 chance), and with 3 codes per hour no more than 15 guesses per phone per hour
- Codes stored only as SHA-256 hashes, never in plaintext. The hash alone is not the defence: a 6-digit space is brute-forced offline in well under a second, so the 10-minute TTL and the server-side attempt counter are what keep a leaked row from being usable; key the hash with a server-side secret (HMAC) if the DB could be read while codes are live
- Phone enumeration prevention (always-ok response) closed at the API level
- Token issued on success has 30-day expiry + can be revoked from /app
What's included
The full capability list.
Everything that ships on day one. No feature-gating surprises inside a single plan.
- Passwordless SMS-code login (6 digits, 10-min TTL, 5-attempt lockout)
- Re-uses the existing 30-day customer portal token format
- Multi-shop disambiguation via name hint + most-recent-appointment heuristic
- Phone normalization shared with the Twilio inbound webhook
- Enumeration-safe: requestCode always returns ok:true regardless of phone match
- 3-codes-per-hour rate limit per phone
- Constant-time hash comparison (SHA-256, no plaintext at rest)
- Mobile session auto-expires after 30 days; re-auth via the same flow
See every angle
A tour of the screens
Every meaningful view, the path through it, and the moments that matter — so you know exactly what you're buying.
One app, two login paths
Customer flow uses passwordless SMS code; staff flow uses email + password.
Both live in the same Expo app on the same App Store listing.
Customer home — their stuff only
Next appointment, recent photos, payment history, tip jar.
No staff data leaks; the portal token only authorizes the customer's own records.
Welcome back
Sarah
Next appt
Front 2 Ceramic
Sat · 10:30 AM · 2023 Tesla Model Y
Your install · last visit
Invoice #2841
Paid · Apr 4
Warranty cert
Ceramic · lifetime
💚 Tip Mike
100% to tech
Home
Photos
Pay
Help
Who it's for
Built specifically for…
- Shops whose customer base is phone-first (not email-first)
- Shops who want their customer portal to feel like an app, not a magic link in SMS
- Multi-location franchises where one customer might use 2-3 shops in the chain
What it replaces
The old way…
- 'Send me the link again' phone calls when the magic-link SMS got buried
- Customer-facing apps with email + password (forgotten passwords are the #1 support issue)
- Two separate apps (customer app + employee app) for the same brand
How it works
Set it up once. Run it forever.
1. Splash → role pick
First launch: 'Are you a customer or team member?' Two big buttons. Customer route asks name + phone; staff route asks email + password.
2. Code arrives in 4 seconds
Customer types their phone → Twilio fires a 6-digit code via SMS within ~4s. They type it in. The backend hash-compares it and mints a 30-day token; the app writes that token to SecureStore under the customer-session key.
3. Customer tabs render
App reads the customer-token key from SecureStore on launch and routes to the customer tab group: Home (next appointment), Appointments (history), Photos (per-job galleries), Settings (notification opts + opt-out from playbook nudges).
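What the app decides at launch from those two SecureStore keys, as an added TypeScript example; it is not SalesThumb's code. The store interface mirrors Expo SecureStore's getItemAsync / setItemAsync / deleteItemAsync signatures, and MemoryStore is a constructed stand-in so the code runs off-device. The key names, the session JSON shape and the staff tab names are assumptions; the customer tab list is the one from step 3.

```typescript
// Added example, not SalesThumb's code. Launch-time routing by session type and
// mobile_role. ASSUMPTIONS: key names, session JSON shape, staff tab names.
export interface KeyValueStore {
  getItemAsync(key: string): Promise<string | null>;
  setItemAsync(key: string, value: string): Promise<void>;
  deleteItemAsync(key: string): Promise<void>;
}

// Constructed in-memory stand-in for Expo SecureStore, so this runs outside a device.
export class MemoryStore implements KeyValueStore {
  private items = new Map<string, string>();
  async getItemAsync(key: string) { return this.items.get(key) ?? null; }
  async setItemAsync(key: string, value: string) { this.items.set(key, value); }
  async deleteItemAsync(key: string) { this.items.delete(key); }
}

export const CUSTOMER_SESSION_KEY = "salesthumb.customer_session"; // assumed key names
export const STAFF_SESSION_KEY = "salesthumb.staff_session";

export type MobileRole = "NONE" | "INSTALLER" | "SALES" | "BOTH";
export interface StoredSession { kind: "customer" | "staff"; token: string; expiresAt: number; mobileRole?: MobileRole; }

export type LaunchRoute =
  | { screen: "splash" }
  | { screen: "customer-tabs"; tabs: string[] }
  | { screen: "staff-tabs"; tabs: string[] }
  | { screen: "staff-no-mobile-access" };

const CUSTOMER_TABS = ["Home", "Appointments", "Photos", "Settings"];
const INSTALLER_TABS = ["Schedule", "Photos", "Clock"]; // assumed staff tab names
const SALES_TABS = ["Quotes", "Inbox"];

// Client-side tab gating is UX only; the server still authorizes every request from the token.
export function staffTabs(role: MobileRole): string[] {
  switch (role) {
    case "INSTALLER": return [...INSTALLER_TABS];
    case "SALES": return [...SALES_TABS];
    case "BOTH": return [...INSTALLER_TABS, ...SALES_TABS];
    default: return []; // NONE, or a value this build does not recognise: fail closed
  }
}

export async function saveSession(store: KeyValueStore, session: StoredSession): Promise<void> {
  const key = session.kind === "staff" ? STAFF_SESSION_KEY : CUSTOMER_SESSION_KEY;
  await store.setItemAsync(key, JSON.stringify(session));
}

// Reads one key. Anything malformed, of the wrong kind, or past its expiry is deleted,
// so the next launch falls through to the splash picker instead of carrying a dead token.
async function readSession(store: KeyValueStore, key: string, kind: "customer" | "staff",
  now: number): Promise<StoredSession | null> {
  const raw = await store.getItemAsync(key);
  if (raw === null) return null;
  let s: Partial<StoredSession> = {};
  try {
    const parsed = JSON.parse(raw);
    if (parsed && typeof parsed === "object") s = parsed;
  } catch { /* fall through to the purge below */ }
  const valid = s.kind === kind && typeof s.token === "string" && s.token.length > 0 &&
    typeof s.expiresAt === "number" && s.expiresAt > now;
  if (!valid) { await store.deleteItemAsync(key); return null; }
  return s as StoredSession;
}

export async function resolveLaunchRoute(store: KeyValueStore, now = Date.now()): Promise<LaunchRoute> {
  // A staff session wins when both keys exist (a staff member who also tried the customer flow).
  const staff = await readSession(store, STAFF_SESSION_KEY, "staff", now);
  if (staff !== null) {
    const tabs = staffTabs(staff.mobileRole ?? "NONE");
    return tabs.length > 0 ? { screen: "staff-tabs", tabs } : { screen: "staff-no-mobile-access" };
  }
  const customer = await readSession(store, CUSTOMER_SESSION_KEY, "customer", now);
  if (customer !== null) return { screen: "customer-tabs", tabs: [...CUSTOMER_TABS] };
  return { screen: "splash" };
}

export async function signOut(store: KeyValueStore): Promise<void> {
  await store.deleteItemAsync(CUSTOMER_SESSION_KEY);
  await store.deleteItemAsync(STAFF_SESSION_KEY);
}
```

The two checks that matter on a shared or second-hand phone are the expiry purge and the fail-closed default in staffTabs: a mobile_role value the client has never heard of gets no tabs rather than all of them, and a 30-day token that has lapsed is removed rather than left in the keychain.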
How a shop actually uses this
Sarah just got her Tesla tinted at Atlas. The shop rang her up, she paid via Stripe link in the lobby. Two days later she remembers Mike said something about 'check the photos in our app' but she lost the SMS link. She downloads SalesThumb, taps 'I'm a customer', types Sarah Chen + 555-0142, gets a code in 4 seconds, and lands on her appointment with the photo gallery, the warranty cert, and a tip jar. No password, no support call to the shop.
Questions
Good to know.
- What if a phone matches two shops in my chain?
- The verify endpoint resolves to the customer record with the most recent appointment activity — that's almost certainly the shop they're trying to log into. Future enhancement: a shop picker on the second login if multi-shop is common in your customer base.
- What if Twilio is down?
- The customer sees 'Code sent — check your messages' (we don't surface delivery failures, by design — that would leak which phones are registered). They can retry after a minute. Operator can also generate a fallback magic-link from /app/customers/<id> and SMS it manually.
- Can a staff member also be a customer?
- Yes — they'd log in with their staff credentials by default but can also use the customer flow with their personal phone if they want to test the customer experience. The two sessions live in different SecureStore keys so they don't clash.
- Is this PCI / SOC 2 compliant?
- The auth flow itself doesn't touch payment data, so it adds nothing to PCI scope. Compliance is assessed on the whole deployment, not on one login flow; what this flow contributes is that codes are hashed at rest, sent over TLS, expire in 10 minutes, and are attempt- and rate-limited. It's the standard passwordless-SMS pattern auditors see across many SaaS products.
Fits in with
Works with your stack
Twilio
Delivers the 6-digit SMS code
Better-Auth
Powers the staff email+password side
Expo SecureStore
On-device token storage, encrypted at rest
Explore more
Pairs well with
Mobile Apps
The installer app shows today's schedule, captures photos, clocks in/out, and updates job status. The customer app shows appointments, warranties, and photo galleries — branded as your shop in the App Store.
Two-way SMS
Every customer conversation in one inbox. Auto-reminders run 24/7, but when they reply, a human sees it. MMS, templates, merge fields.
Automations
Build rules like 'when a quote is approved, send a deposit SMS and add a calendar hold.' Everything that happens repeatedly should be automated — and nothing should slip through.
Job Photos
Every appointment gets a photo gallery. Techs capture on mobile. Customers see a polished post-install gallery. You protect yourself from 'it was like that when you got it' claims.
Get customer login first at launch.
Launching soon — join the waitlist for early access. At launch: 30-day free trial with full access to every feature on this page, no credit card.