An SMS that says "Your booking is confirmed" without the date, time, or a link to details forces the customer to open the app or website to find out when they need to show up. That friction is not cosmetic — customers forward confirmation SMSes to themselves as reminders, screenshot them, and share them with family. A generic message provides none of that utility. TCPA (47 U.S.C. § 227) requires an identification element in transactional SMS; a booking-specific link with a token also serves the dual purpose of providing one-click access to reschedule or cancel. A login-required URL collapses that utility for customers who are not currently authenticated.
Medium because missing booking specifics in the SMS body creates a poor customer experience and increases inbound support contacts, without meeting the transactional informational standard TCPA implies.
Update the SMS template in src/lib/sms-templates.ts to include all three required elements — date/time, timezone, and a short token-based link under 50 characters:
export function confirmationSmsTemplate(booking: Booking) {
const date = formatDate(booking.start_time, 'MMM d, h:mm a')
const tz = booking.timezone ?? 'UTC'
const link = `https://yoursite.com/b/${booking.short_id}` // ≤ 50 chars
return `Booking confirmed: ${date} ${tz}. Details: ${link}`
}
Verify the link target handles unauthenticated access via the short_id token — it must not redirect to a login page.
ID: booking-notifications-reminders.sms.sms-content
Severity: medium
What to look for: Find the SMS message template or string construction. Enumerate 3 required fields: (1) appointment date, (2) appointment time, (3) URL link to booking details. Verify the link is functional (not a placeholder) and short enough for SMS limits (total SMS under 160 characters, or link under 50 characters). Check if the link requires login — it should use a token for unauthenticated access.
Pass criteria: Enumerate all 3 required elements and list each one found with the template variable or string that renders it. ALL 3 must be present. Link must be under 50 characters (or use a URL shortener). Link must not require login (token-based access). A generic "Your booking is confirmed" message with no specifics does NOT count as pass.
Fail criteria: Any of the 3 elements missing. Link is longer than 50 characters with no shortener. Link requires authentication. SMS body is generic ("Your booking is confirmed") with no specifics.
Skip (N/A) when: SMS is not offered (same criteria as sms-optout-persisted skip).
Detail on fail: Enumerate all 3 fields. For each: "FOUND: [variable]" or "MISSING". Quote the current SMS template text. Example: "SMS template: 'Your booking is confirmed.' — MISSING: date, time, link. No specific booking details included.".
Remediation: Update the SMS template to include all required fields:
// src/lib/sms-templates.ts
export function confirmationSmsTemplate(booking: Booking) {
const date = formatDate(booking.start_time, 'MMM d, h:mm a')
const tz = booking.timezone ?? 'UTC'
const link = `https://yoursite.com/b/${booking.short_id}`
return `Booking confirmed: ${date} ${tz}. Details: ${link}`
}
Cross-reference: Content Quality audit checks message clarity. Accessibility Fundamentals audit checks link accessibility. Email/SMS Compliance audit checks SMS content requirements.