Instead of them redeeming a cashu token they can just prove they have the code, or better, contain a signed statement in the sent envelope (this also means zero-interaction after request, and the proof can be validated, this also means bogus requests will help mask real ones for privacy)