Skip to main content
The Gate API powers agentic signup flows. It manages a public service registry, organization-owned Gate services, signup sessions, agent tokens, and fresh dashboard login sessions that require a new browser approval. All Gate endpoints are mounted at /v1/gate/*. Workflow endpoints use Gate-native credentials such as gtpoll_*, agt_*, one-time approval tokens, and one-time dashboard login codes. Business backend endpoints use the standard Authorization: Bearer sk_* header plus Gate-specific scopes. Service metadata such as website, docs_url, and dashboard_login_url is authoritative in the Gate registry and is resolved from the session’s service_id.

Endpoints

Service registry

GET /v1/gate/registry
endpoint
List all services available for signup.
GET /v1/gate/registry/:serviceId
endpoint
Look up a specific service by ID.
Only services that are both active and discoverable appear in the public registry. The env_vars array lists the customer-owned keys the CLI may write locally. Gate-owned login credentials are derived internally and are not exposed in the registry. When dashboard login is enabled, the CLI writes the Gate login token to .env under <SERVICE_ID>_GATE_AGENT_TOKEN (for example FOIL_GATE_AGENT_TOKEN).

Organization-owned Gate services

Businesses manage their own Gate service definitions under /v1/gate/services.
GET /v1/gate/services
endpoint
List the Gate services owned by the authenticated organization. Requires Authorization: Bearer sk_... plus the gate:services:read scope.
POST /v1/gate/services
endpoint
Create a Gate service for the authenticated organization. Requires Authorization: Bearer sk_... plus the gate:services:manage scope.
GET /v1/gate/services/:serviceId
endpoint
Load one organization-owned Gate service. Requires Authorization: Bearer sk_... plus the gate:services:read scope.
PATCH /v1/gate/services/:serviceId
endpoint
Partially update an organization-owned Gate service. Requires Authorization: Bearer sk_... plus the gate:services:manage scope.
DELETE /v1/gate/services/:serviceId
endpoint
Soft-disable an organization-owned Gate service by setting status = "disabled". Requires Authorization: Bearer sk_... plus the gate:services:manage scope.
Service IDs are the canonical public slugs used by npx signup <service>. They must be 3-32 characters, lowercase, and use only letters, numbers, dashes, or underscores. Each organization may have at most 5 Gate services total.

Signup sessions

POST /v1/gate/sessions
endpoint
Create a new signup session. Called by the CLI.
Request body: Response (201):
The poll_token is returned once and used to poll for the session result.
GET /v1/gate/sessions/:gateSessionId
endpoint
Poll a session’s status. Requires Authorization: Bearer gtpoll_....
Response when pending:
Response when approved:
docs_url comes from the registry entry for the session’s service_id, not from the provisioning webhook response.
Approved sessions return encrypted delivery envelopes only. The same immutable ciphertext bundle can be re-polled until the CLI acknowledges receipt. After a successful ack, or after the 24-hour delivery TTL expires, Gate purges the stored envelopes and refuses redelivery.

POST /v1/gate/sessions/:gateSessionId/ack
endpoint
Acknowledge successful local decryption and receipt of the encrypted delivery bundle. Requires Authorization: Bearer gtpoll_....
Request body: Response (200):

Get consent page data for rendering. Called by the hosted consent page.

POST /v1/gate/sessions/:gateSessionId/approve
endpoint
Submit consent approval. Called by the consent page after the user clicks Approve.
Request body:
POST /v1/gate/sessions/:gateSessionId/cancel
endpoint
Cancel a pending session. Called via sendBeacon when the consent page is closed.

Agent tokens

Agent tokens (agt_ prefix) are Gate-owned login credentials issued only when a service enables dashboard_login_url. The CLI stores them locally under the derived env key <SERVICE_ID>_GATE_AGENT_TOKEN, and businesses can verify or revoke them with their own sk_* secret key.
POST /v1/gate/agent-tokens/verify
endpoint
Verify an agent token. Requires Authorization: Bearer sk_... plus the gate:agent_tokens:verify scope.
Request body:
Response (valid):
Response (invalid/revoked):
Returns Cache-Control: no-store.
POST /v1/gate/agent-tokens/revoke
endpoint
Revoke an agent token. Requires Authorization: Bearer sk_... plus the gate:agent_tokens:revoke scope.
Request body:
Returns 204 No Content on success.

Dashboard login sessions

Dashboard login always requires a fresh Gate approval flow and is available only for services that define dashboard_login_url.
POST /v1/gate/login-sessions
endpoint
Create a new dashboard login session. Requires Authorization: Bearer agt_....
Request body:
Response (201):
After the user approves the hosted Gate page, POST /v1/gate/sessions/:gateSessionId/approve returns both:
  • code: a one-time dashboard login token for CLI callback handoff
  • redirect_url: the browser redirect to your dashboard’s /auth/gate?code=... route

POST /v1/gate/login-sessions/consume
endpoint
Verify and consume a short-lived dashboard login token. Called by the company’s dashboard. One-time use. Requires Authorization: Bearer sk_... plus the gate:login_sessions:consume scope.
Request body:
Response:

Rate limits

Error codes