/v1/gate/*.
Workflow endpoints use Gate-native credentials such as gtpoll_*, agt_*, one-time approval tokens, and one-time dashboard login codes.
Business backend endpoints use the standard Authorization: Bearer sk_* header plus Gate-specific scopes.
Service metadata such as website, docs_url, and dashboard_login_url is authoritative in the Gate registry and is resolved from the session’s service_id.
Endpoints
Service registry
List all services available for signup.
Look up a specific service by ID.
active and discoverable appear in the public registry.
The env_vars array lists the customer-owned keys the CLI may write locally.
Gate-owned login credentials are derived internally and are not exposed in the registry. When dashboard login is enabled, the CLI writes the Gate login token to .env under <SERVICE_ID>_GATE_AGENT_TOKEN (for example FOIL_GATE_AGENT_TOKEN).
Organization-owned Gate services
Businesses manage their own Gate service definitions under/v1/gate/services.
List the Gate services owned by the authenticated organization. Requires
Authorization: Bearer sk_... plus the gate:services:read scope.Create a Gate service for the authenticated organization. Requires
Authorization: Bearer sk_... plus the gate:services:manage scope.Load one organization-owned Gate service. Requires
Authorization: Bearer sk_... plus the gate:services:read scope.Partially update an organization-owned Gate service. Requires
Authorization: Bearer sk_... plus the gate:services:manage scope.Soft-disable an organization-owned Gate service by setting
status = "disabled". Requires Authorization: Bearer sk_... plus the gate:services:manage scope.npx signup <service>. They must be 3-32 characters, lowercase, and use only letters, numbers, dashes, or underscores. Each organization may have at most 5 Gate services total.
Signup sessions
Create a new signup session. Called by the CLI.
Response (201):
poll_token is returned once and used to poll for the session result.
Poll a session’s status. Requires
Authorization: Bearer gtpoll_....docs_url comes from the registry entry for the session’s service_id, not from the provisioning webhook response.
Approved sessions return encrypted delivery envelopes only. The same immutable ciphertext bundle can be re-polled until the CLI acknowledges receipt. After a successful ack, or after the 24-hour delivery TTL expires, Gate purges the stored envelopes and refuses redelivery.
Acknowledge successful local decryption and receipt of the encrypted delivery bundle. Requires
Authorization: Bearer gtpoll_....
Response (200):
Get consent page data for rendering. Called by the hosted consent page.
Submit consent approval. Called by the consent page after the user clicks Approve.
Cancel a pending session. Called via
sendBeacon when the consent page is closed.Agent tokens
Agent tokens (agt_ prefix) are Gate-owned login credentials issued only when a service enables dashboard_login_url. The CLI stores them locally under the derived env key <SERVICE_ID>_GATE_AGENT_TOKEN, and businesses can verify or revoke them with their own sk_* secret key.
Verify an agent token. Requires
Authorization: Bearer sk_... plus the gate:agent_tokens:verify scope.Cache-Control: no-store.
Revoke an agent token. Requires
Authorization: Bearer sk_... plus the gate:agent_tokens:revoke scope.204 No Content on success.
Dashboard login sessions
Dashboard login always requires a fresh Gate approval flow and is available only for services that definedashboard_login_url.
Create a new dashboard login session. Requires
Authorization: Bearer agt_....POST /v1/gate/sessions/:gateSessionId/approve returns both:
code: a one-time dashboard login token for CLI callback handoffredirect_url: the browser redirect to your dashboard’s/auth/gate?code=...route
Verify and consume a short-lived dashboard login token. Called by the company’s dashboard. One-time use. Requires
Authorization: Bearer sk_... plus the gate:login_sessions:consume scope.