Gate issues an agt_ agent token for every successful signup. Developers include this token in API calls to your service. Verify it with a single HTTP call to Gate.

Verify a token

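app.use(async (req, res, next) => {
  const token = req.headers.authorization?.replace('Bearer ', '');

  if (token?.startsWith('agt_')) {
    try {
      // Ask Gate whether the token is valid; the call is authenticated with your secret key.
      const resp = await fetch('https://api.usefoil.com/gate/agent-tokens/verify', {
        method: 'POST',
        headers: {
          'Content-Type': 'application/json',
          'Authorization': `Bearer ${process.env.FOIL_SECRET_KEY}`,
        },
        body: JSON.stringify({ token }),
      });
      // Fail closed: a non-2xx reply or a body without `data` is treated as an invalid token.
      const { data } = resp.ok ? await resp.json() : {};

      if (!data?.valid) return res.status(401).json({ error: 'Invalid token' });
      req.gateAccountId = data.gate_account_id;
    } catch (err) {
      // Network or parse failure: reject rather than pass the request through unverified.
      return res.status(503).json({ error: 'Token verification unavailable' });
    }
  }

  next();
});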

Verification response

{
  "data": {
    "valid": true,
    "gate_account_id": "gacct_...",
    "status": "active",
    "created_at": "2026-04-01T..."
  }
}
Invalid or revoked tokens return { "data": { "valid": false } }.

Caching

The verify endpoint returns Cache-Control: max-age=60. Cache results to avoid hitting Gate on every request.
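
One way to cache verify results for the 60 seconds the endpoint allows, as an added example that is not Gate's own code. VerifyCache, verifyCached, MAX_ENTRIES and the verifyRemote callback (your wrapper around the verify call, resolving to the response's data object) are hypothetical names introduced here.

```javascript
const crypto = require('node:crypto');

const TTL_MS = 60_000;      // matches Cache-Control: max-age=60 from the verify endpoint
const MAX_ENTRIES = 10_000; // assumed bound so a flood of junk tokens cannot grow the cache

class VerifyCache {
  constructor(ttlMs = TTL_MS, maxEntries = MAX_ENTRIES) {
    this.ttlMs = ttlMs;
    this.maxEntries = maxEntries;
    this.entries = new Map(); // sha256(token) -> { result, expiresAt }
  }
  // Key by digest so raw bearer tokens are not held in the cache.
  static key(token) {
    return crypto.createHash('sha256').update(token).digest('hex');
  }
  get(token, now = Date.now()) {
    const k = VerifyCache.key(token);
    const hit = this.entries.get(k);
    if (!hit) return undefined;
    if (now >= hit.expiresAt) {
      this.entries.delete(k); // expired: force a fresh verify
      return undefined;
    }
    return hit.result;
  }
  set(token, result, now = Date.now()) {
    const k = VerifyCache.key(token);
    this.entries.delete(k); // re-insert so Map order stays oldest-first
    if (this.entries.size >= this.maxEntries) {
      this.entries.delete(this.entries.keys().next().value); // evict oldest entry
    }
    this.entries.set(k, { result, expiresAt: now + this.ttlMs });
  }
}

// Valid and invalid verdicts are both cached. If verifyRemote throws (Gate unreachable),
// nothing is stored, so an outage never turns into a cached verdict.
async function verifyCached(cache, token, verifyRemote, now = Date.now()) {
  const cached = cache.get(token, now);
  if (cached !== undefined) return cached;
  const data = await verifyRemote(token);
  const result = data && data.valid === true
    ? { valid: true, gate_account_id: data.gate_account_id }
    : { valid: false };
  cache.set(token, result, now);
  return result;
}
```

A cached valid verdict keeps being served until it expires, so a revoked token can still be accepted for up to 60 seconds after revocation.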

Token lifecycle

  • Issued: on every successful signup via Gate
  • Expires: 90 days after last use (rolling expiry)
  • Revoked: via POST /gate/agent-tokens/revoke or from the dashboard
