0Gate embed and branding
Bootstrap the 0Gate widget with publishable-key auth, exact-origin checks, short-lived embed tokens, and partner co-branding controls.
The embed API is the browser-safe bridge between a server-created 0Gate session and the hosted widget. Branding APIs control the partner co-branding tokens surfaced into that hosted experience.
Endpoints
| Method | Path | Operation id | Purpose |
|---|---|---|---|
| POST | /embed/bootstrap | createEmbedToken | Exchange a publishable key and optional clientSecret for a short-lived embed token. |
| GET | /branding | getBranding | Read current partner co-branding tokens. |
| PATCH | /branding | updateBranding | Merge documented branding token updates. |
Embed bootstrap
POST /embed/bootstrap is called by the iframe or browser SDK. It uses pk_test_* or pk_live_*, not a secret key. The origin or referer must exactly match the partner's allowed domains; wildcards are not part of the v1 public-safe behavior.
```bash
curl -X POST https://gate-api-sandbox.0bit.app/v1/embed/bootstrap \
  -H "Authorization: Bearer pk_test_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "clientSecret": "gsec_test_123"
  }'
```

The response includes an embed token, expiry, partner id, mode, session id, amount/currency fields, optional target token/network, return URL, flow, and related session-scoped values. Treat it as short-lived and scoped to the hosted experience.
Origin checks
| Check | Expected behavior |
|---|---|
| Allowed domain exact match | Bootstrap succeeds. |
| Missing or wrong origin | Bootstrap fails with auth/permission style error. |
| Secret key supplied in browser | Integration bug; move privileged calls server-side. |
| Expired client secret/session | Create or retrieve valid state server-side. |
Branding
Branding tokens are read by the hosted widget through the embed bootstrap flow. All null values mean default 0Gate branding is in effect.
| Field | Rule |
|---|---|
| logo_url | Absolute HTTPS URL. |
| primary_color | Hex color token such as #FF4B1F. |
| secondary_color | Hex color token. |
| accent_color | Hex color token. |
| brand_name | Partner display name where approved. |
PATCH /branding merges supplied fields onto current branding. Sending one field should not wipe the rest. Unknown keys should be rejected. Use fake values in docs and test mode before publishing live branding.
```bash
curl -X PATCH https://gate-api-sandbox.0bit.app/v1/branding \
  -H "Authorization: Bearer sk_test_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: 00000000-0000-4000-8000-000000000123" \
  -d '{
    "logo_url": "https://partner.example/logo.png",
    "primary_color": "#FF4B1F",
    "brand_name": "Partner"
  }'
```

Security rules
- Never call privileged session or branding update endpoints from browser code with sk_*.
- Register every production and staging embed origin.
- Use separate sandbox and live publishable keys.
- Keep client secrets session-scoped.
- Treat the embed token as short-lived.
- Use signed webhooks for final state; embed callbacks are UX signals.
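As an added illustration, not 0Gate's own code, the following Python models the server-side behavior the origin-check and branding tables describe: the credential and exact-origin gate on POST /embed/bootstrap, and the validate-then-merge semantics of PATCH /branding. The allowed-origin set, the reason strings, and the six-digit hex color format are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed partner config for this example; these are not real 0Gate values.
ALLOWED_ORIGINS = {"https://checkout.partner.example", "https://staging.partner.example"}
BRANDING_FIELDS = {"logo_url", "primary_color", "secondary_color", "accent_color", "brand_name"}
HEX_COLOR = re.compile(r"^#[0-9A-Fa-f]{6}$")  # assumed format, e.g. #FF4B1F

def check_bootstrap(auth_header, origin, allowed_origins=ALLOWED_ORIGINS):
    """Gate an /embed/bootstrap call as the origin-check table describes.
    Returns "ok" or a short reason; a real service maps reasons to an
    auth/permission error without echoing the presented key."""
    scheme, _, token = (auth_header or "").partition(" ")
    if scheme != "Bearer" or not token:
        return "missing_credential"
    if token.startswith("sk_"):
        # A secret key presented from the browser is an integration bug.
        return "secret_key_in_browser"
    if not token.startswith(("pk_test_", "pk_live_")):
        return "unsupported_key_type"
    # Exact string match on the Origin value: no wildcard or suffix matching in v1.
    if origin is None or origin not in allowed_origins:
        return "origin_not_allowed"
    return "ok"

def merge_branding(current, patch):
    """PATCH /branding semantics: validate, then merge only the supplied fields.
    Raises ValueError on unknown keys or malformed values; a null value resets
    that field to default 0Gate branding."""
    unknown = set(patch) - BRANDING_FIELDS
    if unknown:
        raise ValueError(f"unknown branding keys: {sorted(unknown)}")
    for key, value in patch.items():
        if value is None:
            continue
        if key == "logo_url":
            parts = urlsplit(value)
            if parts.scheme != "https" or not parts.netloc:
                raise ValueError("logo_url must be an absolute HTTPS URL")
        elif key.endswith("_color"):
            if not (isinstance(value, str) and HEX_COLOR.match(value)):
                raise ValueError(f"{key} must be a hex color token such as #FF4B1F")
        elif not isinstance(value, str):
            raise ValueError("brand_name must be a string")
    merged = dict(current)
    merged.update(patch)  # fields absent from the patch keep their current values
    return merged
```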