Payments API
Build payment, checkout, session, quote, rail, and settlement API flows with server-side credentials, idempotency, and webhook reconciliation.
The payments API docs cover the published server-side surfaces that create payment or ramp state. In the current public product surface, 0Gate sessions are the clearest hosted integration path: your backend creates a session with a secret key, your frontend mounts the hosted widget with browser-safe values, and your webhook endpoint receives the durable status signal.
0Base product documentation remains available under Products, but 0Base endpoint-level partner API pages are not published yet. Do not build against unpublished 0Base endpoint paths.
Payment APIs are server-side by default
Never create sessions, payment intents, quotes, pay-ins, pay-outs, refunds, or settlement records from browser code with a secret key. Browser code can receive only product-approved browser-safe values, such as a publishable key or a session-scoped client secret.
What this page covers
- Which payment API groups are currently published.
- How 0Gate hosted sessions create payment and ramp state.
- Required credential placement for payment flows.
- Idempotency and retry behavior for state-changing writes.
- How webhooks and settlement records should be used for final state.
Payment API map
| Area | Product | Purpose | Availability boundary |
|---|---|---|---|
| Sessions | 0Gate | Create, retrieve, list, and cancel hosted payment/ramp sessions. | Default hosted path where your account is enabled. |
| Embed bootstrap | 0Gate | Mint a short-lived embed token from a publishable key plus session client secret. | Browser-safe only for allowed origins. |
| Capabilities | 0Gate | Read countries, currencies, assets, payment methods, payout methods, and eligibility. | Do not turn examples into support promises. |
| Quote preview | 0Gate | Return indicative quotes before a hosted session is completed. | Not a locked settlement quote. |
| Signed quotes and rails | 0Gate | Lock rates and redeem pay-in/pay-out rails for entitled partners. | Entitlement-gated; avoid broad public claims. |
0Gate hosted payment flow
Use POST /v1/gate_sessions when you want 0Bit to host KYC, payment, compliance, and settlement UX. The request binds amount and currency on your server. The response includes a client_secret that is safe to pass to the browser for that one session.
Create a session
curl -X POST https://gate-api-sandbox.0bit.app/v1/gate_sessions \
-H "Authorization: Bearer sk_test_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
-H "Content-Type: application/json" \
-H "Idempotency-Key: 00000000-0000-4000-8000-000000000123" \
-d '{
"amount": "100.00",
"currency": "EUR",
"return_url": "https://partner.example/complete",
"target_token": "USDT",
"metadata": {
"order_id": "order_test_123"
}
}'The response includes a session id and a browser-safe client_secret. Retrieval endpoints should not return the raw client secret again.
Session lifecycle
| Operation | Use it for | Important behavior |
|---|---|---|
POST /gate_sessions | Create a hosted payment/ramp session. | Send an Idempotency-Key; duplicate retries should collapse to the original response. |
GET /gate_sessions/{id} | Read trusted server-side state. | Does not expose the raw client secret. |
POST /gate_sessions/{id}/cancel | Cancel an open session. | Terminal sessions should not be treated as cancelable. |
GET /transactions | Reconcile partner transaction records. | Use with webhook events and your own order ids. |
GET /transactions/{refid} | Retrieve a specific transaction reference. | Keep refid, request ids, and event ids in logs. |
Capabilities and eligibility
Capability endpoints are read-only planning tools. They help your integration decide what to show, but they do not guarantee every market, asset, rail, or corridor is available for every partner.
| Endpoint group | Purpose | Safe implementation behavior |
|---|---|---|
GET /capabilities/countries | Read supported countries where configured. | Filter UI choices; do not hard-code stale copies. |
GET /capabilities/currencies | Read fiat currencies. | Pair with current environment and entitlement checks. |
GET /capabilities/assets | Read supported crypto assets. | Validate target tokens before creating sessions. |
GET /capabilities/payment-methods | Read buy-side methods. | Use for display and eligibility decisions. |
GET /capabilities/payout-methods | Read sell-side payout methods. | Do not publish provider or bank-rail details. |
GET /capabilities/eligibility | Probe whether a region/currency/asset is usable. | Branch on machine-readable unavailable reasons. |
Eligibility answers should be treated as decision input, not a money path. If a region is unsupported or unresolved, return a clear disabled state in your UI instead of sending the user into a session that will fail later.
Quotes and rails
Quote previews can help a user understand indicative pricing before they commit. Signed quotes and rail operations are stronger: they are entitlement-gated, rate-locking, and one-time redeemable. Keep those calls server-side.
| Operation area | Purpose | Boundary |
|---|---|---|
POST /quotes/preview | Preview quotes across applicable methods. | Indicative only unless quote-preview locks are enabled. |
POST /quotes | Lock a signed quote. | Requires the appropriate entitlement; send idempotency. |
GET /quotes/{id} | Retrieve a signed quote. | Use before redeeming or reconciling. |
POST /rails/pay_ins | Initiate fiat pay-in for a session user. | Server-side, KYC-approved user derived from the session. |
POST /rails/pay_outs | Initiate fiat pay-out for a session user. | Server-side; bank or payout details should not come from public docs. |
GET /rails/pay_ins/{id} / GET /rails/pay_outs/{id} | Retrieve rail records. | Use for support and reconciliation. |
Do not expose rail internals
Public docs can explain the shape of an entitled payment flow. They should not expose provider names, bank details, treasury routing, risk controls, or private operational processes.
Unpublished product APIs
0Base and 0Link are product documentation surfaces, not published partner API references today. Their product pages can explain object models, routing boundaries, reporting expectations, and launch-readiness requirements, but they should not publish endpoint paths, request schemas, or partner API examples until those products are ready for partner API access.
| Product | Current public documentation | API publication status |
|---|---|---|
| 0Base | Merchant checkout, payment objects, settlement records, and operational readiness. | Partner API pages hidden until release. |
| 0Link | Routing model, route review, fallback behavior, quote availability, and settlement handling. | Partner API pages hidden until release. |
Idempotency and retries
Every payment write should be treated as a single logical operation. Persist your idempotency key next to the order, checkout, quote, payment intent, or rail record.
| Scenario | Correct behavior |
|---|---|
| Network timeout after a write | Retry with the same idempotency key. |
| User double-clicks submit | Send the same logical write once, or reuse the same idempotency key. |
429 or retryable 5xx | Retry with bounded backoff and jitter. |
| Validation error | Fix the request; do not retry unchanged. |
| State conflict | Retrieve current object state and branch intentionally. |
Reconciliation contract
Payment APIs create state, but signed webhooks and trusted server reads confirm durable state. Store these fields together:
| Field | Why it matters |
|---|---|
| Your order id | Joins 0Bit state to your product state. |
| 0Bit object id | Locates the session, payment intent, quote, rail, or report record. |
| Idempotency key | Proves duplicate writes represent one logical operation. |
| Request id | Helps support trace a specific API call. |
| Event id | Dedupes webhook deliveries. |
| Status and timestamps | Explain current state and timing. |