SDKs and libraries

Use the audited 0Gate SDK package names, imports, hosts, retries, and webhook helpers without exposing server-only credentials.

0Gate uses one canonical JavaScript package for Node, browser, and React, plus one Python package. The source-backed package names are @0bit/gate for npm and 0bit-gate for Python.

Preview SDK status

The audited SDK package is version 0.1.4, while the Node runtime user agent still reports gate-node/0.1.0. Treat the SDK as pre-GA until the package owner confirms the release version, registry state, and changelog.

Install

Surface	Install	Import
Node server	`npm install @0bit/gate`	`import { GateClient } from '@0bit/gate'`
Browser bundle	`npm install @0bit/gate`	`import { GateRamp } from '@0bit/gate/browser'`
React	`npm install @0bit/gate`	`import { RampCheckout } from '@0bit/gate/react'`
Python	`pip install 0bit-gate`	`from zerobit.gate import GateClient`

The SDK repo also documents Python extras for django, fastapi, and flask. Do not publish framework-specific examples as production-ready until those packages are built and tested in the release pipeline.

Hosts

The OpenAPI contract declares /v1 server URLs. The SDK constructors take the API origin and append /v1 inside each resource path.

Environment	SDK API origin	REST/OpenAPI base	Widget origin
Production	`https://gate-api.0bit.app`	`https://gate-api.0bit.app/v1`	`https://gate.0bit.app`
Sandbox	`https://gate-api-sandbox.0bit.app`	`https://gate-api-sandbox.0bit.app/v1`	`https://gate-sandbox.0bit.app`
Local	`http://localhost:3000` for SDK API origin, `http://localhost:4000/v1` in the OpenAPI server list	`http://localhost:4000/v1`	`http://localhost:3001`

If you use raw fetch, call the /v1/... path yourself. If you use the SDK, pass the origin only when overriding baseUrl.

import { GateClient } from '@0bit/gate';

const gate = new GateClient({
  apiKey: process.env.OBIT_GATE_SECRET_KEY!,
  baseUrl: 'https://gate-api-sandbox.0bit.app',
});

const session = await gate.sessions.create({
  amount: '100.00',
  currency: 'EUR',
  return_url: 'https://partner.example/checkout/done',
});

Credential placement

Value	Where it lives	Why
`sk_test_` / `sk_live_`	Server only	Creates sessions and reads privileged records.
`pk_test_` / `pk_live_`	Browser or mobile client	Bootstraps the hosted widget only.
`client_secret`	Browser-safe, session-scoped	Binds one hosted experience to one server-created session.
`whsec_*`	Server only	Verifies signed webhook deliveries.

Never pass an sk_* value to browser code. The browser receives only the publishable key and the session client_secret.

Node server

import { GateClient } from '@0bit/gate';

const gate = new GateClient({
  apiKey: process.env.OBIT_GATE_SECRET_KEY!,
  baseUrl: 'https://gate-api-sandbox.0bit.app',
  timeoutMs: 30_000,
  maxRetries: 2,
});

export async function createCheckoutSession(order: {
  id: string;
  amount: string;
  currency: string;
}) {
  return gate.sessions.create(
    {
      amount: order.amount,
      currency: order.currency,
      return_url: `https://partner.example/orders/${order.id}/complete`,
      metadata: { order_id: order.id },
    },
    {
      idempotencyKey: `order:${order.id}:gate-session`,
    },
  );
}

The Node client maps session calls to:

Method	Endpoint
`gate.sessions.create(params, options?)`	`POST /v1/gate_sessions`
`gate.sessions.retrieve(id, options?)`	`GET /v1/gate_sessions/{id}`
`gate.sessions.cancel(id, options?)`	`POST /v1/gate_sessions/{id}/cancel`

Browser embed

import { GateRamp } from '@0bit/gate/browser';

const ramp = new GateRamp({
  publishableKey: import.meta.env.VITE_OBIT_GATE_PUBLISHABLE_KEY,
  clientSecret,
  environment: 'sandbox',
});

await ramp.mount('#gate-container', {
  onSuccess: ({ sessionId }) => {
    // UX only. Wait for the signed webhook before fulfillment.
    window.location.assign(`/checkout/pending?session=${encodeURIComponent(sessionId)}`);
  },
  onError: ({ code }) => {
    console.error('0Gate widget error', code);
  },
});

The browser SDK resolves sandbox to https://gate-api-sandbox.0bit.app and https://gate-sandbox.0bit.app. Use explicit apiBaseUrl and iframeUrl only for local development or a reviewed environment override.

React

import { RampCheckout } from '@0bit/gate/react';

export function CheckoutPanel({ clientSecret }: { clientSecret: string }) {
  return (
    <RampCheckout
      publishableKey={import.meta.env.VITE_OBIT_GATE_PUBLISHABLE_KEY}
      clientSecret={clientSecret}
      environment="sandbox"
      onSuccess={({ sessionId }) => {
        window.location.href = `/checkout/pending?session=${encodeURIComponent(sessionId)}`;
      }}
    />
  );
}

Use React callbacks for UI transitions only. Fulfillment, ledger updates, account crediting, and support-visible state changes should wait for signed backend events.

Python

from zerobit.gate import GateClient

gate = GateClient(
    api_key=os.environ["OBIT_GATE_SECRET_KEY"],
    base_url="https://gate-api-sandbox.0bit.app",
)

session = gate.sessions.create({
    "amount": "100.00",
    "currency": "EUR",
    "return_url": "https://partner.example/checkout/done",
})

The Python package name and import path come from the SDK README. Keep Python examples pinned to the package version your environment actually installs.

Webhook verification

import express from 'express';
import { GateClient, WebhookSignatureError } from '@0bit/gate';

const app = express();
const gate = new GateClient({ apiKey: process.env.OBIT_GATE_SECRET_KEY! });

app.post('/webhooks/0gate', express.raw({ type: 'application/json' }), (req, res) => {
  try {
    const event = gate.webhooks.constructEvent(
      req.body,
      req.headers['gate-signature'],
      process.env.OBIT_GATE_WEBHOOK_SECRET!,
    );

    if (event.type === 'gate_session.completed') {
      // Persist event.id and fulfill idempotently.
    }

    res.sendStatus(200);
  } catch (error) {
    if (error instanceof WebhookSignatureError) {
      return res.sendStatus(400);
    }
    return res.sendStatus(500);
  }
});

Verification requires the raw request body, the Gate-Signature header, and a whsec_* webhook secret. The SDK default tolerance is 300 seconds.

Tested evidence

The SDK tests were run from 0Bit_apps/Gate/Gate_Sdk after installing dependencies:

Command	Result
`npm test`	82 tests passed across Node, browser, and React suites.

This proves the checked-in SDK test suite passes locally. It does not prove that the package is published to npm/PyPI, that every example has been run against a live sandbox account, or that legal/compliance approval is complete.

Release checklist

Confirm the published npm package version matches package.json.
Confirm the Node runtime SDK version string is updated or intentionally documented.
Regenerate the API reference from the reviewed OpenAPI file.
Run SDK tests and at least one sandbox flow before publishing new snippets.
Keep 0Pools, 0Base, 0Link, KYC/KYB, and regional availability wording behind product/legal/compliance review.

SDKs and libraries

On this page