List 0Gate sessions
GET /gate_sessions - Cursor-paginated session list for the authenticated partner.
0Gate is the primary public integration path for hosted payment, ramp, and swap experiences. Keep secret-key operations on your server and hand only browser-safe values to the widget.
Page through the sessions your partner owns, newest first. Use it for dashboards, reconciliation sweeps, and support lookups. The raw client_secret is never returned in a list.
Endpoint
| Field | Value |
|---|---|
| Method | GET |
| Path | /v1/gate_sessions |
| Area | Sessions |
| Operation id | listSessions |
| Auth boundary | Secret key from your server. |
The full request URL is https://gate-api.0bit.app/v1/gate_sessions.
Use it for
Cursor-paginated session list for the authenticated partner.
Use this endpoint only for the partner-scoped resource it describes. Store your own reference id, the returned 0Bit object id, the request id, timestamps, and the current status so support and reconciliation do not depend on browser callbacks alone.
Production rules
- Keep secret keys on your server. This endpoint requires a
sk_*key. - Page with the cursor; do not assume unbounded list reads.
- The list returns only sessions your partner owns — there is no cross-tenant read.
- Branch on machine-readable status, error code, object id, and request id.
- Treat examples and placeholder ids as fake data only.
Request
All parameters are query-string; there is no request body.
| Parameter | In | Required | Type | Use it for |
|---|---|---|---|---|
limit | query | No | integer | Page size, 1–100, default 10. |
starting_after | query | No | string | Cursor — the id of the last item from the previous page. Returns items after it. |
status | query | No | string | Filter by lifecycle state: open, completed, expired, or cancelled. |
| Header | Required | Use it for |
|---|---|---|
Authorization | Yes | Bearer sk_test_… or Bearer sk_live_…. |
Response
Returns HTTP 200 with a ListEnvelope whose data is an array of GateSession objects (each without client_secret), newest first.
| Field | Type | Use it for |
|---|---|---|
object | string | Always list. |
data | array of GateSession | The page of sessions, newest first. Each item omits client_secret. |
has_more | boolean | true when more pages exist. Fetch the next page with starting_after. |
url | string | The list path that produced this envelope. |
Paginate
Request a page, and while has_more is true, repeat with starting_after set to the id of the last item in data.
Examples
curl 'https://gate-api.0bit.app/v1/gate_sessions?limit=10&status=open' \
-H "Authorization: Bearer sk_test_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"Fetch the next page by appending &starting_after=<last-id>.
{
"object": "list",
"data": [
{
"id": "67a1f3b9e4b0c10001234567",
"object": "gate_session",
"partner_id": "507f1f77bcf86cd799439011",
"mode": "test",
"amount": "100.00",
"currency": "EUR",
"return_url": "https://partner.example/checkout/done",
"cancel_url": null,
"status": "open",
"expires_at": "2026-05-27T12:00:00.000Z",
"created_at": "2026-05-26T12:00:00.000Z",
"flow": null,
"target_token": null,
"target_network": null,
"wallet_address": null,
"user_reference": "order_abc123",
"kyc_pre_verified": false,
"metadata": {}
}
],
"has_more": false,
"url": "/v1/gate_sessions"
}No client_secret appears in a list — it is returned only on create.
Errors
All errors use the unified envelope and carry an X-Request-Id response header. Branch on code/type/statusCode, not on the free-form message.
{
"type": "unauthorized",
"code": "unauthorized",
"message": "Example unauthorized error using fake data.",
"request_id": "req_test_000000000123",
"doc_url": null,
"statusCode": 401
}| Status | type | When it happens |
|---|---|---|
401 | unauthorized | Missing or invalid secret key. |
429 | rate_limited | Request throttled. Back off and retry. |
5xx | server_error | Transient server or upstream failure. Retry with bounded backoff. |
Public boundary
This reference covers partner-scoped endpoint behavior, authentication, idempotency, webhook verification, and support-safe records. Internal operations, settlement venues, fiat-rail providers, KYC vendors, administrative routes, and unsupported availability claims are outside the public API contract.