Gale’s HSA/FSA-enabled API lets merchants create products, launch a hosted checkout, manage refunds & cancellations, register webhooks, and handle subscriptions. This page covers authentication, rate limits, error formats, and links to every public endpoint.
All requests must use HTTPS.
Add an `Idempotency-Key` header to write operations to avoid duplicates.
Detailed specs live under Resources below.
Every request needs an `Authorization` header:
In the Gale Dashboard open Settings → API Keys.
Copy your `merchant_api_token`.
Send it on every call, e.g.
Missing or invalid tokens return:
100 requests / minute / merchant (burst to 200).
Exceeding the limit yields:
Wait the indicated seconds, then retry.
Add an `Idempotency-Key` header to every state-changing `POST`:
Re-using the same key within 24 h returns the original response (no duplicates).
`GET` and `DELETE` calls ignore this header.
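The rate-limit and idempotency rules above interact on retries: a `POST` retried after a 429 must carry the key it was first sent with, or the retry counts as a new write. The sketch below is an added example, not Gale's code; the bearer scheme, the `Retry-After` header, the `send` transport interface, and the URL and token values are assumptions or placeholders.

```python
import time
import uuid

def parse_wait(value, default=1.0, ceiling=60.0):
    """Turn a server-supplied wait into a bounded number of seconds."""
    try:
        seconds = float(value)
    except (TypeError, ValueError):
        return default
    if not seconds >= 0:          # rejects negatives and NaN
        return default
    return min(seconds, ceiling)  # never let a response stall the client

def call_with_retry(send, method, url, token, body=None,
                    max_attempts=4, sleep=time.sleep):
    """Send one logical request; retry on 429 with an unchanged key.

    send(method, url, headers, body) -> (status, headers, body) is a
    caller-supplied transport (hypothetical interface for this example).
    """
    # Assumption: bearer scheme. The page only requires an Authorization header.
    headers = {"Authorization": f"Bearer {token}"}
    if method.upper() == "POST":
        # One key per logical operation, created before the first attempt.
        # A fresh key per attempt would turn every retry into a new write.
        headers["Idempotency-Key"] = str(uuid.uuid4())
    for attempt in range(1, max_attempts + 1):
        status, resp_headers, resp_body = send(method, url, dict(headers), body)
        if status != 429 or attempt == max_attempts:
            return status, resp_body
        # Assumption: the wait is carried in a Retry-After header, in seconds.
        sleep(parse_wait(resp_headers.get("Retry-After")))

def demo():
    """Constructed transport: first call is rate-limited, second succeeds."""
    seen, waits = [], []
    replies = [(429, {"Retry-After": "2"}, ""), (200, {}, '{"ok": true}')]

    def fake_send(method, url, headers, body):
        seen.append(headers.get("Idempotency-Key"))
        return replies[len(seen) - 1]

    # URL and token are placeholders, not real Gale values.
    result = call_with_retry(fake_send, "POST", "https://api.example.invalid/x",
                             "PLACEHOLDER_TOKEN", body="{}", sleep=waits.append)
    return result, seen, waits

if __name__ == "__main__":
    print(demo())
```

Persist the key alongside the pending operation if a retry can happen after a process restart, so the replay still falls inside the 24 h window with the same key.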
HTTP Status | Meaning | Typical Cause |
---|---|---|
400 Bad Request | Malformed JSON / missing fields | Body isn’t valid JSON or a required attribute is absent |
401 Unauthorized | Missing / invalid token | Authorization header absent, expired, or malformed |
403 Forbidden | Not permitted | Token valid but merchant doesn’t own the resource |
404 Not Found | Resource absent | `product_id`, `checkout_id`, etc. does not exist |
409 Conflict | Invalid state change | e.g. cancelling a checkout already PAID |
422 Unprocessable Entity | Validation failed | Field has wrong type / value |
429 Too Many Requests | Rate-limit hit | Too many calls in a short burst |
500 Internal Server Error | Unexpected server issue | Something went wrong on Gale’s side – retry after a few minutes |
Create, list, update, delete, and check HSA/FSA eligibility for every item.
Create hosted checkouts, fetch status, refund, or cancel a session.
Receive real-time events for checkout status and product-eligibility changes.
Create recurring-billing plans and attach one or many to your products.
Next step: choose a resource above to dive into its endpoints.