GiftCardsService class (accessed via client.giftCards) manages the checking and redemption of store-issued gift cards.
Methods
listGiftCards
Retrieve all gift cards held by a specific customer (gift cards are merchant-issued stored-value/loyalty instruments, not a payment method). This is used for listing a customer’s gift cards in their account dashboard.
customerId is strictly required for this endpoint to identify whose gift cards to retrieve. In addition, a customer identity must be supplied so Galactic Core can verify the requester owns those gift cards — either xAuthToken (the customer’s session token) or xExternalAuth (a bring-your-own-auth assertion); provide one, not both.Response
Customers with no gift cards get
{ "gift_cards": [] }.When listing gift cards for a customer, the resolved customer identity (
xAuthToken or xExternalAuth) must match the customerId parameter. Otherwise the request returns 403. This means a leaked publishable key alone cannot enumerate another customer’s gift cards — a customer credential is required.checkGiftCard
Retrieve the current balance and status of a gift card using its code. Because gift cards operate as bearer instruments (like cash), this endpoint deliberately does not require a customer ID.
This allows both registered users and guest checkout users to check balances.
Response
No customer auth required — the gift card code itself is the credential.
🛡️ Secure Redemption Architecture
Tybrite does not expose a standalone redemption endpoint for gift cards. This architectural decision prevents financial race conditions (double-spending) and ensures that all gift card deductions are natively tied to a unified accounting ledger and order generated during checkout. To redeem a gift card, pass the code and amount during the order creation process:Card Lifecycle
A gift card is redeemable only when all of the following hold — this is exactly what thevalid flag on checkGiftCard reflects:
- Active:
statusisactive. - Has balance:
balanceis greater than zero. - Not expired: the current date is before
expiry_date.
expiry_date passes, the card is no longer redeemable even though its status may still read active. Always rely on the valid flag rather than inferring usability from status alone.
Authentication Flow
listGiftCards requires a customer credential in addition to your API key — the session JWT from AuthenticationService passed as xAuthToken, or a bring-your-own-auth assertion passed as xExternalAuth:
customerId before any gift cards are returned.

