Gish API · v2.4 · stable

Build on Gish.

REST + GraphQL APIs for wishes, group buys, outcome funds, contributions, and webhooks. OAuth 2.0 for third-party apps, API keys for first-party. Stable, versioned, and production-ready.

Base URLs
REST: https://api.gishme.com/v2/
GraphQL: https://api.gishme.com/graphql
Webhooks: events POSTed to your registered URL · signed with HMAC-SHA256

Authentication

Two methods. API keys for backend services and first-party tools. OAuth 2.0 for third-party apps acting on a user's behalf.

# API key · header
Authorization: Bearer gsk_live_a1b2c3d4...

# OAuth flow · authorize
GET https://gishme.com/oauth/authorize?
  client_id=YOUR_ID&
  redirect_uri=https%3A%2F%2Fyourapp.com%2Fcb&
  scope=wishes:read%20contributions:write&
  state=random_csrf_token

Scopes: wishes:read, wishes:write, contributions:read, contributions:write, profile:read, profile:write, webhooks:manage.
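
An added example (not from the Gish documentation) of building the authorize URL above with correct encoding and a random `state`, then checking the returned `state` on the callback. The function names `buildAuthorizeUrl` and `verifyState` are hypothetical, and keeping the state in the user's server-side session is an assumption.

```javascript
const crypto = require('crypto');

// Scopes listed on this page; anything else is rejected before redirecting.
const KNOWN_SCOPES = new Set([
  'wishes:read', 'wishes:write', 'contributions:read', 'contributions:write',
  'profile:read', 'profile:write', 'webhooks:manage',
]);

// Build the authorize URL. The caller stores `state` in the user's session
// (assumption) and sends the browser to `url`.
function buildAuthorizeUrl({ clientId, redirectUri, scopes }) {
  const unknown = scopes.filter((s) => !KNOWN_SCOPES.has(s));
  if (unknown.length > 0) {
    throw new Error(`Unknown scope: ${unknown.join(', ')}`);
  }
  // 32 random bytes from the CSPRNG: unguessable, generated per authorization attempt.
  const state = crypto.randomBytes(32).toString('hex');
  const url = new URL('https://gishme.com/oauth/authorize');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('scope', scopes.join(' ')); // encoded by URLSearchParams
  url.searchParams.set('state', state);
  return { url: url.toString(), state };
}

// On the callback, compare the returned state with the stored one in constant
// time. A missing or mismatched state means the response must be discarded.
function verifyState(returnedState, storedState) {
  if (typeof returnedState !== 'string' || typeof storedState !== 'string') {
    return false;
  }
  const a = Buffer.from(returnedState, 'utf8');
  const b = Buffer.from(storedState, 'utf8');
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}
```

Delete the stored state after the first comparison, whether it matched or not, so a captured callback URL cannot be replayed.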

Your first call

Get the authenticated user's public profile:

curl https://api.gishme.com/v2/me \
  -H "Authorization: Bearer gsk_live_..."

# Response 200 OK
{
  "id": "usr_8a1f3b",
  "handle": "@alexgrant",
  "name": "Alex Grant",
  "verified": true,
  "plan": "plus",
  "created_at": "2024-03-12T14:22:00Z"
}

Wishes resource

GET     /v2/wishes           List authenticated user's wishes (paginated)
POST    /v2/wishes           Create a wish (also via the browser extension's capture endpoint)
GET     /v2/wishes/:id       Fetch a single wish · public if visibility=public
PUT     /v2/wishes/:id       Update visibility, price, story, pin status
DELETE  /v2/wishes/:id       Soft-delete (recoverable for 30 days)
POST    /v2/wishes/capture   Auto-extract a wish from a retailer URL · used by the browser extension

Group buys

GET     /v2/groups                  List active group buys you contribute to or organize
POST    /v2/groups                  Open a new group buy · auth + escrow held until goal hit
POST    /v2/groups/:id/contribute   Authorize a contribution · cards charged only on goal-met
POST    /v2/groups/:id/close        Manually close (owner only) · refunds all authorizations

Outcome funds

POST    /v2/outcomes                Open an outcome fund · payee must be verified before going live
POST    /v2/outcomes/verify-payee   Submit a payee for EIN/NPI/business verification (1-3 day process)
GET     /v2/outcomes/:id/receipts   List per-contributor PDF receipts (URL valid for 30 days)

Webhooks

Events are POSTed to your registered URL. The body is JSON, and its HMAC-SHA256 signature, computed over the raw request body, is sent in the X-Gish-Signature header.

Events: wish.created, wish.updated, group.opened, group.contribution_authorized, group.goal_met, group.charged, group.refunded, outcome.payee_verified, outcome.wired, contribution.created, profile.followed.

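# Verify signature
const crypto = require('crypto');

const sig = req.headers['x-gish-signature'] || '';
const expected = crypto
  .createHmac('sha256', WEBHOOK_SECRET)
  .update(req.rawBody) // raw bytes as received, not re-serialized JSON
  .digest('hex');
// Compare in constant time; timingSafeEqual throws on unequal lengths, so check first
const a = Buffer.from(sig, 'utf8');
const b = Buffer.from(expected, 'utf8');
if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) {
  throw new Error('Invalid signature');
}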

Rate limits

Free: 60 req/min · Per API key · 1k requests/day soft cap
Plus: 600 req/min · Per API key · 100k requests/day · burst to 1k/min
Business: 10k req/min · Custom quotas · dedicated support · 99.9% SLA

Rate-limit headers: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset. 429 responses include a Retry-After header.

Errors

Standard HTTP status codes. JSON error body:

{
  "error": {
    "code": "payee_unverified",
    "message": "Outcome fund payee must be verified before campaign launch",
    "docs": "https://gishme.com/api-docs.html#outcomes",
    "request_id": "req_8a1f3b9c"
  }
}

Common codes: auth_required, auth_invalid, scope_missing, resource_not_found, validation_error, rate_limited, payee_unverified, goal_already_met.

Need higher limits or custom integrations?

Email api@gishme.com · we typically respond within 24 hours · happy to do custom OAuth scopes, webhook event types, or dedicated rate-limit tiers for production integrations.