PalGate Cloud
At a glance
Section titled “At a glance”- Product: PalGate
- Manufacturer: PAL Electronics Systems
- Similar open-source integrations:
- Home Assistant has many gate/relay integrations; use the one that matches your hardware and/or protocol.
Coordination warning
Section titled “Coordination warning”Linking a PalGate account into an OpenApp organization delegates gate control to org operators. Coordinate with the gate owner and your organization’s policies before linking a personal phone. OpenApp probes whether the linked account is a gate administrator per device and surfaces warnings in the dashboard. See PalGate permissions and Linked Device for the full policy matrix.
Getting started
Section titled “Getting started”Dashboard (recommended)
Section titled “Dashboard (recommended)”- In Integrations, create a new integration and choose provider type PalGate Cloud.
- Enable Linked Device in the PalGate app for your phone on the target gate (gate administrator). Without this, QR linking fails with Secondary device not authorized. See Linked Device.
- Follow the setup wizard: enter the PalGate device id (and optional name), then scan the QR code with the PalGate app under Linked devices → Link a device. The dashboard polls the server until linking completes and fills session token, phone number, and token type automatically. The wizard probes admin status on that device; non-admin accounts may require legal acknowledgment depending on org policy.
- If you cannot use QR linking, use Enter credentials manually in the wizard to paste values (same fields as below).
- For each gate you want in OpenApp, create a device on that integration. Set PalGate gate ID (stored as
external_id) to the PalGate device id string the API expects (for exampleDEVICEorDEVICE:2for a second output). Device metadata stores linked-account role probes and optional legal acknowledgment. From the wizard review step you can open Devices with device id/name prefilled via query params. - Trigger an OpenApp “open” action and confirm the gate opens.
Manual / API-only
Section titled “Manual / API-only”- Create an integration with provider type
palgate_cloudand set the config and secrets fields in the table below (or viaPOST /integrationswithconfig+secrets). - Continue from step 4 above.
Integration-setup API (device linking)
Section titled “Integration-setup API (device linking)”For custom clients or automation, the same linking flow the wizard uses is available over HTTP (same auth as integrations; X-Org must match the org):
POST /api/v1/integration-setup/v1/sessions— body:{ "flow": "palgate_cloud_device_link", "org_id": "<uuid>", "options": { "base_url": "..." } }(optionalbase_url). Returnssession_idand a step payload withpalgate_cloud_device_link.qr_payload(and linking metadata).POST /api/v1/integration-setup/v1/sessions/{session_id}/poll— call repeatedly (e.g. every 1–2s). Responses:awaiting_scan,succeeded(includesconfig+secretsfor the integration), orfailed. Sessions expire after a short TTL (~15 minutes).
Use the returned config and secrets on POST /integrations to create the integration.
Setup reference
Section titled “Setup reference”| Field | Type | Required | Description | Default | Example |
|---|---|---|---|---|---|
| base_url | string | optional | Base URL for the PalGate API. | https://api1.pal-es.com | https://api1.pal-es.com |
| session_token_hex
Secrets Manager
| string | required | Session token (hex) used to authenticate to PalGate Cloud. | — | 0a1b2c3d4e5f... |
| phone_number | number | required | Phone number associated with the PalGate account. | — | 15551234567 |
| token_type | string | required | Token type string: sms, primary, or secondary. | — | primary |
Integration users (users_admin)
Section titled “Integration users (users_admin)”The PalGate provider exposes the users_admin capability, which lets OpenApp
list and remove gate users directly from the PalGate device — without leaving
the dashboard. This powers the Users tab on the integration detail page.
Capability shape
Section titled “Capability shape”- Handle kind:
phone(PalGate identifies users by E.164 phone number). - Ops:
users_admin.list_users— returns the directory of phone numbers granted access to a single PalGate device. The op takes{ device_id }(the PalGate device id, not the OpenApp device row id) and is auto-invoked byGET /integrations/{id}/integration-usersonce per integration device.users_admin.remove_user— revokes a phone number from a PalGate device. Body:{ device_id, handle }wherehandleis the user’s E.164 phone.
OpenApp permissions (gate operator vs access administrator)
Section titled “OpenApp permissions (gate operator vs access administrator)”| Permission | Action |
|---|---|
integrations:read | View integration, execute gate-open ops |
integrations:users:list | GET /integrations/{id}/integration-users, Users tab |
integrations:users:write | Invite/resend/cancel in dashboard, users_admin.remove_user |
The PalGate API still requires the linked phone to be a gate administrator to list or remove users on a device. When the linked account is not admin, the Users tab shows a limited state instead of a hard error. Full reference: PalGate permissions guide.
Organization policy (palgate_policy)
Section titled “Organization policy (palgate_policy)”Org metadata key palgate_policy (default warn_and_ack when unset):
| Value | Setup | Users tab |
|---|---|---|
warn_only | Allow; show warnings | Fails to list if not PalGate admin |
warn_and_ack | Non-admin must accept acknowledgment | Limited directory when not admin |
admin_only | Block if linked account is not admin on setup device | Full users_admin when admin |
directory_limited (generic API)
Section titled “directory_limited (generic API)”GET /integrations/{id}/integration-users may include directory_limited: true
when the upstream provider did not return the full user directory (for example
the linked credentials lack provider-side admin rights). This field is
provider-agnostic — PalGate-specific linked-account role details are in
device metadata palgate_linked_account (refreshed via the
palgate.probe_linked_account integration op).
Status reconciliation
Section titled “Status reconciliation”/integrations/{id}/integration-users joins each PalGate-reported phone with
the OpenApp users table and any pending user_invitations for the same org:
status | Meaning |
|---|---|
linked | OpenApp user has a verified phone matching the gate entry — the dashboard shows a deep link. |
invited | No matching OpenApp user, but an open user_invitations row targets the same phone. |
unlinked | Neither — the gate has a directory entry that OpenApp has never invited or attached. |
Linked-account role API
Section titled “Linked-account role API”POST /integrations/{id}/ops/palgate.probe_linked_account— probe the linked account on one gate (payload.device_id= PalGate device id). Persistspalgate_linked_accountin the matching OpenApp device metadata.POST /integration-setup/v1/palgate/probe-linked-account— wizard probe before integration exists (requiresintegrations:create).
Known gaps
Section titled “Known gaps”- No email handle: PalGate’s API only models phone-based access. The
Userstab therefore hides the email column on PalGate integrations even thoughuser_invitationsitself supports both channels. - Per-device scope: PalGate users are scoped to a single device, so the Users tab aggregates per-device lists. Removing a phone from one device does not propagate to other PalGate devices in the same integration.
- No display name: PalGate does not return a display name for directory entries. Rows render with an em-dash until OpenApp can resolve the phone to an existing user.