Sandbox Environment
Overview
The Inflow sandbox is a fully isolated test environment designed to mirror production as closely as possible. Use it to build, validate, and iterate on your integration without ever processing real transactions or moving real money.
The sandbox shares the same API surface, event model, and webhook delivery system as production. Every feature you test in sandbox behaves identically in production — there are no behavioral differences, no stub endpoints, and no simplified responses. Once your integration works in sandbox, it works in production.
NoteThe sandbox is intended for integration testing only. It is not suitable for load testing or performance benchmarking. See Limitations for details.
Requesting Sandbox Access
Sandbox accounts are not created self-serve. To get access, contact the Inflow technical team and request a sandbox account for your organization.
How it works:
- Reach out to the Inflow team and request sandbox access.
- The Inflow team creates a sandbox merchant account and sends you an invitation email.
- Follow the link in the email to activate your sandbox account and set a password.
- Log in to the sandbox dashboard using the URL provided in your invitation.
NoteThe sandbox dashboard is accessible at a different URL than production. This URL is included in your invitation email. Bookmark it separately to avoid confusion.
Key generation in sandbox follows the exact same steps as in production — there is no separate process.
Sandbox vs Production
| Feature | Sandbox | Production |
|---|---|---|
| Real charges | No — all transactions are simulated | Yes — real money is processed |
| API surface | Identical to production | Full API |
| Webhooks | Fully functional | Fully functional |
| API keys | Isolated test keys | Isolated live keys |
| Dashboard | Separate URL | https://dashboard.inflowpay.com |
| Data isolation | Completely isolated from production | Completely isolated from sandbox |
| Rate limiting | Stricter limits apply | Standard production limits |
| Load testing | Not supported | Not applicable |
| Checkout URL | sandbox.checkout.inflowpay.com | checkout.inflowpay.com |
| Purpose | Development & QA | Live merchant operations |
WarningSandbox and production environments are fully isolated. API keys, customers, payments, subscriptions, and webhook configurations created in one environment are never visible in the other. Always verify which environment you are targeting before making API calls.
API Endpoints
Use the correct base URL for each environment. Mixing environments (e.g., using a sandbox key with a production URL) will result in a 401 Unauthorized error.
REST API
| Environment | Base URL |
|---|---|
| Production | https://api.inflowpay.xyz |
| Sandbox | https://sandbox.api.inflowpay.xyz |
Dashboard
| Environment | URL |
|---|---|
| Production | https://dashboard.inflowpay.com |
| Sandbox | Provided in your invitation email |
Checkout
| Environment | URL pattern |
|---|---|
| Production | https://checkout.inflowpay.com/pay/{paymentId} |
| Sandbox — one-time payment | https://sandbox.checkout.inflowpay.com/pay/{paymentId} |
| Sandbox — subscription offer | https://sandbox.checkout.inflowpay.com/subscribe/{offerId} |
Example sandbox checkout URL:
https://sandbox.checkout.inflowpay.com/subscribe/sub_offer_xxx
NoteThe
{offerId}in a subscription checkout URL (e.g.,sub_offer_xxx) is generated when you create an offer in the sandbox dashboard or via the API. It is unique to each environment — sandbox offer IDs are not valid in production.
SDK
If you use @inflow_pay/sdk to collect card payments, you must be on version 1.2.0 or later to target the sandbox. Starting with 1.2.0, the SDK automatically routes to https://sandbox.api.inflowpay.xyz when the public key passed to InflowPayProvider contains _sandbox_ (e.g. inflow_pub_sandbox_...). Older versions will fail with 401 Unauthorized when given a sandbox key.
npm install @inflow_pay/sdk@^1.2.0API Keys
Each environment has its own set of API keys. Sandbox keys are generated from the sandbox dashboard and are completely independent from your production keys.
Key Types
| Key Type | Header | Sandbox prefix | Production prefix |
|---|---|---|---|
| Private Key | X-Inflow-Api-Key | inflow_sandbox_ | inflow_prod_ |
| Public Key | X-Inflow-Public-Key | inflow_pub_sandbox_ | inflow_pub_prod_ |
How to Generate Sandbox Keys
- Log in to your sandbox dashboard.
- Go to the Developers panel.
- Generate your sandbox private and public API keys.
- Copy the keys and store the private key securely.
WarningNever use sandbox keys in a production environment, and never use production keys in sandbox. Beyond being a security risk, mismatched keys will cause
401errors and pollute your live data. Store each environment's keys in separate environment variables (e.g.,INFLOW_API_KEY_SANDBOXvsINFLOW_API_KEY_PROD).
Security Best Practices for Keys
- Store all keys — sandbox and production — in environment variables, never hardcoded in source files.
- Do not commit keys to version control, even sandbox keys.
- Grant access to sandbox keys only to team members who need them for development.
- Rotate keys immediately if they are accidentally exposed.
No Real Charges
In the sandbox environment, no payment is ever processed and no money is ever moved. All transaction flows — authorizations, captures, refunds, failures — are fully simulated.
This means you can:
- Trigger successful payments, declines, and partial refunds freely.
- Create and cancel subscriptions without financial consequence.
- Simulate every payment status (
authorized,settled,failed,refunded) to test your error handling and UI states. - Run your entire QA suite against real API responses without any billing risk.
NoteEven though no money moves, the sandbox API returns realistic payment objects with real-looking IDs, amounts, and timestamps. Your integration code does not need to behave differently in sandbox — it can treat sandbox responses as structurally identical to production responses.
Webhook Behavior
Webhooks in sandbox are fully operational and behave identically to production.
| Behavior | Sandbox | Production |
|---|---|---|
| Event types fired | payment_created, payment_status_updated | Same |
| Payload structure | Identical to production | — |
| Delivery engine | Svix (same as production) | Svix |
| Retry logic | Exponential backoff, up to 10 attempts | Same |
| Signature verification | Required (same whsec_ secret format) | Required |
| HTTPS required | Yes | Yes |
Register a dedicated sandbox webhook endpoint for your local or staging server. Tools such as ngrok or Hookdeck are useful for exposing a local development server to receive webhook deliveries during testing.
Registering a sandbox webhook:
curl -X POST https://sandbox.api.inflowpay.xyz/api/webhook \
-H "X-Inflow-Api-Key: inflow_priv_your_sandbox_key" \
-H "Content-Type: application/json" \
-d '{
"url": "https://your-staging-server.example.com/webhooks/inflow"
}'
WarningAlways verify webhook signatures, even in sandbox. Skipping signature verification in your test environment is a common source of bugs that only surface in production. Test your verification logic early.
For full webhook setup instructions, refer to Setting Up Webhooks.
Limitations
The sandbox is a full-fidelity environment for integration testing, but it has the following known constraints:
| Limitation | Detail |
|---|---|
| Rate limiting | Stricter than production. Sandbox enforces lower request-per-second thresholds. |
| No load testing | Do not use sandbox to benchmark throughput or simulate high-concurrency traffic. Use a dedicated load-testing plan or contact the Inflow team. |
| Data retention | Sandbox data may be periodically reset or purged. Do not rely on sandbox records as a long-term data store. |
| No real card processing | Card data submitted in sandbox is not forwarded to any payment network. |
| No real payouts | Balance and payout flows are simulated and do not trigger real bank transfers. |
WarningDo not run load tests against the sandbox. Sustained high-volume traffic will exhaust your rate limit quota and may result in temporary API access suspension for your sandbox account. If you need to validate performance characteristics, contact the Inflow team.
Best Practices
Follow these guidelines to get the most out of your sandbox testing:
- Mirror your production setup exactly. Use the same API call sequences, the same webhook registration flow, and the same error handling logic. The sandbox is only useful if it represents your real integration.
- Test all payment outcomes. Validate your UI and backend logic for every status: successful payment, card decline, insufficient funds, 3DS authentication required, and refund. Do not only test the happy path.
- Test webhook failure and retry. Temporarily return a non-2xx status from your endpoint to confirm your system handles delayed webhook delivery correctly.
- Verify webhook signatures. Ensure your signature verification code works end-to-end in sandbox before going live.
- Use realistic test data. Use accurate email formats, realistic amounts, and valid currency codes. Garbage inputs may return validation errors that mask real integration issues.
- Automate your test suite. Write automated integration tests that run against sandbox. This gives you fast feedback when you change your integration code.
- Keep sandbox and production credentials separate. Use distinct environment variable names (e.g.,
INFLOW_API_KEYfor production,INFLOW_API_KEY_SANDBOXfor sandbox) and never mix them. - Clean up after tests. Cancel test subscriptions and webhooks you no longer need to keep your sandbox account tidy.
Updated about 14 hours ago