> ## Documentation Index
> Fetch the complete documentation index at: https://docs.lightspark.com/llms.txt
> Use this file to discover all available pages before exploring further.
# Sandbox Testing
> Test your payouts integration in the Grid sandbox environment
## Overview
The Grid sandbox environment allows you to test your payouts integration without moving real money. All API endpoints work the same way in sandbox as they do in production, but money movements are simulated and you can control test scenarios using special test values.
## Getting Started with Sandbox
### Sandbox Credentials
To use the sandbox environment:
1. Go to [app.lightspark.com](https://app.lightspark.com), create an account, and generate your sandbox API keys from the dashboard.
2. Add your sandbox API token and secret to your environment variables.
3. Use the normal production base URL: `https://api.lightspark.com/grid/2025-10-13`
4. Authenticate using your sandbox token with HTTP Basic Auth
## Simulating Money Movements
### Funding Internal Accounts
In production, internal accounts are funded by following the payment instructions (bank transfer, wire, etc.). In sandbox, you can instantly add funds to any internal account using the following endpoint:
```bash theme={null}
POST /sandbox/internal-accounts/{accountId}/fund
{
"amount": 100000 # $1,000 in cents
}
```
**Example:**
```bash theme={null}
curl -X POST https://api.lightspark.com/grid/2025-10-13/sandbox/internal-accounts/InternalAccount:abc123/fund \
-u "sandbox_token_id:sandbox_token_secret" \
-H "Content-Type: application/json" \
-d '{
"amount": 100000
}'
```
This endpoint returns the updated `InternalAccount` object with the new balance.
Alternatively, you can also fund internal accounts using the `/quotes` or `/transfer-in` endpoints as described below.
## Testing Transfer Scenarios
### Adding Test External Accounts
The flows for creating external accounts in sandbox are the same as in production. The **last 3 digits** of an external account's primary identifier (account number, IBAN, CLABE, Spark wallet address, etc.) determine the test scenario when that account is used in transfers or quotes. For identifiers with a domain part (e.g. PIX email keys), append the test digits to the username portion — for example, `testuser.002@pix.com.br`.
### Beneficiary name verification
For account types that support beneficiary name verification, you can simulate different verification outcomes in sandbox. Use account identifiers with a `1xx` suffix to trigger verification scenarios (this range is reserved for verification and does not conflict with transfer or quote test patterns):
| Suffix | `beneficiaryVerificationStatus` | Behavior |
| ------------- | ------------------------------- | -------------------------------------------------------------------- |
| **102** | `NOT_MATCHED` | Account is valid but name does not match |
| **103** | `PARTIAL_MATCH` | Account is valid, name is a fuzzy match |
| **104** | `PENDING` | Verification still in progress |
| **105** | *(error)* | Returns `400` — invalid account |
| **106** | `UNSUPPORTED` | Payment rail does not support name verification |
| **107** | `CHECKED_BY_RECEIVING_FI` | Verification deferred to receiving financial institution (e.g., ACH) |
| **Any other** | `MATCHED` | Account is valid, name matches exactly |
### Testing Transfer-In (Pull from External Account)
When you call `/transfer-in` with an external account created using test patterns, the transfer will complete instantly in sandbox with the behavior determined by the account number:
```bash theme={null}
POST /transfer-in
{
"source": {
"accountId": "ExternalAccount:abc123" // Uses test pattern from creation
},
"destination": {
"accountId": "InternalAccount:xyz789"
},
"amount": 10000 // $100 in cents
}
```
| Suffix | Behavior |
| ------------- | --------------------------------------------------------- |
| **002** | Insufficient funds — transfer fails immediately |
| **003** | Account closed/invalid — transfer fails immediately |
| **004** | Transfer rejected — bank rejects the transfer |
| **005** | Timeout/delayed failure — stays pending \~30s, then fails |
| **Any other** | Success — transfer completes normally |
### Testing Transfer-Out (Push to External Account)
Transfer-out works the same way - the destination external account's test pattern determines the outcome:
```bash theme={null}
POST /transfer-out
{
"source": {
"accountId": "InternalAccount:xyz789"
},
"destination": {
"accountId": "ExternalAccount:abc123" // Uses test pattern
},
"amount": 10000
}
```
The transfer will instantly simulate the bank transfer process and complete with the appropriate status based on the external account's test pattern.
## Testing Cross-Currency Quotes
When creating a quote with an external account destination, the account number suffix determines the payment outcome after quote execution:
| Suffix | Behavior |
| ------------- | ---------------------------------------------------------------------- |
| **002** | Quote execution failed |
| **003** | Long payment — completes after approximately 6 minutes |
| **004** | Counterparty delivery failed |
| **005** | Receiving bank returned payment (completes then transitions to failed) |
| **006** | User cancellation |
| **007** | Payout and refund failed |
| **Any other** | Successful payment |
### Creating Quotes with Test Accounts
When creating quotes with test external accounts, first create an external account with a test account pattern, then reference it in the quote:
```bash theme={null}
# Step 1: Create the external account with a test pattern
POST /customers/external-accounts
{
"customerId": "Customer:123",
"currency": "EUR",
"accountInfo": {
"accountType": "EUR_ACCOUNT",
"iban": "DE89370400440532013003",
"beneficiary": {
"beneficiaryType": "INDIVIDUAL",
"fullName": "Test User"
}
}
}
# Step 2: Create the quote using the external account ID
POST /quotes
{
"source": {
"sourceType": "ACCOUNT",
"accountId": "InternalAccount:abc123"
},
"destination": {
"destinationType": "ACCOUNT",
"accountId": "ExternalAccount:..."
},
"lockedCurrencySide": "SENDING",
"lockedCurrencyAmount": 100000
}
```
The IBAN ending in `003` triggers the slow payment test pattern.
### Executing Quotes in Sandbox
For quotes from an external account source, execute as in production via `/quotes/{quoteId}/execute`. The sandbox will:
1. Instantly process the currency conversion
2. Apply the test behavior based on any external accounts involved
3. Update transaction statuses immediately (no waiting for bank processing)
4. Trigger webhooks for state changes
For quotes with real-time funding (no source account), use the `/sandbox/send` endpoint to simulate the inbound payment. Reference the quote by ID and specify the funding currency:
```bash theme={null}
POST /sandbox/send
{
"quoteId": "Quote:019542f5-b3e7-1d02-0000-000000000006",
"currencyCode": "USD"
}
```
`currencyCode` must match the quote's funding-source currency. `currencyAmount` is optional — when omitted, the amount is derived from the quote.
## Testing Webhooks
All webhook events fire normally in sandbox. To test your webhook endpoint:
1. Configure your webhook URL in the dashboard
2. Perform actions that trigger webhooks (transfers, quote execution, etc.)
3. Receive webhook events at your endpoint
4. Verify signature using the sandbox public key
You can also manually trigger a test webhook:
```bash theme={null}
POST /sandbox/webhooks/test
{
"url": "https://your-app.com/webhooks"
}
```
## Common Testing Workflows
### Complete Payout Flow Test
Here's a complete test workflow for a USD → EUR payout:
1. **Create customer and internal accounts** (via regular API)
2. **Fund customer's USD internal account:**
```bash theme={null}
POST /sandbox/internal-accounts/InternalAccount:customer-usd/fund
{ "amount": 100000 } # $1,000
```
3. **Create a test external EUR account:**
```bash theme={null}
POST /customers/external-accounts
# Use default account number for success case
```
4. **Create and execute a quote:**
```bash theme={null}
POST /quotes
# USD internal → EUR external
POST /quotes/{quoteId}/execute
```
5. **Verify transaction status and webhooks**
### Testing Error Scenarios
Test each failure mode systematically:
```bash theme={null}
# 1. Test insufficient funds
# Create external account ending in 002
POST /customers/external-accounts { "accountNumber": "000000002" }
# Attempt transfer-in - should fail immediately
POST /transfer-in
# 2. Test account closed
# Create external account ending in 003
POST /customers/external-accounts { "accountNumber": "000000003" }
# Attempt transfer-out - should fail immediately
POST /transfer-out
# 3. Test timeout scenario
# Create external account ending in 005
POST /customers/external-accounts { "accountNumber": "000000005" }
# Attempt transfer - should pend then fail after ~30s
POST /transfer-in
# Check status immediately - will show PENDING
GET /transactions/{transactionId}
# Wait 30s, check again - will show FAILED
```
## Global Account magic values
The Grid sandbox lets you exercise Global Account auth flows without moving real money. Email OTP uses the fixed sandbox code `000000` — HPKE-encrypt that code in the `encryptedOtpBundle` just like production. Passkey auth can use the same browser WebAuthn ceremony as production, and signed wallet actions can use the same session signing key and `Grid-Wallet-Signature` stamp as production. OAuth uses JWT-shaped sandbox OIDC tokens: sandbox skips real IdP signature verification, but still validates token claims, freshness, credential identity, and verify-time nonce binding.
Sandbox runs real HPKE end-to-end for EMAIL\_OTP: clients build a real `encryptedOtpBundle` against the sandbox `otpEncryptionTargetBundle` and sign a real `verificationToken` with their TEK keypair. The only sandbox shortcut is the magic OTP code the user "receives" instead of a real email delivery.
Authentication failures return `401 UNAUTHORIZED` with a `reason` field that names the specific check that failed. A malformed OIDC JWT can return `400 INVALID_INPUT` before authentication starts.
### Email OTP code
HPKE-encrypt the code `000000` (together with your TEK public key) inside `encryptedOtpBundle`. The sandbox skips email delivery but runs real HPKE decryption and signature verification.
See Encrypt the OTP code for how to build the bundle. The flow is:
1. Call `POST /auth/credentials/{id}/challenge` to get `otpEncryptionTargetBundle`
2. Generate a TEK key pair and HPKE-encrypt `{otp_code: "000000", public_key: tekPublicKeyHex}`
3. Submit `encryptedOtpBundle` to `POST /auth/credentials/{id}/verify`
4. Receive `202` with `payloadToSign` and `requestId`
5. Sign `payloadToSign` with the TEK private key and retry with `Grid-Wallet-Signature` + `Request-Id` headers
```bash theme={null}
# First leg — returns 202 with payloadToSign
curl -X POST https://api.lightspark.com/grid/2025-10-13/auth/credentials/AuthMethod:abc123/verify \
-u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET" \
-H "Content-Type: application/json" \
-d '{
"type": "EMAIL_OTP",
"encryptedOtpBundle": "{\"encappedPublic\":\"044f631a...\",\"ciphertext\":\"1fa1023390...\"}"
}'
# Signed retry — returns 200 with AuthSession
curl -X POST https://api.lightspark.com/grid/2025-10-13/auth/credentials/AuthMethod:abc123/verify \
-u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET" \
-H "Content-Type: application/json" \
-H "Grid-Wallet-Signature: eyJwdWJsaWNLZXkiOiIwMmExYjIuLi4i..." \
-H "Request-Id: Request:7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21" \
-d '{
"type": "EMAIL_OTP",
"encryptedOtpBundle": "{\"encappedPublic\":\"044f631a...\",\"ciphertext\":\"1fa1023390...\"}"
}'
```
Any other code (once decrypted) returns `401 UNAUTHORIZED` with `reason: "Invalid OTP code"`.
### Passkey WebAuthn ceremony
For new sandbox integrations, use the same WebAuthn calls you plan to use in production.
Generate your own WebAuthn registration challenge and call `navigator.credentials.create()`.
Register the passkey with `POST /auth/credentials`, passing the challenge and attestation returned by the browser.
Reauthenticate with `POST /auth/credentials/{id}/challenge`, passing the P-256 `clientPublicKey` that Grid should seal the session signing key to.
Pass the returned `challenge` into `navigator.credentials.get()` using the returned `credentialId` in `allowCredentials`.
Verify with `POST /auth/credentials/{id}/verify`, passing the browser assertion and echoing `Request-Id` from the challenge response.
The sandbox validates the registered credential ID, WebAuthn challenge, origin/RP binding, user-presence bit, assertion signature, and signature counter. A successful verify response includes `encryptedSessionSigningKey`, sealed to the `clientPublicKey`, just like production.
```bash theme={null}
# 1. /challenge with clientPublicKey
curl -X POST https://api.lightspark.com/grid/2025-10-13/auth/credentials/AuthMethod:abc123/challenge \
-u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET" \
-H "Content-Type: application/json" \
-d '{
"clientPublicKey": "04f45f2a..."
}'
# 2. /verify with the browser assertion returned by navigator.credentials.get()
curl -X POST https://api.lightspark.com/grid/2025-10-13/auth/credentials/AuthMethod:abc123/verify \
-u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET" \
-H "Content-Type: application/json" \
-H "Request-Id: Request:7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21" \
-d '{
"type": "PASSKEY",
"assertion": {
"credentialId": "...",
"clientDataJson": "...",
"authenticatorData": "...",
"signature": "..."
}
}'
```
The legacy sandbox-only assertion signature `sandbox-valid-passkey-signature` is still accepted for compatibility, but it skips WebAuthn verification and should not be used for production-shaped sandbox tests.
### OAuth (OIDC) token
OAuth does not use a fixed magic token in sandbox. Pass a JWT-shaped OIDC token as `oidcToken`. The JWT signature segment can be a dummy value, but the payload must look like a real ID token.
For `POST /auth/credentials` with `type: "OAUTH"`, the sandbox token must include:
* `iss`: a supported issuer, such as `https://accounts.google.com`, `accounts.google.com`, or `https://appleid.apple.com`
* `aud`: a non-empty string, or a single-element string array
* `sub`: a non-empty subject identifier for the user
* `iat`: a numeric issued-at timestamp no more than 60 seconds before the request, with 5 seconds of clock skew allowed
* `exp`: a numeric expiration timestamp later than the request time
Grid stores the OAuth credential's registered identity from `iss`, `aud`, and `sub`. On `POST /auth/credentials/{id}/verify`, the fresh `oidcToken` must carry the same `iss`, `aud`, and `sub` as the credential being verified. It must also include `nonce` equal to `sha256(clientPublicKey)`, where `clientPublicKey` is the exact hex public key sent in the verify request.
```bash theme={null}
export PUBLIC_KEY="04f45f2a22c908b9ce09a7150e514afd24627c401c38a4afc164e1ea783adaaa31d4245acfb88c2ebd42b47628d63ecabf345484f0a9f665b63c54c897d5578be2"
OIDC_TOKEN=$(node - <<'NODE'
const crypto = require("crypto");
const publicKey = process.env.PUBLIC_KEY || "04f45f2a22c908b9ce09a7150e514afd24627c401c38a4afc164e1ea783adaaa31d4245acfb88c2ebd42b47628d63ecabf345484f0a9f665b63c54c897d5578be2";
const now = Math.floor(Date.now() / 1000);
const b64url = (value) =>
Buffer.from(JSON.stringify(value)).toString("base64url");
const payload = {
iss: "https://accounts.google.com",
sub: "sandbox-user-123",
aud: "grid-sandbox-oauth-client-id",
iat: now,
exp: now + 300,
nonce: crypto.createHash("sha256").update(publicKey).digest("hex"),
email: "sandbox-user-123@example.com",
email_verified: true
};
console.log(
`${b64url({ alg: "RS256", typ: "JWT" })}.${b64url(payload)}.sandbox-signature`
);
NODE
)
curl -X POST https://api.lightspark.com/grid/2025-10-13/auth/credentials/AuthMethod:abc123/verify \
-u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET" \
-H "Content-Type: application/json" \
-d '{
"type": "OAUTH",
"oidcToken": "'"$OIDC_TOKEN"'",
"clientPublicKey": "'"$PUBLIC_KEY"'"
}'
```
The old literal `sandbox-valid-oidc-token` is no longer accepted. Use a freshly generated sandbox JWT for both OAuth credential registration and OAuth verification. Production requires a real ID token from your provider and verifies the provider signature.
### Wallet signature header
For `PASSKEY` and `OAUTH` credentials, decrypt `encryptedSessionSigningKey` with the private key matching the `clientPublicKey` you supplied on verify or refresh. For `EMAIL_OTP`, the TEK private key you generated for the encrypted OTP flow **is** the session signing key — no decryption step needed. Use the session signing key to build a Turnkey API-key stamp over the exact `payloadToSign` string returned by Grid, then pass that full stamp as the `Grid-Wallet-Signature` HTTP header on signed flows:
* `POST /auth/credentials` (add-additional-credential signed retry)
* `DELETE /auth/credentials/{id}` (revoke credential)
* `DELETE /auth/sessions/{id}` (revoke session)
* `POST /internal-accounts/{id}/export` (export wallet)
* `PATCH /internal-accounts/{id}` (update wallet privacy)
* `POST /quotes/{quoteId}/execute` (when source is an embedded wallet)
This example uses the sample signer in the Grid API repo's [scripts directory](https://github.com/lightsparkdev/grid-api/tree/main/scripts). See the [scripts README](https://github.com/lightsparkdev/grid-api/blob/main/scripts/README.md) for setup, or replace `SIGN` with your own Turnkey API-key stamp implementation.
```bash theme={null}
SIGN="node $(pwd)/scripts/embedded-wallet-sign.js"
STAMP=$($SIGN stamp "$SESSION_PRIV_HEX" "$PAYLOAD_TO_SIGN")
curl -X POST https://api.lightspark.com/grid/2025-10-13/quotes/Quote:abc123/execute \
-u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET" \
-H "Content-Type: application/json" \
-H "Idempotency-Key: 7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21" \
-H "Grid-Wallet-Signature: $STAMP"
```
Sandbox validates that the stamp is a P-256 Turnkey API-key stamp over the exact pending Turnkey payload and that the public key belongs to an active sandbox session for the wallet.
The legacy sandbox-only `Grid-Wallet-Signature: sandbox-valid-signature` value is still accepted for compatibility. Use a real session stamp when you want the client implementation to match production.
## Sandbox Limitations
While sandbox closely mimics production, there are some differences:
* **Instant settlement**: All transfers complete immediately (success cases) or fail immediately (error cases), except timeout scenarios (005)
* **No real bank validation**: Account numbers aren't validated against real banking networks
* **Simplified KYC**: KYC processes are simulated and complete instantly. You must add customers via the `/customers` endpoint, rather than using the KYC link flow.
* **Fixed exchange rates**: Currency conversion rates may not reflect real-time market rates.
Do not try sending money to any sandbox addresses or accounts. These are not real addresses and will not receive money.
## Moving to Production
When you're ready to move to production:
1. Generate production API tokens in the dashboard
2. Swap those credentials for the sandbox credentials in your environment variables
3. Remove any sandbox-specific test patterns from your code
4. Configure production webhook endpoints
5. Test with small amounts first
## Next Steps
* Review [Webhooks](/payouts-and-b2b/platform-tools/webhooks) for event handling
* Check out the [Postman Collection](/payouts-and-b2b/platform-tools/postman-collection) for API examples
* See [Error Handling](/payouts-and-b2b/payment-flow/error-handling) for production error strategies