Guides

Sandbox Environment

Sandbox Environment

The Green Dot BaaS Sandbox environment is a non‑production environment used for development, integration, and functional testing. It allows partners to safely validate authentication, API behavior, request and response formats, and encryption handling without impacting real customers, accounts, or funds.

The Sandbox should be used during initial integration and ongoing testing prior to Production access.

Purpose of the Sandbox

The Sandbox environment exists to help partners:

  • Validate end‑to‑end API integrations safely
  • Test OAuth authentication and authorization behavior
  • Confirm request and response formats
  • Implement and verify encryption and decryption logic
  • Exercise common API flows using test data
  • Explore expected error conditions and failure scenarios

The Sandbox mirrors Production behavior as closely as possible at the API and protocol level, while isolating all activity from live systems.

What the Sandbox Is Not

The Sandbox environment:

  • Does not process real money
  • Does not create real customer accounts, cards, or payment instruments
  • Uses simulated or test data only
  • Is not intended for load, performance, or stress testing

All data created in Sandbox is strictly for testing purposes and should not be treated as persistent or permanent.

Sandbox vs Production Separation

Sandbox and Production environments are fully isolated:

  • Separate base URLs
  • Separate client credentials
  • Separate IP allow‑listing requirements
  • No shared data or identifiers

Access tokens, credentials, or identifiers from Sandbox cannot be reused in Production, and vice versa.

Access Requirements

Before accessing the Sandbox environment, partners must complete the following:

  1. Complete partner onboarding
  2. Receive Sandbox‑specific Client ID and Client Secret
  3. Submit Sandbox IP address ranges for allow‑listing
  4. Receive confirmation that allow‑listing is complete

API access will not be granted until IP allow‑listing has been approved, even if credentials have been issued.

Authentication Behavior

Authentication behavior in Sandbox matches Production behavior.

  • OAuth 2.0 client‑credentials flow is used
  • Access tokens are required for all API requests
  • Tokens are time‑limited and must be refreshed upon expiration

Implementation details are described in BaaS API Authentication. Sandbox does not introduce alternative authentication mechanisms or shortcuts.

Encryption Expectations in Sandbox

Field‑level encryption requirements in Sandbox are the same as in Production.

Important expectations:

  • Encryption is required for all fields marked as encrypted in the API reference
  • Plain‑text requests will fail for encrypted fields
  • Encrypted response fields must be decrypted by the partner
  • Encryption and decryption logic should be fully validated in Sandbox

Before testing encrypted endpoints, public encryption keys must be exchanged between Green Dot and the partner. Full technical details are available in Encryption in BaaS API.

Data Behavior and Persistence

Sandbox data behavior is intended for testing only and may differ from Production in the following ways:

  • Data may be reset, reused, or modified
  • Identifiers should not be assumed permanent
  • Test data may be synthetic or simulated
  • Persistence is not guaranteed

Integrations should be designed to handle data resets gracefully.

Supported Testing Activities

Sandbox is well suited for:

  • Functional integration testing
  • Verifying business logic and state transitions
  • Implementing encryption and decryption workflows
  • Validating error handling and edge cases

Sandbox is not designed to reflect Production scale, volume, or operational performance.

Promoting to Production

Before requesting or using Production access, partners should ensure they have:

  • Successfully authenticated and exercised required APIs in Sandbox
  • Implemented encryption and decryption where required
  • Validated error handling paths
  • Confirmed readiness for Production security and compliance requirements

Production access requires separate credentials and IP allow‑listing approval.

Summary

  • Sandbox is a safe, non‑production environment for integration testing
  • Behavior closely mirrors Production at the API level
  • No real customers or funds are involved
  • Separate credentials and IP allow‑listing are required
  • Encryption requirements apply in Sandbox as they do in Production
  • Sandbox should be used to validate integrations before Production use

Updated about 9 hours ago