Production and Sandbox Testing
Production practices
- Keep `clientSecret` in backend-only secret storage.
- Never expose credentials in frontend code.
- Use HTTPS only.
- Verify webhook signatures using raw body.
- Make webhook handlers idempotent.
- Rotate API credentials on schedule.
- Refresh expired payment tokens using `sessionTokenProvider`.
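The raw-body signature check and the idempotency item above, as an added example (not code from this provider's SDK). It assumes a hex HMAC-SHA256 signature over the raw request bytes; the secret, the `id` event field, the function names and the in-memory store are hypothetical.

```javascript
// Added example. Assumed scheme: hex HMAC-SHA256 over the raw request body.
// Secret, event fields and the in-memory store are hypothetical placeholders.
const crypto = require("crypto");

const WEBHOOK_SECRET = "constructed-test-secret"; // real use: load from backend secret storage
const processedEvents = new Set(); // real use: durable store with a unique key on event id

function sign(rawBody, secret) {
  return crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
}

function verifySignature(rawBody, signatureHex, secret) {
  // Reject anything that is not exactly 32 bytes of hex before comparing.
  if (typeof signatureHex !== "string" || !/^[0-9a-f]{64}$/i.test(signatureHex)) return false;
  const expected = crypto.createHmac("sha256", secret).update(rawBody).digest();
  return crypto.timingSafeEqual(expected, Buffer.from(signatureHex, "hex"));
}

// Returns an HTTP-style status and the action taken, so sender retries can be acknowledged safely.
function handleWebhook(rawBody, signatureHex, secret = WEBHOOK_SECRET) {
  if (!Buffer.isBuffer(rawBody)) throw new TypeError("rawBody must be the unparsed request bytes");
  if (!verifySignature(rawBody, signatureHex, secret)) return { status: 401, action: "rejected" };
  let event;
  try {
    event = JSON.parse(rawBody.toString("utf8")); // parse only after the bytes are authenticated
  } catch {
    return { status: 400, action: "malformed" };
  }
  if (!event || typeof event.id !== "string") return { status: 400, action: "malformed" };
  if (processedEvents.has(event.id)) return { status: 200, action: "duplicate" };
  processedEvents.add(event.id);
  // Apply the side effect (for example, mark the order paid) exactly once here.
  return { status: 200, action: "processed" };
}

// Constructed sample delivery; note the spacing inside the JSON text.
const sampleBody = Buffer.from('{"id": "evt_001",  "type": "payment.succeeded"}');
const sampleSig = sign(sampleBody, WEBHOOK_SECRET);
// Parsing and re-serializing changes the bytes, so the same signature no longer verifies.
const reserialized = Buffer.from(JSON.stringify(JSON.parse(sampleBody.toString("utf8"))));
```

In a web framework, capture the body as bytes for the webhook route before any JSON middleware runs, and pass those bytes to `handleWebhook`.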
Sandbox test cards
Use for sandbox testing only.
Important notes:
- If CVV is required and not specified, use any random CVV.
- AMEX CVV is 4 digits.
- Expiry date can be any future date for regular sandbox tests.
- Use invalid/expired dates only for failure testing scenarios.
| Brand/Type | Number | Expiry (example) | CVV | Country/Currency | Expected Result |
|---|---|---|---|---|---|
| Amex | 374245455400126 | 05/2026 | (any) | - | Success |
| Amex | 378282246310005 | 05/2026 | (any) | - | Failure |
| China UnionPay | 6250941006528599 | 06/2026 | (any) | CN / USD | Success |
| Discover | 6011000991300009 | 12/2026 | (any) | US / USD | Success |
| JCB | 3566000020000410 | 02/2026 | 123 | JP / JPY | Success |
| JCB | 3530111333300000 | 03/2026 | (any) | JP / JPY | Failure |
| Mastercard | 5425233430109903 | 04/2026 | (any) | - | Success |
| Mastercard | 2223000048410010 | 09/2026 | (any) | - | Success |
| Visa | 4263982640269299 | 02/2026 | 837 | - | Success |
| Visa Debit Card | 4701322211111234 | 12/2026 | 837 | - | Success |
| Visa Debit Card | 4347699988887777 | 01/2026 | 555 | - | Failure |