Skip to main content

What the sandbox does

The Conduit sandbox cluster (https://api.sandbox.conduit.financial) mirrors production with three differences designed to make integration safe and deterministic: Sandbox is fully isolated: no real chain activity, no third-party calls. You get deterministic outcomes and synthetic artifacts that match the shape of real ones.
  1. Compliance and Travel Rule are isolated. Sandbox builds never reach upstream compliance services. Outcomes are determined locally by your request data — specifically, by the destination address suffix, fiat account-number suffix, or magic bankName value you submit.
  2. Chain broadcast is isolated. Sandbox does not sign or broadcast to any chain. Withdrawals receive a deterministic synthetic txHash shaped like a real one, but nothing is wired to a public network and the hash is not visible on any explorer.
  3. Scenario forcing via magic values. Specific address suffixes, account-number suffixes, and magic field values deterministically trigger compliance, Travel Rule, and chain outcomes. See the per-flow guides below.
Your sandbox API key is scoped to your sandbox organization and never reaches production.

Sandbox vs. production at a glance

FeatureSandboxProduction
API key formatck_sandbox_...ck_live_...
Compliance screeningIsolated; outcome from address suffix, account-number suffix, or magic bankNameReal upstream call
Travel RuleIsolated; counterparty webhook auto-fires after 10sReal VASP resolution
Wallet signingIsolated; payouts/:id/simulate/cosign only (no auto-pilot)Customer passkey via verify page
Chain broadcastSynthetic txHash; no real chainMainnet/testnet per asset config
Chain finality (custodial)POST /v2/sandbox/payouts/:id/simulate/confirmReal chain confirmation (~minutes)
Chain finality after non-custodial APPROVEDAuto-resolves within ~5s via background autopilot; no simulate/confirm neededReal chain confirmation (~minutes)
Fiat settlementPOST payouts/:id/simulate/settledReal rail settlement
Idempotency-key TTL300 seconds (5 minutes)300 seconds (5 minutes)
Webhook signaturesSame HMAC-SHA256 as productionHMAC-SHA256
Rate ingestionIsolated (stable quotes; use orders/:id/simulate/rate-lock-expired to test expiry)Live FX market
Sender-info: payload daysRemaining / deadlineAtAlways 30 days (live-equivalent)Always 30 days
Sender-info: auto-timeout~30 seconds (sandbox internal timer)30 days
KYC/KYB decisionsPOST /v2/sandbox/applications/:id/simulate/decision with body { "outcome": "approved" } or { "outcome": "rejected" }Real review pipeline
Sandbox does not auto-resolve cosign. Call POST /v2/sandbox/payouts/:id/simulate/cosign with { "outcome": "approved" } explicitly after creating a non-custodial payout, or the payout parks indefinitely at the cosign gate. Production requires a real customer signature; sandbox mirrors that requirement.
Sandbox-only conveniences (not behavior you get in production).
  1. Ops liquidity is on-demand. The ops accounts behind every payout (the crypto ops wallet for crypto, the banking-provider account for fiat) are auto-provisioned on first use. Production requires the operator to pre-seed liquidity; sandbox does not. Your first payout never hits an ops 503.
  2. POST /v2/customers/:id/wallets absorbs the provider-account provisioning race (up to about 5 second bounded poll), so you can call it immediately after enabling the CRYPTO_WALLET feature.
  3. orders/:id/simulate/rate-lock-expired cancels orders in about 3 seconds via an immediate sweep tick (not the 30-second scheduled sweep).
  4. Forced-failure reasons round-trip 1:1. transactions/:id/simulate/terminal { outcome: "failed", reason }, orders/:id/simulate/conversion-failed { reason }, and address-suffix scenarios all flow the operator-supplied text to the polled GET and to the webhook payload identically.
  5. Force-failing a payout at the cosign gate releases the cosign lock immediately; the next payout on the same wallet is accepted within milliseconds.

Where to start

New to the sandbox? Follow the Quickstart to complete your first end-to-end transaction in under 5 minutes. For detailed guides on each transaction type:
  • Deposits — fiat and crypto deposit simulation, suffix catalog, sender-information gate
  • Withdrawals — crypto and fiat withdrawal simulation, chain and cosign scenarios
  • Conversions — the FX conversion leg inside orders, rate-stale and provider-unavailable paths
  • Onramps — fiat-in to crypto-out orders, full lifecycle
  • Offramps — crypto-in to fiat-out orders, full lifecycle
Each per-flow page above covers happy paths plus the failure scenarios specific to that flow (deposit AML, withdrawal cosign, conversion failures, etc.). Copy-paste recipes live inline in those pages.

Driving scenarios

Four mechanisms cover every meaningful failure mode:
  • Crypto destination address suffix (last 8 hex chars on EVM; last 8 Base58 chars on Tron/Solana) — drives compliance and Travel Rule outcomes for crypto withdrawals. See Withdrawal failure paths and Travel Rule scenarios.
  • Fiat account-number suffix (last 8 digits of recipient.accountNumber for payouts, or senderInfo.accountNumber for source deposits) — drives settlement outcomes for fiat payouts and source-funding compliance outcomes for fiat source deposits. See Withdrawals, Deposits, and ONRAMP orders.
  • autoPayout.recipient.bankName magic value (SANDBOX_AML_REJECTED, SANDBOX_AML_SANCTIONED) — drives compliance outcomes on the fiat payout leg of OFFRAMP orders. See Offramps.
  • POST /v2/sandbox/.../simulate/* endpoints — advance asynchronous state without waiting for automatic timers: chain finality (payouts/:id/simulate/confirm), fiat settlement (payouts/:id/simulate/settled), order-level failure (orders/:id/simulate/conversion-failed), rate-lock expiry (orders/:id/simulate/rate-lock-expired), counterparty webhook overrides (payouts/:id/simulate/counterparty-webhook), and transaction-level terminal simulation (transactions/:id/simulate/terminal) for withdrawals, deposits, onramps, and offramps. Internal-transfer rows are not simulatable. Conduit-internal movements (conversion legs, ops-to-ops sweeps) settle automatically; their failure paths are still testable via the suffix protocol or armed failure knobs at create-time. See Withdrawal failure paths + chain reference.
Address/account-number suffixes set the desired terminal state at creation time; simulate-* endpoints let you inject failures or pre-empt any auto-pilot timer for fine control.

Notes

  • Suffixes are matched against the last 8 characters of the rail-canonical destination address (lowercased hex for EVM; Base58 verbatim for Tron and Solana).
  • Magic suffixes are sandbox-only. Sending the same address against the live API screens through real compliance and Travel Rule services — the suffix has no meaning there.
  • Real-customer collision probability for an 8-char hex suffix is ~1 in 4.3 billion. Don’t use magic suffixes in production address books.
  • The Sandbox tab of the OpenAPI reference enumerates every sandbox-only endpoint. Live API consumers never see them.

See also