Sandbox vs production
Move a 0Gate integration from sandbox testing to live mode without mixing keys, records, capabilities, or support assumptions.
Sandbox mode proves that your integration shape works. It does not prove that a live product, country, asset, method, fee, support tier, or compliance statement is approved for production. Treat production as a controlled cutover with separate keys, origins, webhooks, capabilities, and support runbooks.
Cutover model
Sandbox checklist
| Area | Pass condition |
|---|---|
| Session creation | Your server creates sessions with sk_test_* and idempotency keys. |
| Embed or redirect | Browser/mobile uses only pk_test_* and client_secret. |
| Webhook verification | Raw-body signature verification works and duplicate event ids are ignored. |
| Return pages | Success/cancel routes read backend state rather than trusting navigation. |
| Failure handling | Pending, failed, cancelled, and expired attempts are visible to users and support. |
| Logs | No secret keys, webhook secrets, raw identity payloads, bank details, or provider payloads. |
Production checklist
| Area | Requirement |
|---|---|
| Live keys | Store sk_live_*, pk_live_*, and whsec_* separately from test values. |
| Allowed origins | Register exact production origins before launch. |
| Webhook URL | Use a stable HTTPS endpoint with monitoring and alerting. |
| Capabilities | Confirm country, currency, asset, method, payout, and eligibility behavior for live mode. |
| Product copy | Use approved wording for availability, KYC/KYB, fees, spreads, support, and settlement. |
| Support | Prepare escalation with session id, event id, transaction ref, request id, and support@0bit.io. |
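A preflight check for the key, origin, and webhook rows above can run at deploy time and block a cutover that mixes modes. This is an added example, not 0Gate code: the config field names, the sample values, and the character set assumed for key bodies are hypothetical; only the key prefixes come from this page.

```python
import re
from urllib.parse import urlsplit

# Prefixes as written on this page; field names below are illustrative assumptions.
PREFIXES = {"live": ("sk_live_", "pk_live_"), "test": ("sk_test_", "pk_test_")}
# Assumed key body charset; pk_* is publishable, so only sk_* and whsec_* are masked.
SECRET_RE = re.compile(r"\b(sk_(?:live|test)_|whsec_)[A-Za-z0-9]+")

# Constructed sample config (not real credentials).
SAMPLE_LIVE = {
    "mode": "live",
    "secret_key": "sk_live_CONSTRUCTED1",
    "publishable_key": "pk_live_CONSTRUCTED2",
    "webhook_secret": "whsec_CONSTRUCTED3",
    "test_webhook_secret": "whsec_CONSTRUCTED4",
    "webhook_url": "https://api.example.com/hooks/0gate",
    "allowed_origins": ["https://app.example.com"],
}

def preflight(cfg):
    """Return a list of cutover problems; an empty list means the config is consistent."""
    mode = cfg.get("mode")
    if mode not in PREFIXES:
        return [f"unknown mode {mode!r}"]
    problems = []
    sk_prefix, pk_prefix = PREFIXES[mode]
    if not cfg.get("secret_key", "").startswith(sk_prefix):
        problems.append(f"secret_key is not a {sk_prefix}* key")
    if not cfg.get("publishable_key", "").startswith(pk_prefix):
        problems.append(f"publishable_key is not a {pk_prefix}* key")
    secret = cfg.get("webhook_secret", "")
    if not secret.startswith("whsec_"):
        problems.append("webhook_secret is not a whsec_* value")
    if mode == "live":
        # whsec_* shows no mode in its prefix here, so compare with the known test value.
        if secret and secret == cfg.get("test_webhook_secret"):
            problems.append("live webhook_secret reuses the test value")
        hook = urlsplit(cfg.get("webhook_url", ""))
        if hook.scheme != "https" or not hook.hostname:
            problems.append("webhook_url must be an HTTPS URL")
        origins = cfg.get("allowed_origins", [])
        if not origins:
            problems.append("no allowed origins registered")
        for origin in origins:
            o = urlsplit(origin)
            exact = (o.scheme == "https" and o.hostname and "*" not in origin
                     and o.path in ("", "/") and not o.query)
            if not exact:
                problems.append(f"origin {origin!r} is not an exact HTTPS origin")
    return problems

def redact(line):
    """Mask secret-looking tokens before a line reaches logs."""
    return SECRET_RE.sub(lambda m: m.group(1) + "[REDACTED]", line)
```

Fail the deploy when `preflight` returns a non-empty list, and pass log lines through `redact` before they leave the process.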
Do not assume
- Sandbox success means live money movement is enabled.
- Test quote values are production pricing.
- The existence of a code path means every partner or region can use it.
- A browser success callback means settlement is complete.
- Internal docs, tests, or fixtures are approved public product claims.
Go-live smoke test
- Create a live-mode session from the production backend.
- Open the hosted flow from a production allowed origin.
- Confirm webhook signature verification on the live endpoint.
- Confirm duplicate event handling.
- Confirm return and cancel pages render backend state.
- Confirm support can search by order id, 0Gate session id, event id, and request id.