Environments
Understand sandbox, production, endpoint, credential, and deployment configuration.
Understand sandbox, production, endpoint, credential, and deployment configuration.
Documentation boundary
Configuration pages explain how to separate environments, keys, SDK setup, webhook signing, and idempotent retry behavior. They should make integration safer without publishing internal infrastructure, secrets, or privileged operational procedures.
What this page covers
- Environments
- Environment, credential, webhook, and deployment setup
- Environment status, webhook delivery, and retry boundaries
How it fits
Configuration pages explain how to separate environments, keys, SDK setup, webhook signing, and idempotent retry behavior. They should make integration safer without publishing internal infrastructure, secrets, or privileged operational procedures.
Workflow
- Separate sandbox and live configuration in code and deployment secrets.
- Store server-only values in a secret manager and expose only browser-safe values to clients.
- Configure allowed origins, redirect URLs, and webhook endpoints for deployed domains.
- Verify webhooks against raw request bodies and handle duplicate event ids.
- Monitor API errors, webhook failures, reconciliation gaps, and unexpected status transitions.
Status and data signals
| Signal | Use it for | Do not use it for |
|---|---|---|
| Environment | Sandbox or live mode. | Mixed keys and hosts. |
| Credential type | Publishable, secret, webhook secret, or session-scoped value. | Secret in browser bundles. |
| Idempotency key | Write deduplication across retries. | New key for same logical write. |
| Webhook signature | Authenticity check. | Parsed unsigned payload. |
Implementation notes
- Start in sandbox or test mode with fake data.
- Keep server-only credentials, webhook secrets, PII, provider payloads, and internal runbooks out of public docs and browser code.
- Use documented ids, request ids, event ids, timestamps, status fields, asset symbols, and environment names for support and reconciliation.
- Treat browser callbacks as user-experience signals; use signed webhooks, API reads, scan records, or settlement reports for durable backend state.
- Confirm product access, entitlement, regional availability, and review status before presenting the workflow as live.
Related pages
Authentication
Review credential types, server boundaries, and request authentication.
Webhook signing
Review setup details before building in sandbox or live mode.
Test and go live
Use the launch checklist before switching to production credentials.
Security model
Review key handling, webhook verification, and production controls.
Example trace
A configuration issue usually shows up as a mode mismatch, missing entitlement, failed webhook verification, duplicate write, or unreachable redirect/origin. Start by confirming the host, key prefix, deployment environment, allowed origin, webhook URL, webhook secret, and idempotency key behavior. Then reproduce in sandbox with fake data before changing live configuration. Configuration docs should make those checks obvious so developers do not debug product logic when the problem is environment setup.