Skip to content

Sandbox and OpenAPI

What qualified teams receive after sandbox review: approved OpenAPI artifacts, sample data, webhook replay, SDK expectations, and launch-gate evidence.

GuideUpdated June 3, 2026
GuideUpdated June 3, 2026

Public guide vs sandbox

Mozaca exposes representative API shapes publicly so engineering teams can evaluate the operating model early.

Approved OpenAPI documents, sandbox credentials, SDK access, and test data are issued through controlled access once product, jurisdiction, rail, and compliance scope are aligned.

The sandbox packet, not the public guide, is the integration source of truth for a qualified environment: schemas, event behavior, seed data, webhook secrets, and launch gates.

Sandbox packet

A qualified sandbox review should include enough material for an engineering team to build without guessing at state transitions or event behavior.

ArtifactPurposeStatus
OpenAPI specEndpoint, schema, auth, and error contractIssued during review
Postman or Bruno collectionFast endpoint explorationIssued during review
Webhook signing secretSignature verification and replay testsIssued during review
Seed dataWallets, accounts, approvals, rails, and eventsIssued during review
SDKsTyped helpers for auth, retries, and webhooksPlanned access tier

Test data

Sandbox data should model the states that break real launches: pending funding, failed rail submission, compliance holds, duplicate idempotency keys, webhook retry, reconciliation exceptions, and reversed transfers.

  • Use test phone numbers and rail references only.
  • Never upload production identity documents into sandbox unless the agreement explicitly allows it.
  • Keep test webhooks pointed at infrastructure your team owns.

Promotion to pilot

Sandbox completion feeds the pilot approval path: operating entity, rail approval, compliance model, support path, monitoring, and evidence exports.

Related docs