Skip to main content
The card network can’t reach into Sandbox to send real authorizations, so Sandbox exposes three simulate helpers that drive the same internal authorize and reconcile paths the issuer would call in production. Production returns 404 on these paths.
Outcomes are deterministic — driven by magic-value suffixes on the relevant id. The same approach is used by /sandbox/internal-accounts/{id}/fund.

Issuance suffixes (platformCardId)

The last three characters of platformCardId (or cardholderId when platformCardId is omitted) control how POST /cards resolves:

Funding-source suffixes (accountId)

Binding a funding source resolves based on the last three characters of accountId:

Authorization simulate

Outcomes are controlled by the last three characters of merchant.descriptor: The response is the resulting CardTransaction.

Clearing simulate

  • amount > authorizedAmount exercises the over-auth post-hoc pull path (restaurant tip / tip-on-top).
  • amount = 0 exercises AUTHORIZATION_EXPIRY — the auth expires with no clearing posted.
Suffix-driven outcomes on the parent transaction’s id govern whether the post-hoc pull succeeds — use them with the merchant descriptor suffixes above to construct deterministic exception scenarios.

Return simulate

A full refund flips the parent to REFUNDED; a partial refund keeps it SETTLED with a non-zero refundedAmount.

End-to-end happy path

A simple Sandbox loop that exercises issue → activate → auth → clear → refund:
At each step you’ll see CARD.STATE_CHANGE or CARD.FUNDING_SOURCE_CHANGE webhooks plus transaction webhooks for the simulated authorization, clearing, and return — wire those into your local webhook handler to validate end-to-end.