2 min read
Layer 1: public smoke test
Before anything else, confirm the ring is reachable and your assumptions about shapes hold — three unauthenticated calls (healthz, products, quote). This catches connectivity and CORS problems in seconds, with no credentials.
Layer 2: the sandbox project
Build partner flows against the sandbox project — its own credentials and its own bucket, fixed at the build tier — so a test run never touches live data or quotas. Verify auth, application submission, decision reads and payment provisioning end to end here.
Layer 3: failure paths
Test the unhappy paths deliberately: force a 429 to check your back-off, send an out-of-range quote to exercise your 422 handling, and replay a webhook to prove your consumer is idempotent. Gate your release on all three layers passing.
Frequently asked questions
Can I load-test against the sandbox?
Not meaningfully — sandbox is fixed at the build tier (10 req/s) for correctness, not throughput. Test logic there; test scale against live within your tier's ceiling and during a low-traffic window.
How do I test my webhook handler?
Replay a delivery (or send a duplicate) and assert your handler verifies the signature, de-duplicates on the event ID, and is a no-op on the replay. Also feed it a bad signature and assert it rejects with a 400.
Related reading

Environments and the sandbox
Partner integrations get an independent sandbox project with its own OAuth client and its own rate-limit…
Read →
Errors, status codes and safe retries
Errors come back as JSON with a stable machine code and a human message. 4xx means fix the request; 429/5xx…
Read →Funding for UK limited companies
Credicorp lends to your company, not to you personally — short-term working capital with no personal guarantee. See what your business could access.