diff --git a/mintlify/api-reference/sandbox-testing.mdx b/mintlify/api-reference/sandbox-testing.mdx
index 9313ecd8..d73d723b 100644
--- a/mintlify/api-reference/sandbox-testing.mdx
+++ b/mintlify/api-reference/sandbox-testing.mdx
@@ -11,6 +11,7 @@ import SandboxTransferPatterns from '/snippets/sandbox-transfer-patterns.mdx';
import SandboxQuotePatterns from '/snippets/sandbox-quote-patterns.mdx';
import SandboxUmaAddresses from '/snippets/sandbox-uma-addresses.mdx';
import SandboxKybVerification from '/snippets/sandbox-kyb-verification.mdx';
+import SandboxGlobalAccountMagic from '/snippets/sandbox-global-account-magic.mdx';
The Grid sandbox environment simulates real payment flows without moving real money. You can control test outcomes using special account number patterns and test addresses.
@@ -97,3 +98,7 @@ curl -X POST https://api.lightspark.com/grid/2025-10-13/sandbox/uma/receive \
"receivingCurrencyAmount": 5000
}'
```
+
+## Global Account magic values
+
+
diff --git a/mintlify/global-p2p/platform-tools/sandbox-testing.mdx b/mintlify/global-p2p/platform-tools/sandbox-testing.mdx
index ef159f09..ae1a6967 100644
--- a/mintlify/global-p2p/platform-tools/sandbox-testing.mdx
+++ b/mintlify/global-p2p/platform-tools/sandbox-testing.mdx
@@ -3,6 +3,9 @@ title: "Sandbox Testing"
icon: "/images/icons/hammer.svg"
"og:image": "/images/og/og-global-p2p.png"
---
+
+import SandboxGlobalAccountMagic from '/snippets/sandbox-global-account-magic.mdx';
+
The Grid sandbox environment allows you to test your integration without making real payments. When you set up your account, you can configure production and sandbox API tokens. The sandbox token is specifically for testing and development purposes.
It corresponds to a separate platform instance in "sandbox" mode, which can only transact with the sandbox UMA addresses for testing.
@@ -224,6 +227,10 @@ curl -X GET "https://api.lightspark.com/grid/2025-10-13/receiver/\$non.existent.
Each of these will trigger appropriate error webhooks and status updates to help you test your error handling.
+## Global Account magic values
+
+
+
## Production vs Sandbox
Here are the key differences between production and sandbox environments:
diff --git a/mintlify/payouts-and-b2b/platform-tools/sandbox-testing.mdx b/mintlify/payouts-and-b2b/platform-tools/sandbox-testing.mdx
index 3e415f27..eb5cdd4c 100644
--- a/mintlify/payouts-and-b2b/platform-tools/sandbox-testing.mdx
+++ b/mintlify/payouts-and-b2b/platform-tools/sandbox-testing.mdx
@@ -9,6 +9,7 @@ import SandboxBeneficiaryVerification from '/snippets/sandbox-beneficiary-verifi
import SandboxExternalAccounts from '/snippets/sandbox-external-accounts.mdx';
import SandboxTransferPatterns from '/snippets/sandbox-transfer-patterns.mdx';
import SandboxQuotePatterns from '/snippets/sandbox-quote-patterns.mdx';
+import SandboxGlobalAccountMagic from '/snippets/sandbox-global-account-magic.mdx';
## Overview
@@ -249,6 +250,10 @@ GET /transactions/{transactionId}
# Wait 30s, check again - will show FAILED
```
+## Global Account magic values
+
+
+
## Sandbox Limitations
While sandbox closely mimics production, there are some differences:
diff --git a/mintlify/ramps/platform-tools/sandbox-testing.mdx b/mintlify/ramps/platform-tools/sandbox-testing.mdx
index 16fff472..1a878952 100644
--- a/mintlify/ramps/platform-tools/sandbox-testing.mdx
+++ b/mintlify/ramps/platform-tools/sandbox-testing.mdx
@@ -8,6 +8,7 @@ icon: "/images/icons/hammer.svg"
import SandboxBeneficiaryVerification from '/snippets/sandbox-beneficiary-verification.mdx';
import SandboxExternalAccounts from '/snippets/sandbox-external-accounts.mdx';
import SandboxTransferPatterns from '/snippets/sandbox-transfer-patterns.mdx';
+import SandboxGlobalAccountMagic from '/snippets/sandbox-global-account-magic.mdx';
The Grid Sandbox environment provides a complete testing environment for ramp operations, allowing you to validate on-ramp and off-ramp flows without using real money or cryptocurrency.
@@ -371,6 +372,10 @@ curl -X POST 'https://api.lightspark.com/grid/2025-10-13/customers/external-acco
# Response: 400 Bad Request with validation error
```
+## Global Account magic values
+
+
+
## Moving to Production
When you're ready to move to production:
diff --git a/mintlify/rewards/platform-tools/sandbox-testing.mdx b/mintlify/rewards/platform-tools/sandbox-testing.mdx
index d8013819..b83f588d 100644
--- a/mintlify/rewards/platform-tools/sandbox-testing.mdx
+++ b/mintlify/rewards/platform-tools/sandbox-testing.mdx
@@ -5,6 +5,8 @@ icon: "/images/icons/hammer.svg"
"og:image": "/images/og/og-rewards.png"
---
+import SandboxGlobalAccountMagic from '/snippets/sandbox-global-account-magic.mdx';
+
## Overview
The Grid sandbox environment allows you to test your rewards integration without moving real money or cryptocurrency. All API endpoints work the same way in sandbox as they do in production, but transactions are simulated and you can control test scenarios using special test values.
@@ -322,6 +324,10 @@ curl -X POST "https://api.lightspark.com/grid/2025-10-13/quotes" \
# Wait 30s, check again - will show FAILED
```
+## Global Account magic values
+
+
+
## Sandbox Limitations
While sandbox closely mimics production, there are some differences:
diff --git a/mintlify/snippets/sandbox-global-account-magic.mdx b/mintlify/snippets/sandbox-global-account-magic.mdx
new file mode 100644
index 00000000..e014e2a5
--- /dev/null
+++ b/mintlify/snippets/sandbox-global-account-magic.mdx
@@ -0,0 +1,86 @@
+The Grid sandbox accepts a small set of magic values that bypass real auth and credential checks for Global Account flows, so you can exercise the full request shape without standing up Turnkey, WebAuthn, or an OIDC provider. These values are sandbox-only — production enforces real signature verification, WebAuthn assertion, and OIDC nonce binding.
+
+A wrong magic value (or any other value) returns `401 UNAUTHORIZED` with a `reason` field that names the specific check that failed.
+
+### Email OTP code
+
+Pass `000000` as the body `otp` on `POST /auth/credentials/{id}/verify` when the credential type is `EMAIL_OTP`. The sandbox skips OTP delivery and accepts this value as a valid response to the issued challenge.
+
+```bash
+curl -X POST https://api.lightspark.com/grid/2025-10-13/auth/credentials/AuthMethod:abc123/verify \
+ -u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET" \
+ -H "Content-Type: application/json" \
+ -H "Request-Id: 7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21" \
+ -d '{
+ "type": "EMAIL_OTP",
+ "otp": "000000",
+ "clientPublicKey": "04f45f2a..."
+ }'
+```
+
+Any other code returns `401 UNAUTHORIZED` with `reason: "Invalid OTP code"`.
+
+### Passkey assertion signature
+
+Pass `sandbox-valid-passkey-signature` as `assertion.signature` on `POST /auth/credentials/{id}/verify` when the credential type is `PASSKEY`. The sandbox accepts the rest of the assertion as-is and skips the WebAuthn signature check.
+
+```bash
+curl -X POST https://api.lightspark.com/grid/2025-10-13/auth/credentials/AuthMethod:abc123/verify \
+ -u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET" \
+ -H "Content-Type: application/json" \
+ -H "Request-Id: 7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21" \
+ -d '{
+ "type": "PASSKEY",
+ "assertion": {
+ "credentialId": "...",
+ "clientDataJson": "...",
+ "authenticatorData": "...",
+ "signature": "sandbox-valid-passkey-signature"
+ },
+ "clientPublicKey": "04f45f2a..."
+ }'
+```
+
+Any other signature returns `401 UNAUTHORIZED` with `reason: "Invalid passkey signature"`. `clientPublicKey` is still required — the magic value bypasses the credential check, not the HPKE plumbing that seals the session signing key to the public key you supply.
+
+### OAuth (OIDC) token
+
+Pass `sandbox-valid-oidc-token` as the body `oidcToken` on both `POST /auth/credentials` (OAUTH create) and `POST /auth/credentials/{id}/verify` (OAUTH).
+
+```bash
+curl -X POST https://api.lightspark.com/grid/2025-10-13/auth/credentials/AuthMethod:abc123/verify \
+ -u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET" \
+ -H "Content-Type: application/json" \
+ -H "Request-Id: 7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21" \
+ -d '{
+ "type": "OAUTH",
+ "oidcToken": "sandbox-valid-oidc-token",
+ "clientPublicKey": "04f45f2a..."
+ }'
+```
+
+Any other token returns `401 UNAUTHORIZED` with `reason: "Invalid OIDC token"`.
+
+
+ **OAUTH create still requires a JWT-shaped token.** On the initial `POST /auth/credentials` (OAUTH create), the `oidcToken` must be a structurally valid JWT (`header.payload.signature`) so Grid can decode the `iss` claim and resolve the provider name. The literal `sandbox-valid-oidc-token` works on `verify` but not on `create` — for `create`, sign your own dummy JWT with any payload that includes a recognized `iss` claim. The sandbox bypasses signature verification, not JWT structure parsing.
+
+
+### Wallet signature header
+
+Pass `sandbox-valid-signature` as the `Grid-Wallet-Signature` HTTP header on any signed-retry flow:
+
+- `POST /auth/credentials` (add-additional-credential signed retry)
+- `DELETE /auth/credentials/{id}` (revoke credential)
+- `DELETE /auth/sessions/{id}` (revoke session)
+- `POST /internal-accounts/{id}/export` (export wallet)
+- `POST /quotes/{quoteId}/execute` (when source is an embedded wallet)
+
+```bash
+curl -X POST https://api.lightspark.com/grid/2025-10-13/quotes/Quote:abc123/execute \
+ -u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET" \
+ -H "Content-Type: application/json" \
+ -H "Idempotency-Key: 7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21" \
+ -H "Grid-Wallet-Signature: sandbox-valid-signature"
+```
+
+Any other header value returns `401 UNAUTHORIZED` with `reason: "Invalid Grid-Wallet-Signature"`.