Skip to content

docs: document Global Account sandbox magic values #405

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pengying merged 3 commits into from
Apr 28, 2026
Merged

docs: document Global Account sandbox magic values #405

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
9920049
docs: document Global Account sandbox magic values
pengying Apr 28, 2026
500045d
docs: include Global Account sandbox magic values on api-reference page
pengying Apr 28, 2026
b1c65d6
docs: restructure Global Account magic values by auth flow
pengying Apr 28, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions mintlify/api-reference/sandbox-testing.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ import SandboxTransferPatterns from '/snippets/sandbox-transfer-patterns.mdx';
import SandboxQuotePatterns from '/snippets/sandbox-quote-patterns.mdx';
import SandboxUmaAddresses from '/snippets/sandbox-uma-addresses.mdx';
import SandboxKybVerification from '/snippets/sandbox-kyb-verification.mdx';
import SandboxGlobalAccountMagic from '/snippets/sandbox-global-account-magic.mdx';

The Grid sandbox environment simulates real payment flows without moving real money. You can control test outcomes using special account number patterns and test addresses.

Expand Down Expand Up @@ -97,3 +98,7 @@ curl -X POST https://api.lightspark.com/grid/2025-10-13/sandbox/uma/receive \
"receivingCurrencyAmount": 5000
}'
```

## Global Account magic values

<SandboxGlobalAccountMagic />
7 changes: 7 additions & 0 deletions mintlify/global-p2p/platform-tools/sandbox-testing.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,9 @@ title: "Sandbox Testing"
icon: "/images/icons/hammer.svg"
"og:image": "/images/og/og-global-p2p.png"
---

import SandboxGlobalAccountMagic from '/snippets/sandbox-global-account-magic.mdx';

The Grid sandbox environment allows you to test your integration without making real payments. When you set up your account, you can configure production and sandbox API tokens. The sandbox token is specifically for testing and development purposes.
It corresponds to a separate platform instance in "sandbox" mode, which can only transact with the sandbox UMA addresses for testing.

Expand Down Expand Up @@ -224,6 +227,10 @@ curl -X GET "https://api.lightspark.com/grid/2025-10-13/receiver/\$non.existent.

Each of these will trigger appropriate error webhooks and status updates to help you test your error handling.

## Global Account magic values

<SandboxGlobalAccountMagic />

## Production vs Sandbox

Here are the key differences between production and sandbox environments:
Expand Down
5 changes: 5 additions & 0 deletions mintlify/payouts-and-b2b/platform-tools/sandbox-testing.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ import SandboxBeneficiaryVerification from '/snippets/sandbox-beneficiary-verifi
import SandboxExternalAccounts from '/snippets/sandbox-external-accounts.mdx';
import SandboxTransferPatterns from '/snippets/sandbox-transfer-patterns.mdx';
import SandboxQuotePatterns from '/snippets/sandbox-quote-patterns.mdx';
import SandboxGlobalAccountMagic from '/snippets/sandbox-global-account-magic.mdx';

## Overview

Expand Down Expand Up @@ -249,6 +250,10 @@ GET /transactions/{transactionId}
# Wait 30s, check again - will show FAILED
```

## Global Account magic values

<SandboxGlobalAccountMagic />

## Sandbox Limitations

While sandbox closely mimics production, there are some differences:
Expand Down
5 changes: 5 additions & 0 deletions mintlify/ramps/platform-tools/sandbox-testing.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ icon: "/images/icons/hammer.svg"
import SandboxBeneficiaryVerification from '/snippets/sandbox-beneficiary-verification.mdx';
import SandboxExternalAccounts from '/snippets/sandbox-external-accounts.mdx';
import SandboxTransferPatterns from '/snippets/sandbox-transfer-patterns.mdx';
import SandboxGlobalAccountMagic from '/snippets/sandbox-global-account-magic.mdx';

The Grid Sandbox environment provides a complete testing environment for ramp operations, allowing you to validate on-ramp and off-ramp flows without using real money or cryptocurrency.

Expand Down Expand Up @@ -371,6 +372,10 @@ curl -X POST 'https://api.lightspark.com/grid/2025-10-13/customers/external-acco
# Response: 400 Bad Request with validation error
```

## Global Account magic values

<SandboxGlobalAccountMagic />

## Moving to Production

When you're ready to move to production:
Expand Down
6 changes: 6 additions & 0 deletions mintlify/rewards/platform-tools/sandbox-testing.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,8 @@ icon: "/images/icons/hammer.svg"
"og:image": "/images/og/og-rewards.png"
---

import SandboxGlobalAccountMagic from '/snippets/sandbox-global-account-magic.mdx';

## Overview

The Grid sandbox environment allows you to test your rewards integration without moving real money or cryptocurrency. All API endpoints work the same way in sandbox as they do in production, but transactions are simulated and you can control test scenarios using special test values.
Expand Down Expand Up @@ -322,6 +324,10 @@ curl -X POST "https://api.lightspark.com/grid/2025-10-13/quotes" \
# Wait 30s, check again - will show FAILED
```

## Global Account magic values

<SandboxGlobalAccountMagic />

## Sandbox Limitations

While sandbox closely mimics production, there are some differences:
Expand Down
86 changes: 86 additions & 0 deletions mintlify/snippets/sandbox-global-account-magic.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
The Grid sandbox accepts a small set of magic values that bypass real auth and credential checks for Global Account flows, so you can exercise the full request shape without standing up Turnkey, WebAuthn, or an OIDC provider. These values are sandbox-only — production enforces real signature verification, WebAuthn assertion, and OIDC nonce binding.

A wrong magic value (or any other value) returns `401 UNAUTHORIZED` with a `reason` field that names the specific check that failed.

### Email OTP code

Pass `000000` as the body `otp` on `POST /auth/credentials/{id}/verify` when the credential type is `EMAIL_OTP`. The sandbox skips OTP delivery and accepts this value as a valid response to the issued challenge.

```bash
curl -X POST https://api.lightspark.com/grid/2025-10-13/auth/credentials/AuthMethod:abc123/verify \
-u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET" \
-H "Content-Type: application/json" \
-H "Request-Id: 7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21" \
-d '{
"type": "EMAIL_OTP",
"otp": "000000",
"clientPublicKey": "04f45f2a..."
}'
```

Any other code returns `401 UNAUTHORIZED` with `reason: "Invalid OTP code"`.

### Passkey assertion signature

Pass `sandbox-valid-passkey-signature` as `assertion.signature` on `POST /auth/credentials/{id}/verify` when the credential type is `PASSKEY`. The sandbox accepts the rest of the assertion as-is and skips the WebAuthn signature check.

```bash
curl -X POST https://api.lightspark.com/grid/2025-10-13/auth/credentials/AuthMethod:abc123/verify \
-u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET" \
-H "Content-Type: application/json" \
-H "Request-Id: 7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21" \
-d '{
"type": "PASSKEY",
"assertion": {
"credentialId": "...",
"clientDataJson": "...",
"authenticatorData": "...",
"signature": "sandbox-valid-passkey-signature"
},
"clientPublicKey": "04f45f2a..."
}'
```

Any other signature returns `401 UNAUTHORIZED` with `reason: "Invalid passkey signature"`. `clientPublicKey` is still required — the magic value bypasses the credential check, not the HPKE plumbing that seals the session signing key to the public key you supply.

### OAuth (OIDC) token

Pass `sandbox-valid-oidc-token` as the body `oidcToken` on both `POST /auth/credentials` (OAUTH create) and `POST /auth/credentials/{id}/verify` (OAUTH).
Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps Bot Apr 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Contradictory claim about OAUTH create magic value

The opening sentence says sandbox-valid-oidc-token works on both POST /auth/credentials (OAUTH create) and verify, but the Note immediately below corrects this and states it does not work for create — a properly structured JWT is required there. A developer reading the first sentence and using the magic value for the create call will get a 401 UNAUTHORIZED without any obvious reason until they read the Note carefully.

Consider updating the opening sentence to be accurate upfront, for example:

Suggested change
Pass `sandbox-valid-oidc-token` as the body `oidcToken` on both `POST /auth/credentials` (OAUTH create) and `POST /auth/credentials/{id}/verify` (OAUTH).
Pass `sandbox-valid-oidc-token` as the body `oidcToken` on `POST /auth/credentials/{id}/verify` (OAUTH). For `POST /auth/credentials` (OAUTH create), you must supply a JWT-shaped token — see the note below.
Prompt To Fix With AI 
This is a comment left during a code review.
Path: mintlify/snippets/sandbox-global-account-magic.mdx
Line: 48

Comment:
**Contradictory claim about OAUTH create magic value**

The opening sentence says `sandbox-valid-oidc-token` works on **both** `POST /auth/credentials` (OAUTH create) and verify, but the Note immediately below corrects this and states it does **not** work for create — a properly structured JWT is required there. A developer reading the first sentence and using the magic value for the create call will get a `401 UNAUTHORIZED` without any obvious reason until they read the Note carefully.

Consider updating the opening sentence to be accurate upfront, for example:
```suggestion
Pass `sandbox-valid-oidc-token` as the body `oidcToken` on `POST /auth/credentials/{id}/verify` (OAUTH). For `POST /auth/credentials` (OAUTH create), you must supply a JWT-shaped token — see the note below.
```

How can I resolve this? If you propose a fix, please make it concise.

Fix in Claude Code


```bash
curl -X POST https://api.lightspark.com/grid/2025-10-13/auth/credentials/AuthMethod:abc123/verify \
-u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET" \
-H "Content-Type: application/json" \
-H "Request-Id: 7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21" \
-d '{
"type": "OAUTH",
"oidcToken": "sandbox-valid-oidc-token",
"clientPublicKey": "04f45f2a..."
}'
```
Comment on lines +50 to +60
Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps Bot Apr 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Missing curl example for OAUTH create flow

The section states the magic value applies to both POST /auth/credentials (OAUTH create) and verify, but only provides a curl example for the verify endpoint. Given that the Note flags a meaningful gotcha for the create path (requiring a JWT-shaped token), a companion example showing how to construct the dummy JWT for create would substantially help developers avoid confusion.

Prompt To Fix With AI 
This is a comment left during a code review.
Path: mintlify/snippets/sandbox-global-account-magic.mdx
Line: 50-60

Comment:
**Missing curl example for OAUTH create flow**

The section states the magic value applies to both `POST /auth/credentials` (OAUTH create) and verify, but only provides a curl example for the verify endpoint. Given that the Note flags a meaningful gotcha for the create path (requiring a JWT-shaped token), a companion example showing how to construct the dummy JWT for create would substantially help developers avoid confusion.

How can I resolve this? If you propose a fix, please make it concise.

Fix in Claude Code


Any other token returns `401 UNAUTHORIZED` with `reason: "Invalid OIDC token"`.

<Note>
**OAUTH create still requires a JWT-shaped token.** On the initial `POST /auth/credentials` (OAUTH create), the `oidcToken` must be a structurally valid JWT (`header.payload.signature`) so Grid can decode the `iss` claim and resolve the provider name. The literal `sandbox-valid-oidc-token` works on `verify` but not on `create` — for `create`, sign your own dummy JWT with any payload that includes a recognized `iss` claim. The sandbox bypasses signature verification, not JWT structure parsing.
</Note>

### Wallet signature header

Pass `sandbox-valid-signature` as the `Grid-Wallet-Signature` HTTP header on any signed-retry flow:

- `POST /auth/credentials` (add-additional-credential signed retry)
- `DELETE /auth/credentials/{id}` (revoke credential)
- `DELETE /auth/sessions/{id}` (revoke session)
- `POST /internal-accounts/{id}/export` (export wallet)
- `POST /quotes/{quoteId}/execute` (when source is an embedded wallet)

```bash
curl -X POST https://api.lightspark.com/grid/2025-10-13/quotes/Quote:abc123/execute \
-u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET" \
-H "Content-Type: application/json" \
-H "Idempotency-Key: 7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21" \
-H "Grid-Wallet-Signature: sandbox-valid-signature"
```

Any other header value returns `401 UNAUTHORIZED` with `reason: "Invalid Grid-Wallet-Signature"`.
Loading