Fonlok
Sandbox environment

Build on Fonlok.
Test without limits.

The Fonlok sandbox gives you a full-fidelity, isolated API environment to test every payment flow before going live. No real money moves. No production data is touched.

Sandbox only. This environment does not process real payments. No real MTN or Orange Money transactions will be initiated.

How the sandbox works

Everything you need to know before writing your first API call.

Isolated from production

Sandbox invoices, payments, and transactions are stored in dedicated tables that are completely separate from live data. Your production database is never touched.

Deterministic test flows

Payments stay pending until you explicitly confirm or fail them. This lets you test success paths, failure paths, and timeout scenarios independently and repeatably.

Full API fidelity

The sandbox uses the same request and response shapes as the production API. Code you write against the sandbox requires no changes to run in production — just swap the key.

Authenticated with scoped keys

Each sandbox key (sk_test_*) is tied to your account and can be revoked independently. Keys are stored as SHA-256 hashes — the full value is shown once and never stored again.

Predictable rate limits

The sandbox allows 60 requests per minute per API key — well above what a human or a CI pipeline needs, but low enough to protect shared infrastructure from runaway scripts.

Error responses match production

Validation errors, 404s, and rate limit responses use exactly the same shape in the sandbox and in production. Your error-handling code works identically in both environments.

Authentication

All sandbox requests are authenticated with a Bearer token. Pass your sandbox key in the Authorization header on every request.

HTTP header
Authorization: Bearer sk_test_a1b2c3d4...

Key format

sk_test_ + 32 hex chars (40 chars total)

Key storage

SHA-256 hash only — never stored in plain text

Key scope

Sandbox-only, per-user, independently revocable

Rate limit

60 requests / minute per key
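
The hash-only key storage described above, sketched as an added example; this is not Fonlok's code. The SandboxKeyStore class, its in-memory dict, lowercase hex, and revocation by row removal are assumptions made for illustration.

```python
import hashlib
import re
import secrets

# Key format from this page: "sk_test_" + 32 hex chars (40 chars total).
# Lowercase hex is an assumption based on the sample key shown above.
KEY_RE = re.compile(r"sk_test_[0-9a-f]{32}")


class SandboxKeyStore:
    """Hypothetical in-memory stand-in for a key table; not Fonlok's code."""

    def __init__(self):
        self._rows = {}  # SHA-256 hex digest -> {"user": ..., "label": ...}

    @staticmethod
    def _digest(key):
        return hashlib.sha256(key.encode("utf-8")).hexdigest()

    def issue(self, user, label):
        # 16 random bytes give 32 hex chars (128 bits). That entropy is why an
        # unsalted fast hash is acceptable for keys, unlike for passwords.
        key = "sk_test_" + secrets.token_hex(16)
        self._rows[self._digest(key)] = {"user": user, "label": label}
        return key  # shown to the caller once; only the digest is retained

    def authenticate(self, authorization_header):
        scheme, _, token = authorization_header.partition(" ")
        # Reject anything that is not a well-formed sandbox key before hashing.
        if scheme.lower() != "bearer" or not KEY_RE.fullmatch(token):
            return None
        return self._rows.get(self._digest(token))

    def revoke(self, key):
        # Assumption: revocation removes the row, so the key stops working at once.
        return self._rows.pop(self._digest(key), None) is not None


if __name__ == "__main__":
    store = SandboxKeyStore()
    key = store.issue("dev@example.com", "Local development")  # constructed sample
    print(store.authenticate("Bearer " + key))               # row for the new key
    print(store.authenticate("Bearer sk_live_" + "0" * 32))  # None: wrong prefix
    store.revoke(key)
    print(store.authenticate("Bearer " + key))               # None after revocation
```

Because only the digest is kept, a lost key cannot be recovered from the store; it has to be revoked and reissued.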

Quick start

Run a complete payment lifecycle in under five minutes.

  1. Create a sandbox key

     Scroll down to the "API keys" section, sign in if prompted, and click "Generate key". Give it a descriptive label so you can identify it later.

  2. Ping the sandbox

     Paste your key into the explorer below and run GET /sandbox/ping. A 200 response with status: "ok" confirms your key is valid and the sandbox is reachable.

  3. Create a test invoice

     Call POST /sandbox/invoices with a title, amount, and seller email. Note the invoice id (inv_test_...) returned — you'll need it in the next step.

  4. Simulate a payment

     Call POST /sandbox/payments/initiate with the invoice id and a Cameroonian phone number (237XXXXXXXXX). This returns a reference.

  5. Confirm or fail the payment

     Call POST /sandbox/payments/{reference}/confirm to simulate a successful payment, or /fail to simulate a declined prompt. The linked invoice status updates automatically.

API reference

Select an endpoint, fill in the parameters, and send a live request directly from this page.

GET /sandbox/ping

Verifies that the sandbox is reachable and your API key is valid. Use this as a first step to confirm your integration is set up correctly.

curl -X GET \
  "https://fonlok-backend-production.up.railway.app/sandbox/ping" \
  -H "Authorization: Bearer sk_test_your_key_here"

Sample response

{
  "object": "sandbox_status",
  "status": "ok",
  "environment": "sandbox",
  "key_label": "Local development",
  "message": "The Fonlok sandbox is live. No real transactions will be processed.",
  "timestamp": "2026-06-30T12:00:00.000Z",
  "_sandbox": true
}

API keys

Sandbox keys are prefixed with sk_test_ and only work against the sandbox. They carry no access to live transactions, real payouts, or production user data.

Sign in to create and manage your sandbox API keys.


Common questions

Does the sandbox share a database with production?

No. The sandbox uses dedicated tables (sandbox_invoices, sandbox_transactions, sandbox_api_keys) that are entirely separate from production tables. A bug in your sandbox integration cannot affect real users or live payments.

Are sandbox API keys valid in production?

No. Keys prefixed with sk_test_ are rejected by all production routes. You will need a separate live key (not yet publicly available) to process real payments.

Do sandbox transactions expire or get cleaned up?

Sandbox data is retained until your key is revoked. When you revoke a key, all invoices and transactions associated with it are automatically deleted via a database cascade.

Is there a webhook I can test against?

Webhook simulation is not yet available in the public sandbox. You can simulate all payment state changes (confirm, fail) using the direct sandbox endpoints. Webhook support is on the roadmap.

Can I use the sandbox in my CI/CD pipeline?

Yes. Create a key labelled for your pipeline (e.g. "GitHub Actions") and store it as a secret in your CI environment. The sandbox rate limit of 60 requests per minute is well above what a typical test suite needs.

How do I report a bug in the sandbox API?

Reach us at support@fonlok.com with the subject line "Sandbox API issue". Include the endpoint, your request body, and the response you received.