Environments

Production — https://api.paymnt.cloud
Sandbox — https://sandbox.paymnt.cloud

Use Sandbox for building, testing, and QA. Switch to Production for real transactions without changing your integration surface.

Environment separation

Data isolation. Objects created in Sandbox are not visible in Production, and vice versa.
API keys. Generate separate secret keys per environment. Never reuse a Production key in Sandbox.
Profiles & routing. Profiles (x-profile-id) are environment-scoped; configure routing independently per env.
Connectors & credentials. Configure connector credentials separately for each environment.

Avoid real PII in Sandbox wherever possible. Use test data and anonymized payloads.

Authentication headers

Send your secret key on the server only:

api-key: <YOUR_SECRET_KEY>
x-profile-id: <pro_...>   # optional, when profiles are enabled

Details: Authentication • RBAC & Keys

Pick the base URL

During development:

Base URL: https://sandbox.paymnt.cloud

When you go live:

Base URL: https://api.paymnt.cloud

We strongly recommend environment variables:

# .env
PAYMNT_BASE_URL=https://sandbox.paymnt.cloud
PAYMNT_API_KEY=sk_sandbox_...

# on production deploy:
# PAYMNT_BASE_URL=https://api.paymnt.cloud
# PAYMNT_API_KEY=sk_live_...

Node (fetch) example:

const base = process.env.PAYMNT_BASE_URL;   // sandbox or prod
const res = await fetch(`${base}/customers`, {
  headers: { "Accept": "application/json", "api-key": process.env.PAYMNT_API_KEY }
});
const data = await res.json();
console.log(data);

Webhooks & events (managed — no self-hosted required)

Paymnt Cloud provides a managed event stream and delivery in our cloud. You don’t need to run your own webhook server. How it works (per environment):

In the Dashboard, enable event subscriptions for Sandbox or Production
Choose which event types you want to receive (e.g., payment lifecycle)
Consume events via our managed delivery or via the Events API (pull), depending on your integration preference

Consumption options:

Managed delivery (hosted by Paymnt Cloud). Events are delivered from our cloud; signature verification and retries are handled by the platform
Events API (pull). Programmatically fetch and acknowledge events from the environment’s stream
Optional external destination. If you still want to receive events at your own URL, you can add external endpoints; signing and retry/backoff apply the same way

Learn more: Webhooks — Overview • Event Types • Signing & Retries Tip: keep your business logic idempotent; use event ids to deduplicate processing.

Testing resources

Sandbox guide — flows, test scenarios, configuration tips
Test cards & 3DS — PANs, SCA outcomes, challenge flows

Rate limits and resilience

Both environments enforce rate limits (e.g., HTTP 429 on exceed). Implement:

Idempotency for POST/PUT/PATCH (Idempotency)
Exponential backoff + jitter for transient failures (Retries & Backoff)
Error handling with request_id logging (Error Codes)

Getting Started

Essentials

Guides — Payments

Guides — Customers

Guides — Refunds

Guides — Disputes

Routing & Connectors

Webhooks & Events

SDKs & Tools

Sandbox & Testing

Security & Compliance

Operations

Support & FAQ

Environment separation

Authentication headers

Pick the base URL

Webhooks & events (managed — no self-hosted required)

Testing resources

Rate limits and resilience

Getting Started

Essentials

Guides — Payments

Guides — Customers

Guides — Refunds

Guides — Disputes

Routing & Connectors

Webhooks & Events

SDKs & Tools

Sandbox & Testing

Security & Compliance

Operations

Support & FAQ

​Environment separation

​Authentication headers

​Pick the base URL

​Webhooks & events (managed — no self-hosted required)

​Testing resources

​Rate limits and resilience

Environment separation

Authentication headers

Pick the base URL

Webhooks & events (managed — no self-hosted required)

Testing resources

Rate limits and resilience