KYC/KYB verification
In sandbox, you can trigger specific KYC/KYB verification outcomes using magic suffixes in customer and beneficial owner fields. These let you test different verification flows without waiting for real review.Business customer verification
The last 3 digits of theregistrationNumber in businessInfo determine the KYB status outcome when you call POST /verifications:
Beneficial owner KYC
The last 3 characters of thelastName in personalInfo determine the individual KYC status outcome:
Adding external accounts
The flows for creating external accounts in sandbox are the same as in production. The last 3 digits of an external account’s primary identifier (account number, IBAN, CLABE, Spark wallet address, etc.) determine the test scenario when that account is used in transfers or quotes. For identifiers with a domain part (e.g. PIX email keys), append the test digits to the username portion — for example,testuser.002@pix.com.br.
Beneficiary name verification
For account types that support beneficiary name verification, you can simulate different verification outcomes in sandbox. Use account identifiers with a1xx suffix to trigger verification scenarios (this range is reserved for verification and does not conflict with transfer or quote test patterns):
Transfer in
In production, internal accounts are funded by sending a bank transfer to the account’s payment instructions or by pulling from an external account. In sandbox, you have two options:Transfer in from an external account
Use the/transfer-in endpoint to pull funds from an external account into an internal account. The external account’s number suffix determines the outcome:
Sandbox fund endpoint
Instantly add funds to any internal account using/sandbox/internal-accounts/{accountId}/fund:
Creating quotes (cross-currency transfers)
When creating a quote with an external account destination, the account number suffix determines the payment outcome after quote execution:Executing a quote
After creating a quote, you need to fund it to trigger execution. There are two ways to do this in sandbox: Prefunded internal account — If your quote’s source is an internal account, fund the account using one of the methods described in transfer in, then call the quote execute endpoint to trigger the transaction:/sandbox/send to simulate this payment:
Transferring out funds
Use the/transfer-out endpoint to push funds from an internal account to an external account in the same currency. The external account’s number suffix controls the outcome using the same patterns as transfer in.
Sending to a UMA address
For UMA-based payments, use these sandbox addresses to simulate different scenarios:Simulating incoming UMA payments
Use the sandbox receive endpoint to simulate an incoming UMA payment to one of your platform’s users:Global Account magic values
The Grid sandbox accepts a small set of magic values for Global Account flows, so you can exercise the full request shape without standing up Turnkey, WebAuthn, or an OIDC provider. OTP, passkey, and wallet signatures use fixed sandbox-only values. OAuth uses JWT-shaped sandbox OIDC tokens: sandbox skips real IdP signature verification, but still validates the token claims, freshness, credential identity, and verify-time nonce binding. A wrong magic value or sandbox OIDC authentication failure returns401 UNAUTHORIZED with a reason field that names the specific check that failed. A malformed OIDC JWT can return 400 INVALID_INPUT before authentication starts.
Email OTP code
Pass000000 as the body otp on POST /auth/credentials/{id}/verify when the credential type is EMAIL_OTP. The sandbox skips OTP delivery and accepts this value as a valid response to the issued challenge.
401 UNAUTHORIZED with reason: "Invalid OTP code".
Passkey assertion signature
Passsandbox-valid-passkey-signature as assertion.signature on POST /auth/credentials/{id}/verify when the credential type is PASSKEY. The sandbox accepts the rest of the assertion as-is and skips the WebAuthn signature check.
Passkey reauthentication is a two-step /challenge → /verify flow. The clientPublicKey is sent on /challenge (so Grid can seal the session signing key to your device) — the magic value bypasses the credential check, not the HPKE plumbing, so the public key is still required.
401 UNAUTHORIZED with reason: "Invalid passkey signature".
OAuth (OIDC) token
OAuth does not use a fixed magic token in sandbox. Pass a JWT-shaped OIDC token asoidcToken. The JWT signature segment can be a dummy value, but the payload must look like a real ID token.
For POST /auth/credentials with type: "OAUTH", the sandbox token must include:
iss: a supported issuer, such ashttps://accounts.google.com,accounts.google.com, orhttps://appleid.apple.comaud: a non-empty string, or a single-element string arraysub: a non-empty subject identifier for the useriat: a numeric issued-at timestamp no more than 60 seconds before the request, with 5 seconds of clock skew allowedexp: a numeric expiration timestamp later than the request time
iss, aud, and sub. On POST /auth/credentials/{id}/verify, the fresh oidcToken must carry the same iss, aud, and sub as the credential being verified. It must also include nonce equal to sha256(clientPublicKey), where clientPublicKey is the exact hex public key sent in the verify request.
The old literal
sandbox-valid-oidc-token is no longer accepted. Use a freshly generated sandbox JWT for both OAuth credential registration and OAuth verification. Production requires a real ID token from your provider and verifies the provider signature.Wallet signature header
Passsandbox-valid-signature as the Grid-Wallet-Signature HTTP header on any signed-retry flow:
POST /auth/credentials(add-additional-credential signed retry)DELETE /auth/credentials/{id}(revoke credential)DELETE /auth/sessions/{id}(revoke session)POST /internal-accounts/{id}/export(export wallet)PATCH /internal-accounts/{id}(update wallet privacy)POST /quotes/{quoteId}/execute(when source is an embedded wallet)
401 UNAUTHORIZED with reason: "Invalid Grid-Wallet-Signature".