Documentation Index
Fetch the complete documentation index at: https://ramps-sync-country-coverage-2026-05-29.mintlify.app/llms.txt
Use this file to discover all available pages before exploring further.
The Grid sandbox environment allows you to test your integration without making real payments. When you set up your account, you can configure production and sandbox API tokens. The sandbox token is specifically for testing and development purposes.
It corresponds to a separate platform instance in “sandbox” mode, which can only transact with the sandbox UMA addresses for testing.
Overview
The sandbox environment provides:
- A dedicated sandbox platform for testing
- Test UMA addresses for simulating payments
- Endpoints to simulate sending and receiving payments
- All the same webhooks and flows as production, but with simulated funds
Test UMA Addresses
The sandbox provides several test UMA addresses you can use to simulate different scenarios:
| UMA Address | Description |
|---|
$success.usd@sandbox.uma.money | Always succeeds, sends USD |
$success.eur@sandbox.uma.money | Always succeeds, sends EUR |
$success.mxn@sandbox.uma.money | Always succeeds, sends MXN |
$pending.long.usd@sandbox.uma.money | Simulates a long-pending payment |
$fail.compliance.usd@sandbox.uma.money | Simulates compliance check failure |
Testing Outgoing Payments
To test sending payments from your platform, follow these steps:
- Look up a sandbox UMA address:
curl -X GET "https://api.lightspark.com/grid/2025-10-13/receiver/uma/\$success.usd@sandbox.uma.money" \
-u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET"
- Create a quote as normal:
curl -X POST "https://api.lightspark.com/grid/2025-10-13/quotes" \
-u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET" \
-H "Content-Type: application/json" \
-d '{
"lookupId": "Lookup:019542f5-b3e7-1d02-0000-000000000009",
"source": {
"sourceType": "REALTIME_FUNDING",
"currency": "MXN"
},
"destination": {
"destinationType": "UMA_ADDRESS",
"umaAddress": "$success.usd@sandbox.uma.money"
},
"lockedCurrencySide": "SENDING",
"lockedCurrencyAmount": 10000
}'
- Instead of making a real bank transfer, use the sandbox send endpoint with the quote ID:
curl -X POST "https://api.lightspark.com/grid/2025-10-13/sandbox/send" \
-u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET" \
-H "Content-Type: application/json" \
-d '{
"quoteId": "Quote:019542f5-b3e7-1d02-0000-000000000006",
"currencyCode": "USD"
}'
Testing Incoming Payments
To test receiving payments to your platform’s users, use the sandbox receive endpoint:
curl -X POST "https://api.lightspark.com/grid/2025-10-13/sandbox/uma/receive" \
-u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET" \
-H "Content-Type: application/json" \
-d '{
"senderUmaAddress": "$success.usd@sandbox.uma.money",
"receiverUmaAddress": "$your.user@your.domain",
"receivingCurrencyCode": "USD",
"receivingCurrencyAmount": 5000
}'
- You’ll receive an
INCOMING_PAYMENT webhook with status: "PENDING"
- Your platform should approve/reject the payment
- On approval, you’ll receive another webhook with
status: "COMPLETED"
Example Testing Flow
Here’s a complete example of testing both directions of payments:
- First, register a test customer:
curl -X POST "https://api.lightspark.com/grid/2025-10-13/customers" \
-u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET" \
-H "Content-Type: application/json" \
-d '{
"platformCustomerId": "test_123",
"customerType": "INDIVIDUAL",
"fullName": "Test User",
"birthDate": "1990-01-01",
"nationality": "US",
"address": {
"line1": "123 Test St",
"city": "Testville",
"state": "TS",
"postalCode": "12345",
"country": "US"
}
}'
umaAddress, which you can use as the receiverUmaAddress below.
- Test receiving a payment:
curl -X POST "https://api.lightspark.com/grid/2025-10-13/sandbox/uma/receive" \
-u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET" \
-H "Content-Type: application/json" \
-d '{
"senderUmaAddress": "$success.usd@sandbox.uma.money",
"receiverUmaAddress": "$test.user@your.domain",
"receivingCurrencyCode": "USD",
"receivingCurrencyAmount": 5000
}'
- Test sending a payment:
# 1. Look up recipient
curl -X GET "https://api.lightspark.com/grid/2025-10-13/receiver/uma/\$success.usd@sandbox.uma.money" \
-u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET"
# 2. Create quote
curl -X POST "https://api.lightspark.com/grid/2025-10-13/quotes" \
-u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET" \
-H "Content-Type: application/json" \
-d '{
"lookupId": "Lookup:019542f5-b3e7-1d02-0000-000000000009",
"source": {
"sourceType": "REALTIME_FUNDING",
"currency": "MXN"
},
"destination": {
"destinationType": "UMA_ADDRESS",
"umaAddress": "$success.usd@sandbox.uma.money"
},
"lockedCurrencySide": "SENDING",
"lockedCurrencyAmount": 10000
}'
# 3. Simulate sending payment
curl -X POST "https://api.lightspark.com/grid/2025-10-13/sandbox/send" \
-u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET" \
-H "Content-Type: application/json" \
-d '{
"quoteId": "Quote:019542f5-b3e7-1d02-0000-000000000006",
"currencyCode": "USD"
}'
Testing Error Scenarios
You can test various error scenarios using the special sandbox UMA addresses:
- Test compliance failures:
curl -X GET "https://api.lightspark.com/grid/2025-10-13/receiver/uma/\$fail.compliance.usd@sandbox.uma.money" \
-u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET"
# ... create quote and attempt payment
- Test long-pending payments:
curl -X GET "https://api.lightspark.com/grid/2025-10-13/receiver/uma/\$pending.long.usd@sandbox.uma.money" \
-u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET"
# ... create quote and attempt payment
- Non-existent UMA address:
curl -X GET "https://api.lightspark.com/grid/2025-10-13/receiver/uma/\$non.existent.usd@sandbox.uma.money" \
-u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET"
# ... should return 404 Not Found
Global Account magic values
The Grid sandbox accepts a small set of magic values for Global Account flows, so you can exercise the full request shape without standing up Turnkey, WebAuthn, or an OIDC provider. OTP, passkey, and wallet signatures use fixed sandbox-only values. OAuth uses JWT-shaped sandbox OIDC tokens: sandbox skips real IdP signature verification, but still validates the token claims, freshness, credential identity, and verify-time nonce binding.
A wrong magic value or sandbox OIDC authentication failure returns 401 UNAUTHORIZED with a reason field that names the specific check that failed. A malformed OIDC JWT can return 400 INVALID_INPUT before authentication starts.
Email OTP code
Pass 000000 as the body otp on POST /auth/credentials/{id}/verify when the credential type is EMAIL_OTP. The sandbox skips OTP delivery and accepts this value as a valid response to the issued challenge.
curl -X POST https://api.lightspark.com/grid/2025-10-13/auth/credentials/AuthMethod:abc123/verify \
-u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET" \
-H "Content-Type: application/json" \
-H "Request-Id: 7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21" \
-d '{
"type": "EMAIL_OTP",
"otp": "000000",
"clientPublicKey": "04f45f2a..."
}'
401 UNAUTHORIZED with reason: "Invalid OTP code".
Passkey assertion signature
Pass sandbox-valid-passkey-signature as assertion.signature on POST /auth/credentials/{id}/verify when the credential type is PASSKEY. The sandbox accepts the rest of the assertion as-is and skips the WebAuthn signature check.
Passkey reauthentication is a two-step /challenge → /verify flow. The clientPublicKey is sent on /challenge (so Grid can seal the session signing key to your device) — the magic value bypasses the credential check, not the HPKE plumbing, so the public key is still required.
# 1. /challenge with clientPublicKey
curl -X POST https://api.lightspark.com/grid/2025-10-13/auth/credentials/AuthMethod:abc123/challenge \
-u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET" \
-H "Content-Type: application/json" \
-d '{
"clientPublicKey": "04f45f2a..."
}'
# 2. /verify with the magic signature, no clientPublicKey
curl -X POST https://api.lightspark.com/grid/2025-10-13/auth/credentials/AuthMethod:abc123/verify \
-u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET" \
-H "Content-Type: application/json" \
-H "Request-Id: 7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21" \
-d '{
"type": "PASSKEY",
"assertion": {
"credentialId": "...",
"clientDataJson": "...",
"authenticatorData": "...",
"signature": "sandbox-valid-passkey-signature"
}
}'
401 UNAUTHORIZED with reason: "Invalid passkey signature".
OAuth (OIDC) token
OAuth does not use a fixed magic token in sandbox. Pass a JWT-shaped OIDC token as oidcToken. The JWT signature segment can be a dummy value, but the payload must look like a real ID token.
For POST /auth/credentials with type: "OAUTH", the sandbox token must include:
iss: a supported issuer, such as https://accounts.google.com, accounts.google.com, or https://appleid.apple.comaud: a non-empty string, or a single-element string arraysub: a non-empty subject identifier for the useriat: a numeric issued-at timestamp no more than 60 seconds before the request, with 5 seconds of clock skew allowedexp: a numeric expiration timestamp later than the request time
Grid stores the OAuth credential’s registered identity from iss, aud, and sub. On POST /auth/credentials/{id}/verify, the fresh oidcToken must carry the same iss, aud, and sub as the credential being verified. It must also include nonce equal to sha256(clientPublicKey), where clientPublicKey is the exact hex public key sent in the verify request.
export PUBLIC_KEY="04f45f2a22c908b9ce09a7150e514afd24627c401c38a4afc164e1ea783adaaa31d4245acfb88c2ebd42b47628d63ecabf345484f0a9f665b63c54c897d5578be2"
OIDC_TOKEN=$(node - <<'NODE'
const crypto = require("crypto");
const publicKey = process.env.PUBLIC_KEY || "04f45f2a22c908b9ce09a7150e514afd24627c401c38a4afc164e1ea783adaaa31d4245acfb88c2ebd42b47628d63ecabf345484f0a9f665b63c54c897d5578be2";
const now = Math.floor(Date.now() / 1000);
const b64url = (value) =>
Buffer.from(JSON.stringify(value)).toString("base64url");
const payload = {
iss: "https://accounts.google.com",
sub: "sandbox-user-123",
aud: "grid-sandbox-oauth-client-id",
iat: now,
exp: now + 300,
nonce: crypto.createHash("sha256").update(publicKey).digest("hex"),
email: "sandbox-user-123@example.com",
email_verified: true
};
console.log(
`${b64url({ alg: "RS256", typ: "JWT" })}.${b64url(payload)}.sandbox-signature`
);
NODE
)
curl -X POST https://api.lightspark.com/grid/2025-10-13/auth/credentials/AuthMethod:abc123/verify \
-u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET" \
-H "Content-Type: application/json" \
-H "Request-Id: 7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21" \
-d '{
"type": "OAUTH",
"oidcToken": "'"$OIDC_TOKEN"'",
"clientPublicKey": "'"$PUBLIC_KEY"'"
}'
The old literal sandbox-valid-oidc-token is no longer accepted. Use a freshly generated sandbox JWT for both OAuth credential registration and OAuth verification. Production requires a real ID token from your provider and verifies the provider signature.
sandbox-valid-signature as the Grid-Wallet-Signature HTTP header on any signed-retry flow:
POST /auth/credentials (add-additional-credential signed retry)DELETE /auth/credentials/{id} (revoke credential)DELETE /auth/sessions/{id} (revoke session)POST /internal-accounts/{id}/export (export wallet)PATCH /internal-accounts/{id} (update wallet privacy)POST /quotes/{quoteId}/execute (when source is an embedded wallet)
curl -X POST https://api.lightspark.com/grid/2025-10-13/quotes/Quote:abc123/execute \
-u "$GRID_CLIENT_ID:$GRID_CLIENT_SECRET" \
-H "Content-Type: application/json" \
-H "Idempotency-Key: 7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21" \
-H "Grid-Wallet-Signature: sandbox-valid-signature"
401 UNAUTHORIZED with reason: "Invalid Grid-Wallet-Signature".
Production vs Sandbox
Here are the key differences between production and sandbox environments:
- API Tokens: Sandbox tokens only work in the sandbox environment and vice versa
- Bank Transfers: In sandbox, you use
/sandbox/send instead of real bank transfers
- Test UMA Addresses: Special sandbox addresses for testing different scenarios
- Money: No real money is moved in sandbox
Always test thoroughly in sandbox before moving to production!
