Environment
Quick Reference
WhatSandbox and production environments
WhyConfigure endpoints, understand credential scoping, and make your first API call
Reading Time5 min
DifficultyBeginner
PrerequisitesAuthentication
Why this matters
| Risk | Consequence | How A55 prevents it |
|---|---|---|
| Using production credentials in development | Real cards get charged during testing | Separate credential pairs per environment |
| Pointing at the wrong API URL per environment | Requests fail or hit wrong data | Same URL for both — credentials determine behavior |
| No clear go-live checklist | Bugs ship to production | Sandbox mirrors production 1:1 — what works in sandbox works live |
Same URL — different credentials
Sandbox and production share the same base URL and Cognito host. The environment is selected by which client_id / client_secret pair you use. Double-check which credentials you deploy.
Endpoints
| Purpose | URL |
|---|---|
| REST API | https://core-manager.a55.tech/api/v1 |
| OAuth 2.0 token | https://smart-capital.auth.us-east-1.amazoncognito.com/oauth2/token |
Both URLs are identical for sandbox and production. Your credentials determine the environment.
Sandbox vs production
| Sandbox | Production | |
|---|---|---|
| Money | Simulated — no settlement | Real charges and settlement |
| Cards | Test cards and last-digit rules | Real issuer authorization |
| Credentials | Sandbox client_id / client_secret | Production client_id / client_secret |
| 3DS | Simulated flows | Live issuer challenges |
| Webhooks | Delivered to your endpoint | Delivered to your endpoint |
| Rate limits | Same as production | Same as sandbox |
| API surface | Identical | Identical |
Verify your setup
Set your credentials as environment variables, then authenticate and list wallets in one shot.
- cURL
- Python
- JavaScript
# Set sandbox credentials
export A55_CLIENT_ID="sandbox-xxxx-xxxx-xxxx"
export A55_CLIENT_SECRET="sandbox-secret-xxxx"
# Authenticate
TOKEN=$(curl -s -X POST \
https://smart-capital.auth.us-east-1.amazoncognito.com/oauth2/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
-d "client_id=$A55_CLIENT_ID" \
-d "client_secret=$A55_CLIENT_SECRET" | jq -r '.access_token')
echo "Token acquired: ${TOKEN:0:20}..."
# List wallets
curl -s https://core-manager.a55.tech/api/v1/wallets \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" | jq .
import os
import requests
AUTH_URL = "https://smart-capital.auth.us-east-1.amazoncognito.com/oauth2/token"
API_BASE = "https://core-manager.a55.tech/api/v1"
client_id = os.environ["A55_CLIENT_ID"]
client_secret = os.environ["A55_CLIENT_SECRET"]
token = requests.post(AUTH_URL, data={
"grant_type": "client_credentials",
"client_id": client_id,
"client_secret": client_secret,
}, headers={"Content-Type": "application/x-www-form-urlencoded"}).json()["access_token"]
print(f"Token acquired: {token[:20]}...")
headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
wallets = requests.get(f"{API_BASE}/wallets", headers=headers).json()
print(wallets)
const AUTH_URL = "https://smart-capital.auth.us-east-1.amazoncognito.com/oauth2/token";
const API_BASE = "https://core-manager.a55.tech/api/v1";
const clientId = process.env.A55_CLIENT_ID;
const clientSecret = process.env.A55_CLIENT_SECRET;
const tokenResp = await fetch(AUTH_URL, {
method: "POST",
headers: { "Content-Type": "application/x-www-form-urlencoded" },
body: new URLSearchParams({
grant_type: "client_credentials",
client_id: clientId,
client_secret: clientSecret,
}),
});
const { access_token } = await tokenResp.json();
console.log(`Token acquired: ${access_token.slice(0, 20)}...`);
const wallets = await fetch(`${API_BASE}/wallets`, {
headers: {
Authorization: `Bearer ${access_token}`,
"Content-Type": "application/json",
},
}).then(r => r.json());
console.log(wallets);
Run it now
Copy the snippet above, replace the credentials with your sandbox pair, and run it. If you see your wallets, your environment is set up correctly.
Credential configuration
Store credentials per environment in your secrets manager or .env files (never committed to version control).
Sandbox:
export A55_CLIENT_ID="sandbox-xxxx-xxxx-xxxx"
export A55_CLIENT_SECRET="sandbox-secret-xxxx"
export A55_ENV="sandbox"
Production:
export A55_CLIENT_ID="prod-xxxx-xxxx-xxxx"
export A55_CLIENT_SECRET="prod-secret-xxxx"
export A55_ENV="production"
Never mix environments
Production credentials in development charge real cards. Sandbox credentials in production silently fail. Always verify which pair is deployed.
Go-live checklist
| Step | Sandbox | Production |
|---|---|---|
| 1. Credentials provisioned | Sandbox client_id / client_secret | Production client_id / client_secret |
| 2. Authentication works | Token acquired, API responds | Token acquired, API responds |
| 3. Create a charge | Test card, status paid | Real card, status paid |
| 4. Webhooks received | Status updates arrive at your endpoint | Status updates arrive at your endpoint |
| 5. Refund tested | Refund completes in sandbox | — |
| 6. 3DS tested | Frictionless and challenge flows pass | — |
| 7. Credential rotation | — | Rotate secrets, confirm no downtime |
Operational practices
| Practice | Description |
|---|---|
| Secrets manager | Store credentials in AWS Secrets Manager, HashiCorp Vault, or your cloud's equivalent |
| No hardcoding | Never commit credentials to version control |
| Validate in sandbox first | Complete all flows before requesting production access |
| Rotate regularly | Rotate secrets on a quarterly schedule at minimum |
| Monitor 401s | Alert on unexpected authentication failures — they may signal credential leaks |
Request credentials
Email tech.services@a55.tech with company name, CNPJ (if applicable), contact email, desired environment (sandbox / production), and a short use-case description.