Use sandbox before any production launch. The API shape is the same as production, but credentials and merchant configuration are isolated.
What you need from Points
Request the following from support@papp.sa:
- sandbox API base URL
- sandbox Private key
- sandbox Public key
- a sandbox merchant with the correct capabilities enabled
- confirmation whether your merchant supports earn-only, checkout, or both
Production and sandbox credentials are separate. Keys never cross environments.
What stays the same in sandbox
The following remain the same as production:
- request and response JSON shape
- authentication model
- endpoint paths
- webhook registration model
- order lifecycle concepts
Test phone numbers
Current behavior accepts any well-formed KSA mobile number in sandbox unless your environment has stricter merchant-side configuration.
Recommended practice:
- use a dedicated list of internal test phone numbers
- keep them separate from real customer numbers
- reuse the same few numbers across regression tests so order history is easy to trace
Suggested sandbox setup
Prepare these environment variables:
POINTS_BASE_URL=https://sandbox-api.example.com/api/v1
POINTS_API_KEY=your_sandbox_private_key
POINTS_PUBLIC_KEY=your_sandbox_public_key
POINTS_WEBHOOK_URL=https://your-staging-domain.example.com/webhooks/points
Minimum test matrix
Before go-live, validate at least:
- successful earning order
- successful checkout session creation
- successful webhook registration
approved webhook handlingcancelled webhook handlingrefunded webhook handling if refunds are part of your flow- shipping status update if you fulfil physical goods
Staging webhook recommendation
Register a staging webhook URL against sandbox, not your local machine, for repeated tests. Use tunnelling only for short manual debugging sessions.
Test phone numbers
The sandbox currently accepts any well-formed KSA phone number. If Points later allocates dedicated test identities or OTP bypass rules for your merchant, treat those as environment-specific test fixtures rather than a global contract.
See also
