Testing
Test cards, sandbox tools, and strategies for validating your Credo integration before going live.
Credo's sandbox environment mirrors production exactly - same API, same endpoints, same behavior - but with no real money. Use it to test every part of your integration before switching to live keys.
Sandbox environment
| Sandbox | Production | |
|---|---|---|
| Dashboard | app.credodemo.com | app.credocentral.com |
| API base URL | api.credodemo.com | api.credocentral.com |
| Real charges | No | Yes |
| API keys | Separate set | Separate set |
Sandbox and production are completely independent. You need separate accounts, separate API keys, and separate webhook configurations for each.
Test cards
Testing bank transfers
When you initialize a transaction with initializeAccount set to 1, a virtual bank account is generated for the customer to transfer to.
In sandbox mode, bank transfers are simulated. After initializing:
- Note the virtual account number from the payment page
- The transaction auto-completes in sandbox (no actual transfer needed)
- Verify the transaction to confirm the status
Testing the full flow
Initialize and pay
# Initialize a transaction
curl -X POST https://api.credodemo.com/transaction/initialize \
-H "Authorization: YOUR_TEST_PUBLIC_KEY" \
-H "Content-Type: application/json" \
-d '{
"amount": 50000,
"email": "test@example.com",
"currency": "NGN",
"bearer": 0,
"channels": ["CARD"],
"initializeAccount": 0,
"callbackUrl": "https://yoursite.com/callback"
}'Open the authorizationUrl in your browser and complete payment with the test card.
Verify the transaction
curl https://api.credodemo.com/transaction/vs_xxxxxxxxxxxx/verify \
-H "Authorization: YOUR_TEST_SECRET_KEY"Confirm the response shows "status": 0 (successful).
Check webhook delivery
If you've configured a webhook URL in your sandbox dashboard, the webhook should arrive shortly after payment. You'll receive a transaction.successful event (or transaction.failed if the payment was declined). Check your server logs to confirm:
- The payload arrived with the correct
eventtype - The
X-Credo-Signaturevalidated correctly (SHA512 of secretKey + businessCode) - Your handler processed the event for all types you care about
Use a tool like webhook.site or ngrok during development to inspect webhook payloads without deploying your server.
Testing direct card charge
If you're using the direct charge API:
curl -X POST https://api.credodemo.com/transaction/direct/initiate \
-H "Authorization: YOUR_TEST_SECRET_KEY" \
-H "Content-Type: application/json" \
-d '{
"amount": 50000,
"currency": "NGN",
"reference": "TEST-DIRECT-001",
"card": {
"pan": "5399838383838381",
"cvv": "470",
"expiryYear": 2028,
"expiryMonth": 10
},
"customer": {
"email": "test@example.com"
},
"authorization": {
"mode": "PIN",
"pin": "1234"
}
}'If the response indicates OTP is required, authorize with:
curl -X POST https://api.credodemo.com/transaction/direct/authorize \
-H "Authorization: YOUR_TEST_SECRET_KEY" \
-H "Content-Type: application/json" \
-d '{
"transRef": "vs_xxxxxxxxxxxx",
"authorization": {
"mode": "OTP",
"otp": "123456"
}
}'What to test
Use this checklist to validate your integration before going live:
Payment flow
- Transaction initializes successfully
- Customer is redirected to checkout page
- Payment completes with test card
- Customer is redirected back to your
callbackUrl - Transaction verifies with status
0
Verification logic
- Amount matches what you expected
- Currency matches
- Business reference matches your order
- Duplicate payments are handled (same transRef isn't processed twice)
Webhooks
- Webhook is received at your endpoint
-
X-Credo-Signatureverification passes (SHA512 of secretKey + businessCode) - Handler processes all event types:
transaction.successful,transaction.failed,transaction.transaction.transfer.reverse,transaction.settlement.success - Duplicate webhooks are handled idempotently (use
transRef+ event as key)
Error scenarios
- Declined card shows appropriate message to customer
- Network timeout during verification is retried
- Invalid API key returns
401and is handled - Missing required fields return clear error messages
Edge cases
- Customer closes browser mid-payment (webhook still arrives)
- Very large amounts work correctly (watch for integer overflow)
- Special characters in customer names don't break anything
- Concurrent transactions don't interfere with each other
Switching to production
When all tests pass:
Create a production account
Register at app.credocentral.com and complete all six onboarding steps (personal profile, business profile, registration documents, business representatives, account information, and charges information).
Get production API keys
Go to Settings → Developer → API Keys in the production dashboard.
Update your configuration
Switch your API base URL and keys:
# Environment variables
CREDO_API_URL=https://api.credocentral.com
CREDO_PUBLIC_KEY=your_live_public_key
CREDO_SECRET_KEY=your_live_secret_keyConfigure production webhooks
Add your webhook URL in the production dashboard - it's a separate configuration from sandbox.
Run the go-live checklist
Review the Go-Live Checklist to confirm everything is ready.
Next steps
Was this page helpful?
Last updated on