> ## Documentation Index
> Fetch the complete documentation index at: https://documentation.idenfy.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Testing and Sandbox

> Test your iDenfy integration with dummy verification results in the sandbox environment before going live with real users and documents.

## How to Test

iDenfy uses the same API URL for sandbox and production. Your API key determines which mode you're in.

<Steps>
  <Step title="Get sandbox API keys">
    Your sandbox keys are in [Dashboard → Settings → API Keys](/guides/dashboard/settings/api-keys).
  </Step>

  <Step title="Set up a webhook receiver">
    Use one of these to inspect incoming webhooks:

    ```bash theme={"system"}
    # Option 1: webhook.site (no setup)
    # Go to https://webhook.site — you get a unique URL immediately

    # Option 2: ngrok (tunnels to localhost)
    ngrok http 3000
    # Use the https URL it gives you
    ```

    Paste the URL in [Dashboard → Settings → Webhooks](/guides/dashboard/settings/system-notifications-webhooks-emails).
  </Step>

  <Step title="Create a test session">
    ```bash theme={"system"}
    curl -X POST https://ivs.idenfy.com/api/v2/token \
      -u "SANDBOX_API_KEY:SANDBOX_API_SECRET" \
      -H "Content-Type: application/json" \
      -d '{"clientId": "test-001"}'
    ```
  </Step>

  <Step title="Run a dummy verification">
    Use the [Sample Verification](/guides/dashboard/kyb/verification-sandbox-and-testing) feature in your Dashboard to generate mock results with predefined outcomes — no real documents needed.
  </Step>
</Steps>

***

## Simulating Different Outcomes

Use [Dummy Results](/kyc/dummy-results) to trigger specific verification statuses:

| Outcome       | What to test in your app                            |
| ------------- | --------------------------------------------------- |
| **APPROVED**  | Happy path — user gets access                       |
| **DENIED**    | Show rejection message, offer retry                 |
| **SUSPECTED** | Check `fraudTags` / `mismatchTags`, make a decision |
| **EXPIRED**   | Token timed out — prompt re-verification            |

For AML screening, use [AML Dummy Results](/aml/dummy-results) to trigger sanctions/PEP matches.

***

## Go-Live Checklist

Before switching to production keys:

* [ ] **Webhooks** — all statuses handled (`APPROVED`, `DENIED`, `SUSPECTED`, `EXPIRED`)
* [ ] **Error handling** — graceful responses for 400, 401, 403, 429, 500
* [ ] **Token expiry** — tested what happens when user returns after session expires
* [ ] **Callback signing** — [HMAC verification](/security/callback-signing) implemented
* [ ] **IP whitelisting** — [iDenfy IPs whitelisted](/security/ip-whitelisting) on your webhook endpoint
* [ ] **Data storage** — `scanRef` stored in your database for each verification
* [ ] **Production webhook URL** — configured in Dashboard
* [ ] **Production API keys** — generated and stored securely (env vars, not code)

<Warning>
  The most common go-live issue: **webhook endpoint returns non-2xx**. iDenfy retries, and in the meantime the user sees a "failed" redirect even though verification may have succeeded. Test your webhook endpoint thoroughly.
</Warning>