Test in Sandbox
TrustGate provides a sandbox environment for testing your integration without affecting production data or incurring charges. This guide explains how to use sandbox mode effectively.
Sandbox vs. Production
| Feature | Sandbox | Production |
|---|---|---|
| API Key Prefix | tg_test_ | tg_live_ |
| Data Persistence | 7 days | Permanent |
| Screening Results | Simulated | Real watchlists |
| Rate Limits | 1000/min | Based on plan |
| Billing | Free | Usage-based |
| Webhooks | Delivered | Delivered |
Getting Your Sandbox API Key
- Log in to the TrustGate dashboard
- Go to Settings > API Keys
- Find your sandbox key (starts with
tg_test_) - Click Copy to copy it to your clipboard
Environment Variables
Use environment variables to switch between sandbox and production:
# Development
TRUSTGATE_API_KEY=tg_test_xxxxxxxxxxxx
# Production
TRUSTGATE_API_KEY=tg_live_xxxxxxxxxxxx
Test Data
Test Applicants
Use these test names to trigger specific screening results:
| Name | Screening Result | Description |
|---|---|---|
John Smith | Clear | No matches found |
Sanctions Match | Sanctions hit | Triggers OFAC SDN match |
PEP Tier One | PEP hit (Tier 1) | Triggers high-level PEP match |
PEP Tier Three | PEP hit (Tier 3) | Triggers lower-level PEP match |
Media Match | Adverse media hit | Triggers negative news match |
Multi Hit | Multiple hits | Triggers sanctions + PEP + adverse media |
Test Documents
In sandbox mode, document verification uses simulated OCR. Use these test document numbers:
| Document Number | Verification Result |
|---|---|
PASS123456 | Verified successfully |
PASS_EXPIRED | Rejected - expired document |
PASS_FAKE | Rejected - suspected fraud |
PASS_BLUR | Rejected - image quality |
Test Countries
Use these country codes to test geographic risk scenarios:
| Country Code | Risk Level | Notes |
|---|---|---|
USA, GBR, CAN | Low risk | Standard processing |
VNM, VEN, SYR | Medium risk | FATF grey list countries |
IRN, PRK, MMR | High risk | FATF black list countries |
LBN, YEM, BOL | Medium risk | FATF grey list countries |
Testing Workflows
1. Test Clear Verification Flow
Test the happy path where an applicant passes all checks:
curl -X POST https://api.bytrustgate.com/v1/applicants \
-H "Authorization: Bearer tg_test_YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{
"external_id": "test_clear_001",
"email": "clear@example.com",
"first_name": "John",
"last_name": "Smith",
"date_of_birth": "1990-01-15",
"nationality": "USA"
}'
Expected result:
- Screening returns
clear - Risk score: 10-30 (low)
- Ready for auto-approval
2. Test Sanctions Hit Flow
Test what happens when an applicant matches a sanctions list:
curl -X POST https://api.bytrustgate.com/v1/applicants \
-H "Authorization: Bearer tg_test_YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{
"external_id": "test_sanctions_001",
"email": "sanctions@example.com",
"first_name": "Sanctions",
"last_name": "Match",
"date_of_birth": "1980-06-20",
"nationality": "USA"
}'
Expected result:
- Screening returns
hit - Hit type:
sanctions - Confidence: 85-95%
- Risk score: 80+ (high)
- Case auto-created
3. Test PEP Hit Flow
Test politically exposed person detection:
curl -X POST https://api.bytrustgate.com/v1/applicants \
-H "Authorization: Bearer tg_test_YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{
"external_id": "test_pep_001",
"email": "pep@example.com",
"first_name": "PEP",
"last_name": "Tier One",
"date_of_birth": "1975-03-10",
"nationality": "GBR"
}'
Expected result:
- Screening returns
hit - Hit type:
pep - PEP tier: 1
- Position: "Former Head of State"
- Risk score: 70-85 (high)
4. Test High-Risk Country Flow
Test geographic risk flagging:
curl -X POST https://api.bytrustgate.com/v1/applicants \
-H "Authorization: Bearer tg_test_YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{
"external_id": "test_country_001",
"email": "highrisk@example.com",
"first_name": "Test",
"last_name": "User",
"date_of_birth": "1985-08-22",
"nationality": "IRN"
}'
Expected result:
- Risk score: 50+ (elevated)
- Flag:
high_risk_country - Requires enhanced due diligence
Testing Webhooks
Set Up Test Webhook
- Use a webhook testing service like webhook.site or RequestBin
- Copy the generated URL
- Add it in Settings > Webhooks with your sandbox API key
- Select events to receive
Trigger Test Events
Each action in sandbox triggers real webhooks:
# This will send an applicant.created webhook
curl -X POST https://api.bytrustgate.com/v1/applicants \
-H "Authorization: Bearer tg_test_YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{
"external_id": "webhook_test_001",
"first_name": "Webhook",
"last_name": "Test",
"email": "webhook@example.com"
}'
Verify Webhook Delivery
Check your webhook endpoint for the payload:
{
"event": "applicant.created",
"timestamp": "2025-01-20T12:00:00Z",
"data": {
"applicant_id": "...",
"external_id": "webhook_test_001",
"status": "pending"
}
}
Testing Error Scenarios
Rate Limiting
To test rate limit handling, send requests rapidly:
import requests
import time
API_KEY = "tg_test_YOUR_KEY"
for i in range(150): # Exceed 100/min limit
response = requests.get(
"https://api.bytrustgate.com/v1/applicants",
headers={"Authorization": f"Bearer {API_KEY}"},
)
if response.status_code == 429:
print(f"Rate limited at request {i}")
retry_after = response.headers.get("Retry-After", 60)
print(f"Retry after: {retry_after} seconds")
break
Invalid Data
Test validation errors:
# Missing required field
curl -X POST https://api.bytrustgate.com/v1/applicants \
-H "Authorization: Bearer tg_test_YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{
"email": "incomplete@example.com"
}'
Response:
{
"detail": [
{
"loc": ["body", "first_name"],
"msg": "field required",
"type": "value_error.missing"
}
]
}
Network Errors
Test timeout handling by using a slow network or adding delays to your webhook endpoint.
Sandbox Data Management
Cleaning Up Test Data
Sandbox data is automatically deleted after 7 days. To manually clean up:
# Delete a test applicant
curl -X DELETE https://api.bytrustgate.com/v1/applicants/{applicant_id}/gdpr-delete \
-H "Authorization: Bearer tg_test_YOUR_KEY" \
-G \
-d "confirmation=CONFIRM_DELETE" \
-d "reason=Test cleanup"
Seeding Demo Data
For UI testing, you can seed demo applicants via the debug endpoint (sandbox only):
curl -X POST https://api.bytrustgate.com/v1/auth/seed-demo-data \
-H "Authorization: Bearer tg_test_YOUR_KEY" \
-G \
-d "tenant_id=YOUR_TENANT_ID" \
-d "count=25"
Going Live Checklist
Before switching to production:
- All test scenarios pass
- Webhook endpoint handles all event types
- Error handling is robust
- Rate limiting is handled gracefully
- API key is stored securely (environment variables)
- Production webhook URL is configured
- Team members have appropriate roles
- Compliance workflows are reviewed
Switch to Production
- Replace
tg_test_API key withtg_live_in your environment - Update webhook URLs to production endpoints
- Verify first few real verifications manually
- Monitor error rates and latency
Best Practices
Separate Test Data
Use distinctive external IDs for test data:
const externalId = `test_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
Automated Testing
Include API tests in your CI/CD pipeline:
# pytest example
def test_create_applicant_clear():
response = create_applicant("John", "Smith")
assert response.status_code == 201
applicant_id = response.json()["id"]
screening = run_screening(applicant_id)
assert screening.json()["status"] == "clear"
Document Test Cases
Maintain a test matrix:
| Scenario | Test Name | Expected Result | Status |
|---|---|---|---|
| Clear applicant | test_clear_001 | Approved | ✓ |
| Sanctions hit | test_sanctions_001 | Case created | ✓ |
| PEP hit | test_pep_001 | Manual review | ✓ |
| High-risk country | test_country_001 | EDD required | ✓ |
Next Steps
- Quick Start Guide - Build your first integration
- API Reference - Full API documentation
- Webhooks - Event notification setup