Environments

Every merchant has two environments — live (real money) and test (non-money movement). The boundary is enforced at four independent layers: API key, PSP credentials, database, and ledger. Together they make cross-environment leakage effectively impossible.

The key is the switch

Environment is stamped on the API key. The middleware reads environment from the key and binds it to the request context. Every order-creating endpoint reads the stamp from there.

There is no ?env=live query parameter, no X-Environment header, no body field that can shift the call. A test key cannot create a live order. A live key cannot create a test order.

Base URLs

The base URL is shared across Live and Test. The real boundary is the key prefix: a sk_test_* key always resolves as a test request, whichever host you call.

What test exercises

• The same routing engine, fee policies, limit policies, risk rules, and ledger math that live runs.
• Test orders route to test PSP credentials only. A method with no test credentials is invisible to test orders.
• Test balances are backed by separate ledger accounts from live balances. No transfer ever crosses the boundary.

What test does not exercise

Operational rules

• Do not synthesize live data from test runs. Test rows never become live rows; there is no migration path.
• Do not point a webhook endpoint that handles live events at test deliveries. Configure separate endpoints per environment.
• Verify every deploy against test before flipping the live key. GET /me is the cheapest sanity check.