Skip to content
LootBox Solutions

Testing & sandbox

A suggested order for bringing an integration up, each step de-risking the next.

1. Verify signing

Hit the signed health endpoint:

GET /api/s2s/health   (signed)  →  { "status": "ok", "time": "…" }

A 200 confirms your HMAC envelope is correct end-to-end. A 401 here means signing is wrong — fix this before anything else.

2. Read the catalog

GET /api/s2s/boxes   →  { "boxes": [ … ] }

Confirms your key has catalog access and gives you real boxId / boxVersionId values to use below.

3. Mock your wallet

Stand up a wallet endpoint that always accepts, so you can drive a settled round without real money logic:

app.post('/wallet', (req, res) => {
  const { type, amountMinor } = req.body;
  if (type === 'wallet.balance') return res.json({ balanceMinor: 100000, currency: 'EUR' });
  return res.json({ accepted: true, balanceAfterMinor: 100000 - (amountMinor ?? 0), providerTxnRef: 'mock' });
});

Set it as your wallet URL in Settings → Integration. Then test refusals by returning { "accepted": false, "errorCode": "INSUFFICIENT_FUNDS" } and confirm the player sees the right message.

4. Mint & open

Mint a launch token, embed the iframe, and open a box — or drive /purchase directly. Verify:

  • the debit hits your wallet with the expected idempotencyKey;
  • a retried open with the same clientActionId does not debit twice;
  • the round settles and any won item appears in inventory.

Idempotency & retries to exercise

  • Replay the same clientActionId / idempotencyKey — expect one effect.
  • Time out your wallet (sleep > 10s) — expect WALLET_UNAVAILABLE, no money moved, player can retry.
  • Refuse a cancel wallet credit — expect the round stays held and can be retried.