Sandbox vs production credentials
The sandbox OAuth endpoints and credentials are different from production. Using production credentials against sandbox endpoints (or vice versa) will fail.
You can use the environment toggle in the top-right corner of the Developer Portal to switch between sandbox and production credentials.
Sandbox OAuth endpoints
| Step | Production | Sandbox |
|---|---|---|
| Authorization | https://oauth.qonto.com/oauth2/auth | https://oauth-sandbox.staging.qonto.co/oauth2/auth |
| Token | https://oauth.qonto.com/oauth2/token | https://oauth-sandbox.staging.qonto.co/oauth2/token |
| API base | https://thirdparty.qonto.com | https://thirdparty-sandbox.staging.qonto.co |
Required header on all sandbox requests
All requests to sandbox endpoints — including the OAuth token endpoint — must include the X-Qonto-Staging-Token header.
Without it, the server may return a 302 redirect to the developer portal instead of a JSON response, which is a common and confusing failure.
```bash
curl -X POST https://oauth-sandbox.staging.qonto.co/oauth2/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'X-Qonto-Staging-Token: YOUR_STAGING_TOKEN' \
  -d 'grant_type=authorization_code' \
  -d 'code=YOUR_CODE' \
  -d 'client_id=YOUR_SANDBOX_CLIENT_ID' \
  -d 'client_secret=YOUR_SANDBOX_CLIENT_SECRET' \
  -d 'redirect_uri=https://your-app.com/callback'
```
```python
import requests

# Exchange the authorization code for tokens on the sandbox token endpoint.
response = requests.post(
    "https://oauth-sandbox.staging.qonto.co/oauth2/token",
    # Required on every sandbox request, including the token exchange.
    headers={"X-Qonto-Staging-Token": "YOUR_STAGING_TOKEN"},
    data={
        "grant_type": "authorization_code",
        "code": "YOUR_CODE",
        "client_id": "YOUR_SANDBOX_CLIENT_ID",
        "client_secret": "YOUR_SANDBOX_CLIENT_SECRET",
        "redirect_uri": "https://your-app.com/callback",
    },
)
tokens = response.json()
```
```javascript
// Exchange the authorization code for tokens on the sandbox token endpoint.
const response = await fetch('https://oauth-sandbox.staging.qonto.co/oauth2/token', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded',
    // Required on every sandbox request, including the token exchange.
    'X-Qonto-Staging-Token': 'YOUR_STAGING_TOKEN',
  },
  body: new URLSearchParams({
    grant_type: 'authorization_code',
    code: 'YOUR_CODE',
    client_id: 'YOUR_SANDBOX_CLIENT_ID',
    client_secret: 'YOUR_SANDBOX_CLIENT_SECRET',
    redirect_uri: 'https://your-app.com/callback',
  }),
});
const tokens = await response.json();
```
Your staging token is available in your Developer Portal account.
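The following is an added example, not code from Qonto: a small guard that ties the token URL and the staging header to one environment setting and turns the 302 described above into an explicit error instead of a JSON parse failure. The function names, the `env` parameter and the choice to omit the staging token from production requests are assumptions made for this illustration; the endpoints and header name come from this page.

```python
import json

# Token endpoints copied from the table on this page.
TOKEN_URLS = {
    "production": "https://oauth.qonto.com/oauth2/token",
    "sandbox": "https://oauth-sandbox.staging.qonto.co/oauth2/token",
}
STAGING_HEADER = "X-Qonto-Staging-Token"


def build_token_request(env, code, client_id, client_secret, redirect_uri,
                        staging_token=None):
    """Return url/headers/data for the code exchange in one environment."""
    if env not in TOKEN_URLS:
        raise ValueError(f"unknown environment: {env!r}")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if env == "sandbox":
        # Fail before sending anything rather than debugging a redirect later.
        if not staging_token:
            raise ValueError(f"sandbox requests must carry {STAGING_HEADER}")
        headers[STAGING_HEADER] = staging_token
    # Assumption of this example: the staging token is a sandbox-only secret,
    # so it is never attached to production requests.
    data = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    }
    return {"url": TOKEN_URLS[env], "headers": headers, "data": data}


def parse_token_response(status, headers, body):
    """Parse a token response that was fetched with redirects disabled."""
    if 300 <= status < 400:
        raise RuntimeError(
            f"redirected to {headers.get('Location')!r}: "
            f"check the {STAGING_HEADER} header")
    if "application/json" not in headers.get("Content-Type", ""):
        raise RuntimeError(f"expected JSON, got HTTP {status}")
    return json.loads(body)


# With the requests library the two helpers fit together like this:
#   req = build_token_request("sandbox", code, cid, secret, cb, staging_token=t)
#   r = requests.post(**req, allow_redirects=False, timeout=10)
#   tokens = parse_token_response(r.status_code, r.headers, r.text)
```

Disabling automatic redirects matters here: an HTTP client that follows the 302 ends up parsing the Developer Portal's page, which hides the real cause.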
SMS verification code
When logging in to Qonto with Sandbox credentials, the SMS verification code is always 123456.
Prerequisites
Before initiating the sandbox OAuth flow, make sure you are logged in to the Sandbox web-app through your Developer Portal account.