> ## Documentation Index
> Fetch the complete documentation index at: https://docs.qonto.com/llms.txt
> Use this file to discover all available pages before exploring further.
# Testing in the Sandbox
> Important differences when using the OAuth flow in the Qonto sandbox environment.
## Sandbox vs production credentials
The sandbox OAuth endpoints and credentials are **different from production**. Using production credentials against sandbox endpoints (or vice versa) will fail.
You can use the **environment toggle** in the top-right corner of the Developer Portal to switch between sandbox and production credentials.
## Sandbox OAuth endpoints
| Step | Production | Sandbox |
| ------------- | -------------------------------------- | ----------------------------------------------------- |
| Authorization | `https://oauth.qonto.com/oauth2/auth` | `https://oauth-sandbox.staging.qonto.co/oauth2/auth` |
| Token | `https://oauth.qonto.com/oauth2/token` | `https://oauth-sandbox.staging.qonto.co/oauth2/token` |
| API base | `https://thirdparty.qonto.com` | `https://thirdparty-sandbox.staging.qonto.co` |
## Required header on all sandbox requests
All requests to sandbox endpoints — **including the OAuth token endpoint** — must include the `X-Qonto-Staging-Token` header.
Without it, the server may return a `302` redirect to the developer portal instead of a JSON response, which is a common and confusing failure.
This header is the programmatic-call bypass for our Sandbox OneLogin gate. For the full picture — including how to open Sandbox URLs in a browser — see [Accessing the Sandbox environment](/get-started/general/sandbox-access).
```bash {3} theme={null}
curl -X POST https://oauth-sandbox.staging.qonto.co/oauth2/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'X-Qonto-Staging-Token: YOUR_STAGING_TOKEN' \
-d 'grant_type=authorization_code' \
-d 'code=YOUR_CODE' \
-d 'client_id=YOUR_SANDBOX_CLIENT_ID' \
-d 'client_secret=YOUR_SANDBOX_CLIENT_SECRET' \
-d 'redirect_uri=https://your-app.com/callback'
```
```python {5} theme={null}
import requests
response = requests.post(
"https://oauth-sandbox.staging.qonto.co/oauth2/token",
headers={"X-Qonto-Staging-Token": "YOUR_STAGING_TOKEN"},
data={
"grant_type": "authorization_code",
"code": "YOUR_CODE",
"client_id": "YOUR_SANDBOX_CLIENT_ID",
"client_secret": "YOUR_SANDBOX_CLIENT_SECRET",
"redirect_uri": "https://your-app.com/callback",
},
)
tokens = response.json()
```
```javascript {5} theme={null}
const response = await fetch('https://oauth-sandbox.staging.qonto.co/oauth2/token', {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
'X-Qonto-Staging-Token': 'YOUR_STAGING_TOKEN',
},
body: new URLSearchParams({
grant_type: 'authorization_code',
code: 'YOUR_CODE',
client_id: 'YOUR_SANDBOX_CLIENT_ID',
client_secret: 'YOUR_SANDBOX_CLIENT_SECRET',
redirect_uri: 'https://your-app.com/callback',
}),
});
const tokens = await response.json();
```
Your staging token is available in your [Developer Portal](https://developers.qonto.com/) account.
## SMS verification code
When logging in to Qonto with Sandbox credentials, the SMS verification code is always **`123456`**.
## Prerequisites
Before initiating the sandbox OAuth flow, make sure you are logged in to the [Sandbox web-app](/get-started/general/developer-guidelines#set-up-the-sandbox-environment) through your Developer Portal account.