sk_test_...) use fixture data instead of querying live data sources, so you can build and validate your integration without consuming credits, touching real customer data, or producing compliance artifacts. Webhook events fire exactly as they do in production, making end-to-end integration testing straightforward.
Getting a sandbox key
Follow the same steps as creating a live key (see Authentication), but select Sandbox for the environment in step 4. Your sandbox key will begin withsk_test_. Use this key in all development and staging environments — never use a sk_live_ key outside production.
Your
template_id must be a real template that exists in your tenant’s dashboard. Create a template in the kycert dashboard before running sandbox tests. The same template IDs work in both production and sandbox.Test CPFs
Each test CPF produces a deterministic result every time. Use them to exercise each decision branch in your integration.| CPF | Decision | Risk Band | Scenario |
|---|---|---|---|
000.000.001-91 | APPROVED | LOW | Clean profile — no flags across any source |
000.000.002-81 | BLOCKED | CRITICAL | Cancelled CPF — blocked at critical stage |
000.000.003-72 | BLOCKED | CRITICAL | Active arrest warrant |
000.000.004-53 | PENDING_REVIEW | HIGH | Active PEP (politically exposed person) |
000.000.005-44 | BLOCKED | CRITICAL | OFAC sanctions list |
000.000.006-34 | PENDING_REVIEW | HIGH | Financial protests on record |
000.000.007-25 | PENDING_REVIEW | HIGH | Administrative improbity finding |
000.000.008-06 | PARTIAL | MEDIUM | Three data sources timed out — partial result |
000.000.009-87 | BLOCKED | CRITICAL | All negative flags active simultaneously |
Test CNPJs
Use these to test PJ (legal entity) bureau runs in your integration.| CNPJ | Decision | Risk Band | Scenario |
|---|---|---|---|
00.000.000/0001-91 | APPROVED | LOW | Clean company — no flags |
00.000.000/0002-76 | BLOCKED | CRITICAL | OFAC financial crime sanction |
00.000.000/0003-57 | PENDING_REVIEW | HIGH | PEP exposure via company shareholders |
00.000.000/0004-81 | BLOCKED | CRITICAL | CVM (securities regulator) enforcement action |
How sandbox differs from production
The sandbox API behaves identically to production with these specific differences:- Fixture data, not real bureau queries — responses are pre-programmed for each test document. No external data sources are contacted.
- No credits consumed — sandbox runs are free and do not deduct from your bureau credit balance.
- Deterministic results — the same test document always produces the same
decision,risk_band, and check results. Your test suite can rely on this. - Webhook events fire normally —
run.completedandrun.failedevents are delivered to your webhook endpoint just as in production. Thelivemodefield in the payload isfalsefor sandbox events. - Same error behavior — validation errors, rate limits, and authentication failures behave the same as in production.
Suggested test scenarios
Cover these scenarios before deploying to production:- Happy path — use
000.000.001-91(CPF) or00.000.000/0001-91(CNPJ) to verify your system correctly handles anAPPROVEDdecision and proceeds with onboarding. - Hard block — use
000.000.005-44to verify your system blocks the customer and does not allow the operation to proceed. - Manual review queue — use
000.000.004-53to verify your system correctly holds the customer pending a compliance decision. - Partial result — use
000.000.008-06to verify your system handles aPARTIALdecision without crashing, and routes the case to your compliance team. - Retry on
run.failed— simulate a failed run by triggering an error condition and verify your retry logic is working. - Webhook signature verification — confirm your HMAC-SHA256 verification rejects a request with a tampered payload. See Webhooks for verification code.
Use sandbox keys throughout development and integration testing. Switch to live keys only when deploying to production. If you accidentally trigger a production run during testing, contact support — do not attempt to reverse the bureau result manually.