🧪 Sandbox Environment

A fully isolated environment mirroring production APIs. Test authentication, invoice submission, webhook delivery, error handling, and retry logic — all without affecting real data or Peppol network traffic.

Identical API Contract · Safe Test Data · Failure Simulation · No Rate Limits · Instant Webhooks
🌐 Base URL

All sandbox API calls use the same base URL with the /api/v1/ prefix. Peppol transport is simulated; no real network messages are sent.

🔑 Authentication

Log in via POST /api/v1/client/auth/login with the test credentials below. The bearer token is returned in data.token.

🔄 Data Lifecycle

Sandbox data resets every 24 hours. Design your tests to be idempotent. Seed data is re-loaded on each reset cycle.

📡 Simulated Peppol

Messages are processed via SimulatedPeppolTransport — instant success or configurable failure, no real AS4 exchange.

🔐 Test Credentials

Use these pre-provisioned accounts in the sandbox. Each account has different roles and data sets.

Client API Account

Email: sandbox-client@solabill.test
Password: sandbox-pass-2026!
Login Endpoint: POST https://www.solabill.com/api/v1/client/auth/login
Account Status: Active

Suspended Account (for error testing)

Email: suspended-client@solabill.test
Password: sandbox-pass-2026!
Account Status: Suspended
Expected: Returns 403 with error code account_suspended

💡 These credentials are for sandbox only. Production accounts are provisioned through the admin portal after completing the onboarding process.

⚡ Quick Start

Get up and running in three steps:

Step 1 — Authenticate

curl -X POST https://www.solabill.com/api/v1/client/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "sandbox-client@solabill.test",
    "password": "sandbox-pass-2026!"
  }'

# Response:
# {
#   "data": {
#     "token": "1|abc123...",
#     "user": { "name": "Sandbox Client", "email": "sandbox-client@solabill.test" },
#     "account": { "company_name": "Sandbox Corp", "status": "active" }
#   }
# }

Step 2 — Create an Invoice

curl -X POST https://www.solabill.com/api/v1/client/invoices \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "invoice_number": "INV-SANDBOX-001",
    "recipient_id": "0192:sandbox-buyer",
    "amount": 5250.00,
    "currency": "AED",
    "issue_date": "2026-02-12",
    "due_date": "2026-03-12"
  }'

# Response includes invoice ID and dispatched Peppol message

Step 3 — Check Message Status

curl https://www.solabill.com/api/v1/client/messages \
  -H "Authorization: Bearer YOUR_TOKEN"

# Returns paginated list of Peppol messages with delivery status

🧪 Test Scenarios

Cover these scenarios before going to production:

Scenario | How to Test | Expected Result | Status Code
Successful login | POST valid credentials | Token in data.token | 200
Invalid credentials | POST wrong password | Error with invalid_credentials | 401
Suspended account | Login with suspended account | Error with account_suspended | 403
Expired / revoked token | Use an old or revoked bearer token | Error with unauthenticated | 401
Validation errors | Submit invoice missing required fields | Field-level error details | 422
Create invoice | POST valid invoice payload | Invoice + PeppolMessage created | 201
Create credit note | POST valid credit note payload | Credit note + PeppolMessage created | 201
Register participant | POST participant identifier | Participant registered to tenant | 201
Delete participant | DELETE participant by ID | Participant removed | 200
Change password | POST current + new password | Password updated confirmation | 200
Paginated listing | GET invoices with ?page=2&per_page=5 | Response with pagination object | 200
Rate limiting | Exceed request limit on login | Retry-After header set | 429
Webhook delivery | Create invoice with webhook subscription active | Webhook POST received at your URL | N/A
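
A client that passes these scenarios has to treat the two 401 cases differently and honour Retry-After on 429. The following is an added example, not Solabill's code: the action names, the 300-second cap and the 60-second fallback are assumptions, and the caller is assumed to have already extracted the error code from the JSON body, since the page does not show the error envelope.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_WAIT = 300  # seconds; assumed cap so a bad header cannot stall the client


def retry_after_seconds(value, now=None):
    """Parse Retry-After, which RFC 9110 allows as delta-seconds or an HTTP-date."""
    if value is None:
        return None
    value = value.strip()
    if value.isascii() and value.isdigit():
        return min(int(value), MAX_WAIT)
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None  # unparseable header: let the caller pick a fallback
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return max(0, min(int((when - now).total_seconds()), MAX_WAIT))


def next_action(status, error_code=None, retry_after=None, relogged=False):
    """Map a response from the scenario table to (action, wait_seconds)."""
    if status in (200, 201):
        return ("ok", 0)
    if status == 401 and error_code == "unauthenticated" and not relogged:
        return ("relogin", 0)        # expired or revoked token: log in once
    if status == 401:
        return ("abort", 0)          # invalid_credentials: a retry cannot help
    if status == 403 and error_code == "account_suspended":
        return ("abort", 0)
    if status == 422:
        return ("fix_payload", 0)    # field-level errors need a changed request
    if status == 429:
        wait = retry_after_seconds(retry_after)
        return ("wait", 60 if wait is None else wait)  # 60 s fallback is assumed
    return ("abort", 0)              # anything outside the table: stop


if __name__ == "__main__":
    print(next_action(429, retry_after="12"))
```

The `relogged` flag keeps a revoked token from turning into a login loop, which would itself trip the login rate limit.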

⚖️ Sandbox vs Production

Feature | Sandbox | Production
Peppol Transport | SimulatedPeppolTransport — instant, no network | HttpPeppolTransport — real AS4 over TLS 1.2+
Certificate Validation | Skipped — test certificates accepted | Full Peppol PKI chain validation
SMP Lookups | Mocked responses | Real SML → SMP DNS-based discovery
Rate Limits | Relaxed (higher thresholds) | Enforced per tier: api-default, api-submission, api-auth
Webhook Delivery | Instant, no signature enforcement | HMAC SHA-256 signed, retry with exponential backoff
Data Persistence | Resets every 24 hours | Permanent with backup and DR policies
Tax Reporting | Submissions succeed but do not reach FTA | Live submission to Federal Tax Authority
API Response Format | Identical — same JSON envelope | Identical — same JSON envelope
⚠️ Important: Never use sandbox credentials in production. Production API tokens are issued through the client onboarding process and managed via the client portal's API Keys page.
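
Because sandbox webhooks arrive without signature enforcement, a receiver's verification path is easy to leave untested until production. The following is an added example, not Solabill's code: the header name, hex encoding and signing over the raw request body are assumptions, since the page states only that production webhooks are HMAC SHA-256 signed.

```python
import hashlib
import hmac

# Assumptions (not from the page): header name, hex encoding, and that the
# HMAC covers the raw request body. Check the production webhook docs.
SIGNATURE_HEADER = "X-Webhook-Signature"  # hypothetical name


def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over the exact bytes received, before JSON parsing."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret, raw_body, headers, allow_unsigned=False):
    """Return True only if the delivery may be processed.

    allow_unsigned belongs in sandbox configuration only. A signature that
    is present is always checked, so the check is exercised before go-live.
    """
    # HTTP header names are case-insensitive.
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get(SIGNATURE_HEADER.lower())
    if received is None:
        return allow_unsigned  # production default: reject unsigned deliveries
    expected = sign(secret, raw_body)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(expected.encode(), received.strip().encode())


# Constructed sample delivery; the event name and secret are made up.
SECRET = b"constructed-test-secret"
BODY = b'{"event":"invoice.delivered","invoice_number":"INV-SANDBOX-001"}'


def demo():
    """Run the four cases a receiver should be tested against."""
    signed = {SIGNATURE_HEADER: sign(SECRET, BODY)}
    return {
        "valid": verify_webhook(SECRET, BODY, signed),
        "tampered": verify_webhook(SECRET, BODY.replace(b"001", b"002"), signed),
        "unsigned_production": verify_webhook(SECRET, BODY, {}),
        "unsigned_sandbox": verify_webhook(SECRET, BODY, {}, allow_unsigned=True),
    }


if __name__ == "__main__":
    print(demo())
```

Signing test deliveries locally with `sign` lets the rejection paths run in the sandbox even though the sandbox itself does not enforce signatures.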

📦 Sample Data

The sandbox comes pre-loaded with the following test data after each reset:

🧾 25 Invoices

Mix of statuses: draft, sent, delivered, and failed. Various amounts in AED, USD, and EUR.

📄 10 Credit Notes

Linked to existing invoices. Partial and full credit scenarios.

👥 8 Participants

Pre-registered Peppol identifiers with various scheme IDs (0192, 0195, 0151).

📬 15 Peppol Messages

Outbound and inbound messages in different lifecycle states: queued, delivered, failed.

📥 5 Inbox Documents

Simulated inbound Peppol documents received from the network.

🔔 2 Webhook Subscriptions

Pre-configured webhook URLs with delivery history logs.

🔬 Interactive API Explorer

Try API calls directly from this page. Authorize with the test credentials above, then expand any endpoint to send requests.

🔑 How to authenticate in the explorer:

  1. First, use the POST /client/auth/login endpoint below to get a token
  2. Click the green Authorize 🔒 button at the top of the explorer
  3. Enter: Bearer YOUR_TOKEN (include the word Bearer)
  4. Click Authorize then Close
  5. All subsequent requests will include your token automatically

✅ Pre-Production Checklist

Before switching from sandbox to production, verify all of the following:

🚀 Once all checklist items are verified, contact your account manager or email support@solabill.ae to request production API credentials.