Environments
Audience: anyone integrating Mooov. One page answering "which hostname, which key, and where do I test?". What to actually do in the sandbox (test cards, simulated webhooks, the go-live checklist) lives on the sandbox page.
Mooov runs two environments. The Sandbox is a full deployment of the gateway wired to PSP test mode: same API surface, same HMAC auth, same webhook envelopes, no real money. Production moves real money and has no test mode.
1. Hostnames
| Surface | Sandbox | Production |
|---|---|---|
| API gateway | https://sandbox.api.mooov.money |
https://api.mooov.money |
| Connect authorize | https://sandbox.connect.mooov.money/authorize |
https://connect.mooov.money/authorize |
| Merchant portal (Mooov3) | https://sandbox.mooov3.mooov.money |
https://mooov3.mooov.money |
| Merchant portal (Mooov6, high-risk route) | https://sandbox.mooov6.mooov.money |
https://mooov6.mooov.money |
| Docs | https://docs.mooov.money (no sandbox variant) |
same |
| MCP server | https://mcp.mooov.money/mcp (no sandbox variant) |
same |
Docs and the public MCP server serve no account data, so they have a single hostname shared by both audiences.
Integrated before the sandbox hostnames existed? The legacy
staging.*.mooov.moneyhostnames continue to work as permanent aliases for the same sandbox environment — no migration required. New integrations should usesandbox.*.
2. Credentials
| Credential | Sandbox | Production |
|---|---|---|
| Merchant API key | mk_test_* |
mk_live_* |
| Platform (Connect) key | mk_platform_* (Mooov-Test-Mode key) |
mk_platform_* (live key) |
| Webhook signing secret | whsec_* (sandbox destination's) |
whsec_* (production destination's) |
The environment is baked into the credential at minting time.
Merchant key prefixes make the environment greppable — a mk_test_
key leaked into a production config is spotted at a glance. A key
only works against its own environment's hostname: pair mk_test_*
keys with sandbox.api.mooov.money and mk_live_* keys with
api.mooov.money. Platform keys share the mk_platform_ prefix in
both environments but are different secrets minted in separate
ceremonies.
3. Separation rule
Sandbox and production are fully separate: separate deployments,
separate databases, separate keys, separate merchants, separate
Connect grants, separate webhook destinations and signing secrets.
Nothing you create in the sandbox exists in production, and no
credential works across the boundary. A sandbox key against
api.mooov.money (or vice versa) fails authentication; it cannot
accidentally move real money.
For platforms this means the consent flow has to be run per environment: a tenant who connected on the sandbox is not connected on production.
4. There is no sandbox mode on production
Production has no test flag, no magic test cards, and no dry-run header. The verification path is:
- Certify end to end against the sandbox, including webhooks and failure paths, using the go-live checklist.
- Switch to production credentials and base URLs.
- Make one low-value live transaction (and refund it) as the final smoke test.
If you find yourself wanting to "test something quickly" on production, the answer is the sandbox. It is the same code.
5. Switching
Going from sandbox to production changes exactly three things: the base URL(s), the key pair in your secret manager, and the webhook signing secret. The API surface, signing scheme, and event shapes are identical. Quickstarts: merchants, platforms.