Access and Credentials
Your Technical Account Manager provides sandbox credentials — a client_id and client_secret — during kickoff. API and SFTP credentials are separate, and both are separate from your production credentials.| Sandbox | Production | |
|---|---|---|
| API base | https://api.sandbox.lead.bank | https://api.lead.bank |
| SFTP host | sftp.sandbox.lead.bank | sftp.lead.bank |
| Port | 22 | 22 |
| Credentials | Provided at kickoff | Issued after go-live approval |
| Real money | No | Yes |
No Credentials?If you do not have credentials, contact your Technical Account Manager.
Set Up Your Integration
Lead supports three integration paths. Your sandbox setup covers whichever paths apply to your program — most partners use a hybrid approach of API and file.API Only
If your program uses APIs exclusively, sandbox setup requires:- Lead issues your
client_idandclient_secretfor the sandbox API. - You register your webhook endpoint URL with your Technical Account Manager.
- You configure your IP allowlist with your Technical Account Manager.
File Only (SFTP)
If your program uses SFTP file delivery exclusively, sandbox setup requires:- Generate an SSH keypair:
ssh-keygen -t ed25519 -C "lead-integration" -f lead_sftp_key - Send your public key to your Implementation Manager as plain text.
- Verify Lead’s sandbox host fingerprint:
ssh-keyscan sftp.sandbox.lead.bank 2>&1 | ssh-keygen -lf -- Expected:
2048 SHA256:rCdk4LeHvxn5G3j7VDJvqH6oEMh844E7sHxoaxih2dE sftp.sandbox.lead.bank (RSA)
- Expected:
- Add Lead’s key to your known hosts:
ssh-keyscan sftp.sandbox.lead.bank >> ~/.ssh/known_hosts - Connect:
sftp -v -i ~/.ssh/your_key username@sftp.sandbox.lead.bank
- Read/Write: Folders where you are the submitter (customer, accounts, balances, transactions, etc.)
- Read Only: Folders where Lead is the submitter (bank-account-reports, ach/incoming, etc.)
Hybrid (Most Common)
Most programs use APIs for real-time money movement and entity onboarding, and SFTP files for daily reporting and reconciliation. Complete both the API and file setup steps above.What is Simulated
All payment rails are available in sandbox, but no transactions submit to real networks. ACH entries do not go to the Fed, wires do not move through Fedwire or Swift, and FedNow payments do not reach real receiving institutions. SFTP files are validated against your schema but do not trigger real reconciliation or settlement. Because sandbox transactions do not follow real network timing, Lead provides simulation endpoints that let you advance a transfer through its lifecycle states manually. These endpoints exist only in sandbox — they return 404 in production.| Action | Endpoint |
|---|---|
| Advance an ACH through states | POST /v1/simulations/advance_ach |
| Trigger an inbound ACH | POST /v1/simulations/incoming_ach |
| Advance a wire through states | POST /v1/simulations/advance_wire |
| Trigger an inbound wire | POST /v1/simulations/incoming_wire |
| Trigger and inbound instant payment | POST /v1/simulations/incoming_instant_payment |
Key Differences From Production
Transactions do not auto-advance.
Transactions do not auto-advance.
In production, an ACH moves from created → submitted → posted on real network timing. In sandbox, status stays at created until you call advance_ach. This applies to all rails. Use the simulation endpoints to move transfers through their states and test your webhook handlers and status-polling logic.
International wires reach accepted but do not settle automatically.
International wires reach accepted but do not settle automatically.
Payments move to accepted status but do not advance further without manual simulation. Use
POST /v1/simulations/advance_wire to move them through the remaining states.KYC and OFAC are not enforced.
KYC and OFAC are not enforced.
Sandbox accepts placeholder screening results — you can pass “result”: “approved” and “result”: “clear” without running a real identity check. In production, your screening results must reflect actual verification.
Rate limits are looser.
Rate limits are looser.
Sandbox has higher per-minute request limits than production to support active integration work. Production limits are set per program and defined in your contract.
Simulation endpoints return 404 in production.
Simulation endpoints return 404 in production.
Any path under /simulations is sandbox-only. Do not call these endpoints in production.
SFTP file validation runs but does not trigger reconciliation.
SFTP file validation runs but does not trigger reconciliation.
Files you submit in sandbox are validated against your schema and will surface errors the same way production does — but they do not feed real reconciliation or accounting processes.
Data Persistence and Resets
Entities, accounts, and account numbers you create persist until you request a reset. If you need to reset your sandbox environment — for example, before a new test phase or to clear conflicting test data — contact your Technical Account Manager.What to Test Before Go-Live
Before go-live, complete testing for each of the following:- Create entities, including KYC and OFAC fields
- Create accounts and account numbers
- Send and receive payments for each contracted rail
- Trigger and handle returns and reversals
- Receive and process webhook events
- Submit SFTP files and confirm schema validation passes
- Handle common error responses (401, 403, 409, 422)