Environments & Testing
Sandbox environment
The sandbox is an isolated environment pre-populated with demo locations, menus, and catalog data. It’s where you develop and test before touching live accounts.
Base URL: https://gotab.io (same host — sandbox is account-scoped, not a separate domain)
To get sandbox access, email api.support@gotab.io with a brief description of your integration. GoTab will create your sandbox account and send an SMS verification to your registered mobile number.
Once verified, log in to the Integration Dashboard to retrieve your sandbox api_access_id and api_access_secret.
Production environment
Base URL: https://gotab.io (same as sandbox — credentials determine which account is accessed)
Production credentials are provisioned separately after your integration is reviewed. Work with your GoTab API support contact to upgrade from sandbox to production access.
Production credentials are scoped to the specific GoTab accounts that authorize your application via OAuth.
Sandbox vs production differences
| Feature | Sandbox | Production |
|---|---|---|
| Data | Pre-populated demo data | Live account data |
| Payments | Test mode — no real charges | Live charges |
| Rate limits | Same as production | Same as sandbox |
| Webhooks | Fully functional | Fully functional |
| OAuth flows | Fully functional | Fully functional |
| Location count | One demo location | All authorized locations |
Testing best practices
Use the demo location data — Sandbox accounts come with demo locations, zones, menus, and catalog items. Don’t delete this data; use it as a stable baseline.
Test all OAuth paths — Run through both the client credentials grant and authorization code flows in the sandbox before going live. The OAuth portal works identically in both environments.
Test your webhook handler locally — Use a tunneling tool like ngrok or cloudflared to expose a local server and configure it as your webhook endpoint in the Integration Dashboard. Verify the X-GoTab-Signature header against your secret before trusting any payload.
Verify your retry logic — Intentionally send malformed requests and expired tokens to confirm your error handling works. See Error Handling for retryable vs non-retryable patterns.
Test pagination edge cases — Query with small limit values (e.g. first: 2) to force multi-page results and verify your pagination loop terminates correctly.
Going live checklist
Before switching to production credentials:
- All API calls use environment variables for api_access_id and api_access_secret — no hardcoded secrets
- Token refresh is implemented and tested (tokens expire after 24 hours)
- 401 responses trigger a token refresh and retry, not a crash
- 429 responses are handled with Retry-After backoff
- Webhook signature verification is enabled and tested
- Your redirect URL is registered in the Integration Dashboard
- Integration has been reviewed with your GoTab API support contact
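The credential, 401 and 429 items in the checklist above, sketched as an added example (not GoTab's own code). The environment variable names, the send and fetch_token callables, the retry budget and the backoff cap are all assumptions; the transport is injected so the logic can be exercised offline with constructed responses.

```python
import os
import time
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_ATTEMPTS = 4          # assumed retry budget, not a GoTab-documented value
MAX_BACKOFF_SECONDS = 30  # assumed cap so a hostile or broken header cannot stall us


def load_credentials(env=os.environ):
    """Read credentials from the environment (variable names are assumptions)."""
    try:
        return env["GOTAB_API_ACCESS_ID"], env["GOTAB_API_ACCESS_SECRET"]
    except KeyError as missing:
        raise RuntimeError(f"missing credential variable {missing}") from None


def parse_retry_after(headers, now=None):
    """Return the wait in seconds from Retry-After (delay-seconds or HTTP-date)."""
    raw = {k.lower(): v for k, v in headers.items()}.get("retry-after", "")
    try:
        seconds = int(raw)
    except ValueError:
        try:
            now = now or datetime.now(timezone.utc)
            seconds = (parsedate_to_datetime(raw) - now).total_seconds()
        except (TypeError, ValueError):
            seconds = 1.0  # header missing or unparseable: short default wait
    return min(max(seconds, 0.0), MAX_BACKOFF_SECONDS)


def call_with_retry(send, fetch_token, sleep=time.sleep):
    """send(token) -> (status, headers, body); fetch_token() -> fresh Bearer token."""
    token = fetch_token()
    refreshed = False
    for _ in range(MAX_ATTEMPTS):
        status, headers, body = send(token)
        if status == 401 and not refreshed:
            token, refreshed = fetch_token(), True  # refresh once, then retry
            continue
        if status == 429:
            sleep(parse_retry_after(headers))
            continue
        return status, body  # success, or an error the caller must not retry
    raise RuntimeError("retry budget exhausted")
```

A second 401 after the refresh is returned to the caller instead of being retried, so revoked credentials surface as an error and never loop.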
See also
- Create API Credentials — Sandbox setup and credential retrieval
- Authentication — Exchanging credentials for a Bearer token
- Error Handling — How to handle API errors gracefully
- Webhooks — Configuring and verifying webhook delivery