TryMellon

Sandbox Mode

Test the SDK locally without credentials, API calls, or WebAuthn prompts.

Sandbox mode lets you test the full register/authenticate flow without real API calls or WebAuthn prompts. The SDK returns a fixed session token immediately — no dashboard account required.

Enable sandbox

import { TryMellon, SANDBOX_SESSION_TOKEN } from '@trymellon/js';

const clientResult = TryMellon.create({
  appId: 'sandbox',
  publishableKey: 'sandbox',
  sandbox: true,
});

if (!clientResult.ok) throw clientResult.error;
const client = clientResult.value;

What changes in sandbox

| Behavior | Production | Sandbox |
| --- | --- | --- |
| register() | Calls API + WebAuthn ceremony | Returns instantly with SANDBOX_SESSION_TOKEN |
| authenticate() | Calls API + WebAuthn ceremony | Returns instantly with SANDBOX_SESSION_TOKEN |
| validateSession() | Calls API | Still calls the API: use a real token or mock this call |
| Events (on) | Fire normally | Fire normally (start, success) |
| Network requests | Required | None (except validateSession) |

Use case: local development

Sandbox mode is ideal for:

  • Building your login/register UI before creating a TryMellon account
  • Running automated tests (unit, integration) without WebAuthn browser prompts
  • Demoing your app in environments without HTTPS

Custom sandbox token

By default, the SDK returns the exported SANDBOX_SESSION_TOKEN constant. You can override it:

const clientResult = TryMellon.create({
  appId: 'sandbox',
  publishableKey: 'sandbox',
  sandbox: true,
  sandboxToken: 'my-custom-dev-token',
});

Backend contract

Your backend must recognize the sandbox token only in development. Never accept it in production.

import { SANDBOX_SESSION_TOKEN } from '@trymellon/js';

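// async is required because the production path awaits the API call
async function validateToken(token: string): Promise<boolean> {
  if (process.env.NODE_ENV === 'development' && token === SANDBOX_SESSION_TOKEN) {
    return true; // Skip API validation in dev
  }
  // In production: always validate against TryMellon API
  // (callTryMellonValidateSession is your backend's session-validation call, not defined here)
  return await callTryMellonValidateSession(token);
}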

See Backend validation — sandbox section for the full pattern.
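
The contract above, extended to cover a custom `sandboxToken` and to fail closed when `NODE_ENV` is unset or misspelled. This is an added example, not TryMellon's own code: the `DEV_SANDBOX_TOKEN` variable, the function names and the placeholder token value are assumptions, and `remote` stands in for the real session-validation call.

```typescript
// Added example, not TryMellon code; every name below is hypothetical.
// Placeholder value: the real constant is exported by '@trymellon/js'.
const SANDBOX_SESSION_TOKEN = 'PLACEHOLDER_SANDBOX_TOKEN';

type Env = Record<string, string | undefined>;
type RemoteValidator = (token: string) => Promise<boolean>;

// The shortcut is allowed only when NODE_ENV is exactly 'development'.
// Unset, misspelled, 'staging', 'test' and 'production' all fail closed.
function sandboxAllowed(env: Env): boolean {
  return env['NODE_ENV'] === 'development';
}

// Token the backend treats as the sandbox token: the custom one when the
// client was created with `sandboxToken`, otherwise the SDK default.
function expectedSandboxToken(env: Env): string {
  const custom = env['DEV_SANDBOX_TOKEN']; // hypothetical variable name
  return custom !== undefined && custom !== '' ? custom : SANDBOX_SESSION_TOKEN;
}

function isSandboxShortcut(token: string, env: Env): boolean {
  return sandboxAllowed(env) && token === expectedSandboxToken(env);
}

// Startup guard: refuse to boot when dev-only sandbox configuration leaks
// into a deployment that is not development.
function assertNoSandboxConfig(env: Env): void {
  if (!sandboxAllowed(env) && env['DEV_SANDBOX_TOKEN'] !== undefined) {
    throw new Error('DEV_SANDBOX_TOKEN is set outside development');
  }
}

// `remote` stands in for the real validateSession API call.
async function validateToken(
  token: string,
  env: Env,
  remote: RemoteValidator,
): Promise<boolean> {
  if (isSandboxShortcut(token, env)) return true; // dev only, no API call
  return remote(token); // everything else is validated against the API
}
```

In a real backend, pass `process.env` as `env` and call `assertNoSandboxConfig` once at startup.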

With framework hooks

Sandbox mode works transparently with all framework adapters:

// React — same hooks, same API, no WebAuthn prompts
const { execute: register, loading } = useRegister();
const result = await register({ externalUserId: 'test_user' });
// result.ok === true, result.value.sessionToken === SANDBOX_SESSION_TOKEN

<!-- Vue — same composables -->
<script setup>
const { execute: authenticate } = useAuthenticate();
const result = await authenticate({ externalUserId: 'test_user' });
// Works identically in sandbox
</script>