Sandbox PayPal — Wajib Sebelum Go-Live buat Developer Indonesia
Lo developer Indonesia. Mau integrate PayPal checkout ke web app client atau SaaS sendiri. Langsung production testing? Bad idea. Bikin charge real buat test = fee + audit trail berantakan.
Solution: PayPal Sandbox. Environment terpisah, dummy account, fake card, simulate event lengkap. Test sebanyak yang lo mau tanpa cost.
Panduan ini bahas cara setup + workflow sandbox PayPal buat developer Indonesia.
Singkatnya: Sandbox = environment test PayPal. Sandbox account + dummy card + webhook nganggur biar integrasi lo production-ready tanpa fee. Butuh bantu integrate PayPal? Chat ChatBot Cell.
1. Apa Itu PayPal Sandbox?
Konsep Dasar
- Sandbox = replika PayPal production
- Same API endpoints (tapi
api-m.sandbox.paypal.combukanapi-m.paypal.com) - Same SDK + integration pattern
- Different account universe (sandbox account nggak ketemu production account)
Apa yang Bisa Di-Test
- Checkout flow (PayPal + card + Apple Pay)
- Subscription / recurring
- Refund + partial refund
- Dispute + chargeback simulation
- Webhook event (semua jenis)
- IPN (legacy)
- Payouts / Mass Payment
- Invoicing
- Identity (login with PayPal)
Yang Nggak Bisa di Sandbox
- Real bank withdrawal (semua dummy)
- Real FX rate (simulated)
- Real fraud detection (looser rules)
- 3DS challenge (must manually trigger)
2. Setup Sandbox Account
Step 1: Daftar PayPal Developer Account
- Visit developer.paypal.com
- Login pakai PayPal personal lo (boleh Indonesia account)
- Akses Dashboard → My Apps & Credentials
- Tab Sandbox (default aktif)
Step 2: Buat Sandbox Business Account
- Menu Sandbox → Accounts → Create Account
- Type: Business (Pro) buat test merchant
- Country: Indonesia (atau US buat test generic)
- Email: dummy (
test-merchant@example.com— nggak harus real) - Password: sandbox-only (e.g.
Test1234!) - Bank: dummy (auto-filled)
- Funding source: dummy card auto-generated
Step 3: Buat Sandbox Personal Account
- Repeat step 2, type Personal
- Buat 2-3 personal account (different funding source)
- Ini buat simulate buyer dengan profile berbeda
Step 4: Generate API Credentials
- Menu My Apps & Credentials → Sandbox
- Click Create App
- App name:
test-store-dev - Type: Merchant
- Sandbox business account: pilih yang barusan dibuat
- Features: enable yang relevant (Payment, Subscription, Invoicing, dll)
- Save → dapat Client ID + Secret
⚠ Jangan share Secret ke public repo. Pakai .env.local + gitignore.
3. Environment Variables
Next.js / Node.js Setup
# .env.local (development)
PAYPAL_ENV=sandbox
PAYPAL_CLIENT_ID=ATmxZ...sandbox-client-id
PAYPAL_CLIENT_SECRET=EGj3...sandbox-secret
PAYPAL_WEBHOOK_ID=WH-XXXXXXX...
PAYPAL_API_BASE=https://api-m.sandbox.paypal.com
# .env.production
PAYPAL_ENV=live
PAYPAL_CLIENT_ID=AZxY...live-client-id
PAYPAL_CLIENT_SECRET=EGj3...live-secret
PAYPAL_WEBHOOK_ID=WH-YYYYYYY...
PAYPAL_API_BASE=https://api-m.paypal.com
Pattern Code
const isLive = process.env.PAYPAL_ENV === "live";
const apiBase = process.env.PAYPAL_API_BASE;
const clientId = process.env.PAYPAL_CLIENT_ID;
const clientSecret = process.env.PAYPAL_CLIENT_SECRET;
async function getAccessToken() {
const auth = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
const res = await fetch(`${apiBase}/v1/oauth2/token`, {
method: "POST",
headers: {
Authorization: `Basic ${auth}`,
"Content-Type": "application/x-www-form-urlencoded",
},
body: "grant_type=client_credentials",
});
const data = await res.json();
return data.access_token;
}
4. Test Card Numbers Sandbox
Visa Test Cards
| Card Number | Scenario |
|---|---|
4032035796248364 |
Visa valid, success |
4012000033330026 |
Visa, 3-D Secure required |
4000000000000002 |
Card declined (generic) |
4000000000000010 |
Insufficient funds |
4000000000000028 |
Lost card |
4000000000000036 |
Stolen card |
4000000000000044 |
Expired card |
4000000000000051 |
CVV mismatch |
Mastercard Test Cards
| Card Number | Scenario |
|---|---|
5425233430109903 |
Master valid, success |
5200000000000007 |
Generic decline |
Amex Test Cards
| Card Number | Scenario |
|---|---|
378282246310005 |
Amex success |
CVV + Expiration
- CVV:
123(Visa/MC) atau1234(Amex) - Expiration: any future date (e.g.
12/30) - Name: any
- Address + zip: any (skip AVS)
5. Test Workflow: Checkout
Manual Testing (Browser)
- Open sandbox checkout URL (your dev site)
- Login sandbox buyer account (atau pake test card)
- Complete purchase
- Verify:
- Money deducted from buyer sandbox
- Money added to merchant sandbox (minus fee)
- Webhook received
- Order status updated
Automated Testing (Cypress / Playwright)
// cypress/e2e/paypal-checkout.cy.ts
describe("PayPal Checkout", () => {
it("completes PayPal payment", () => {
cy.visit("/checkout");
cy.get("[data-cy=paypal-button]").click();
// Switch to PayPal popup window
cy.origin("https://www.sandbox.paypal.com", () => {
cy.get("#email").type("test-buyer@example.com");
cy.get("#password").type("Test1234!");
cy.get("#btnLogin").click();
cy.get("#confirmButtonTop", { timeout: 15000 }).click();
});
// Verify success page
cy.url().should("include", "/order/success");
cy.contains("Terima kasih").should("be.visible");
});
});
6. Webhook Testing
Promo seru yang cocok buat kamu
Penawaran pilihan dari mitra kami — klik buat lihat detail.
Mengandung link afiliasi. Baca disclaimer.
Step 1: Expose Local ke Internet
Pakai ngrok atau cloudflared:
ngrok http 3000
# dapat URL seperti https://abc123.ngrok.io
Step 2: Setup Webhook di Sandbox Dashboard
- App → Sandbox Webhooks → Add Webhook
- URL:
https://abc123.ngrok.io/api/paypal/webhook - Events: select yang dibutuhkan (Payment capture, Subscription, Dispute, dll)
Step 3: Test Send
Dashboard ada "Send Test Event" — pilih event type, kirim. Verify lo receive di endpoint.
Step 4: Verify Signature (Production Code)
import paypal from "@paypal/checkout-server-sdk";
async function verifyWebhook(headers, body) {
const request = new paypal.notifications.WebhookVerifySignatureRequest();
request.requestBody({
auth_algo: headers["paypal-auth-algo"],
cert_url: headers["paypal-cert-url"],
transmission_id: headers["paypal-transmission-id"],
transmission_sig: headers["paypal-transmission-sig"],
transmission_time: headers["paypal-transmission-time"],
webhook_id: process.env.PAYPAL_WEBHOOK_ID,
webhook_event: body,
});
const response = await client.execute(request);
return response.result.verification_status === "SUCCESS";
}
⚠ Critical: Always verify signature. Kalau nggak, attacker bisa trigger webhook fake.
7. Simulate Dispute + Chargeback
Sandbox Dispute Tool
- Dashboard → Sandbox → Test Disputes (atau via REST API)
- Pilih transaction sandbox
- Choose dispute type:
- MERCHANDISE_NOT_RECEIVED (INR)
- SIGNIFICANTLY_NOT_AS_DESCRIBED (SNAD)
- UNAUTHORIZED (claim dari buyer)
- Submit → simulate event
- Webhook
CUSTOMER.DISPUTE.CREATEDfires
Test Response Flow
- Receive webhook dispute
- Update order status internal
- Seller respond via API atau manual
- Submit evidence (tracking, communication)
- Resolve → webhook
CUSTOMER.DISPUTE.RESOLVED
8. Go-Live Checklist
Pre-Launch
- Switch
PAYPAL_ENVdarisandbox→live - Update API credentials (live client ID + secret)
- Update webhook URL (production domain)
- Update webhook ID (live)
- Test order $0.01 real money
- Verify webhook live (real signature)
- Verify refund flow
- Verify dispute response flow
Code Quality
- All hardcoded test card removed
- All
console.logsensitive data removed - Webhook signature verification ON
- Error handling informative (tapi nggak leak secret)
- Logging webhook event buat audit
- Idempotency key di prevent double-charge
Compliance
- HTTPS wajib (HTTP redirect)
- PCI DSS SAQ-A (PayPal Smart Button = scope minimal)
- Privacy policy mention PayPal
- Terms mention refund policy
- Cookie consent (GDPR-style) untuk EU buyer
9. Studi Kasus — Indonesia SaaS Developer
Profil: Bagus, fullstack dev Indonesia. Build SaaS billing $19/month subscription. Tech: Next.js 14 + PostgreSQL + PayPal Subscription.
Workflow Sandbox
- Day 1-2: Setup sandbox account + API credentials + Next.js env
- Day 3-4: Implement checkout flow (Smart Button + server create order)
- Day 5-6: Webhook listener (subscription activated, payment failed, dll)
- Day 7: Subscription + dunning test (simulate failed payment)
- Day 8: Refund + cancellation flow
- Day 9: Dispute simulation + response automation
- Day 10: E2E test (Cypress) — full user journey
Bug Found di Sandbox
- Webhook kadang delay 5-10 detik → fixed dengan idempotent handler
- Smart Button styling broken di Safari mobile → fixed dengan explicit
styleconfig - Subscription trial period nggak honored → fix API parameter
trial_period
Go-Live Outcome
- Real customer test: $19 first subscription successful
- Webhook live fire in <2 seconds
- 0 production issue first week
- Conversion rate: 4.2% visit → paid
Lesson: Sandbox testing ekstensif = go-live smooth tanpa production fire drill.
10. Tools Stack Developer PayPal
SDK + Library
- @paypal/paypal-js: client SDK loader (modern)
- @paypal/checkout-server-sdk: server SDK (legacy, masih ok)
- @paypal/react-paypal-js: React wrapper modern
- paypal-rest-sdk: legacy Node, deprecated
API Client
- Postman: PayPal API collection (official)
- Insomnia: alternative
- VS Code REST Client: lightweight
Testing
- ngrok: tunnel webhook local → internet
- Cypress: E2E test
- Playwright: alternative E2E
- Vitest / Jest: unit test webhook handler
Monitoring
- Sentry: error tracking
- LogRocket: session replay
- Datadog: APM + log
11. Common Mistake Developer Sandbox
Mistake 1: Hardcode Sandbox Credential
Mistake: commit .env dengan sandbox credential ke GitHub.
Fix: .gitignore + .env.example placeholder.
Mistake 2: Nggak Verify Webhook Signature
Mistake: trust webhook masuk, proses refund otomatis. Fix: always verify signature. Attacker bisa forge webhook.
Mistake 3: Test dengan Real Card di Production
Mistake: test pakai real card di live env. Fix: always sandbox first. Production test cuma $0.01 once.
Mistake 4: Webhook URL HTTP
Mistake: webhook URL http://localhost:3000 (PayPal reject).
Fix: HTTPS wajib. Pakai ngrok untuk local dev.
Mistake 5: Nggak Handle Webhook Delay
Mistake: assume webhook real-time. Fix: idempotent handler + reconcile via API polling fallback.
Mistake 6: Skip Dispute Simulation
Mistake: nggak pernah test dispute di sandbox. Fix: simulate dispute minimal 1x sebelum go-live.
Mistake 7: Skip Edge Case
Mistake: cuma test happy path. Fix: test card decline, 3DS challenge, refund, partial refund, currency conversion.
12. Tips Pro Developer PayPal Indonesia
1. Pakai @paypal/react-paypal-js
- Modern React wrapper
- TypeScript first
- Auto-loading SDK
- Less boilerplate
2. Implement Idempotency
const orderId = crypto.randomUUID();
const response = await fetch("/api/paypal/create-order", {
method: "POST",
headers: { "Idempotency-Key": orderId },
body: JSON.stringify({ cart }),
});
PayPal support PayPal-Request-Id header buat prevent double-charge.
3. Log Webhook Raw Body
- Simpan raw JSON webhook di DB atau S3
- Berguna buat debugging + audit
- Set retention 90 hari minimum
4. Implement Reconciliation Job
- Cron daily: compare webhook events vs DB records
- Alert kalau ada drift
- Catch missed webhook
5. Monitor Conversion Rate
- Setup funnel analytics (GA4 atau Posthog)
- Step: checkout-view → click-paypal → complete-payment
- Drop-off >30% = UX issue
6. A/B Test Button Placement
- Default: above the fold
- Test: sticky bottom mobile
- Test: 2-column layout (PayPal vs card)
7. Implement Customer Portal
- Self-service: view subscription, update card, cancel, invoice download
- Reduce support ticket
13. Checklist Setup Sandbox Developer
Setup Awal
- Daftar PayPal developer account
- Create sandbox business account
- Create sandbox personal account (2-3)
- Create App → dapat Client ID + Secret
- Setup
.env.localdengan sandbox credential - Setup ngrok / cloudflared
Integrasi
- Install SDK (
@paypal/react-paypal-js) - Implement create order endpoint
- Implement capture order endpoint
- Setup webhook endpoint + verify signature
- Test happy path (checkout success)
- Test decline path (test card 4000000000000002)
Advanced
- Test subscription lifecycle
- Test refund + partial refund
- Test dispute simulation
- Test webhook delay (simulate via manual delay)
- Implement idempotency
- Setup monitoring (Sentry, LogRocket)
Go-Live
- Switch env credentials
- Update webhook URL
- Test $0.01 real
- Monitor 7 hari pertama
- Setup alert webhook failure
14. FAQ Sandbox PayPal Indonesia
Q: Bisanya sandbox Indonesia developer?
A: Bisa. Gratis. No limit.
Q: Berapa lama sandbox account active?
A: Selamanya (selama account aktif).
Q: Apakah webhook sandbox reliable?
A: Kadang delay 10-30 detik. Production lebih cepat (1-3 detik).
Q: Bisanya test QRIS via PayPal sandbox?
A: Nggak. QRIS outside PayPal scope. Test via Midtrans sandbox.
Q: Bisanya test PayPal Indonesia local bank?
A: Nggak. Sandbox bank selalu US dummy.
15. Mitos vs Fakta Sandbox PayPal
Mitos 1: "Sandbox Behavior Sama Persis Production"
Fakta: 95% sama. Tapi fraud detection + 3DS lebih loose di sandbox.
Mitos 2: "Nggak Perlu Webhook Test di Sandbox"
Fakta: Wajib. Bug webhook paling sering muncul setelah go-live.
Mitos 3: "Live Test Sama Aman dengan Sandbox"
Fakta: Live test = real fee + audit trail. Minimize.
Mitos 4: "Credential Bisa Dipakai Lintas Env"
Fakta: Sandbox credential nggak work di live. Begitu juga sebaliknya.
Mitos 5: "Webhook Verify Optional"
Fakta: Critical security. Nggak verify = vulnerable ke forged webhook.
16. Verdict — Sandbox Testing = Wajib buat Production-Ready
Sandbox PayPal = infrastruktur wajib buat developer Indonesia yang integrate PayPal. Tanpa sandbox = go-live dengan bug + risk kehilangan customer.
Yang paling critical:
- Sandbox account + app credentials
- Webhook verify signature
- Test card list lengkap
- Dispute simulation
- Idempotency key
Yang perlu di-avoid:
- Hardcode credential
- Skip webhook verify
- Live test berulang
- Test happy path saja
- Nggak simulate dispute
Yang always do:
- Logging webhook raw
- Reconciliation job
- Monitoring conversion
- Update SDK rutin
- Audit security berkala
ChatBot Cell siap bantu setup PayPal integration + sandbox testing + webhook handler + production go-live. Plus AI Chatbot buat monitor webhook + alert anomaly + auto-recover failed payment. Konsultasi gratis.
