Test your app's integration against the Venddor sandbox before going live.
Venddor provides a complete sandbox environment for testing. The sandbox holds demo data and does not affect real stores.
| Environment | URL | Use |
|---|---|---|
| Sandbox | https://sandbox.api.io.venddor.com.br | Development and testing |
| Production | https://api.io.venddor.com.br | Production apps |
When you create an app in the developer portal, you automatically receive sandbox credentials. Use them to test before going live:

```bash
# Sandbox test credentials (from your developer dashboard)
export VENDDOR_API_URL="https://sandbox.api.io.venddor.com.br"
export CLIENT_ID="your_sandbox_client_id"
export CLIENT_SECRET="your_sandbox_client_secret"
export TEST_TENANT_ID="sandbox-demo-tenant"

# Quick test: list products from sandbox
# TEST_TOKEN must hold a valid sandbox access token
curl -H "Authorization: Bearer $TEST_TOKEN" \
  -H "X-Tenant-ID: $TEST_TENANT_ID" \
  "$VENDDOR_API_URL/api/storefront/products"
```

The sandbox includes demo data: 50 products, 20 orders, 10 customers, 5 categories.
Test the complete OAuth flow in the sandbox before going to production:

| # | Test | Expected result |
|---|---|---|
| 1 | Redirect to /oauth/authorize | Authorization page displayed |
| 2 | Approve the scopes | Redirect to your callback URL with ?code=... |
| 3 | Exchange the code for a token | access_token and refresh_token returned |
| 4 | Use the token to call the API | Data returned successfully |
| 5 | Use an expired token | HTTP 401 returned |
| 6 | Refresh the token | New access_token returned |
| 7 | Use an invalid state | CSRF error detected |
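
Row 7 only passes if your app issues and checks `state` itself. The following is an added example, not Venddor's code, of one way to do that per session and to run the negative cases locally; the in-memory store, the 10-minute lifetime and the function names are assumptions.

```javascript
const crypto = require('crypto');

// Hypothetical in-memory store (sessionId -> pending state); a real app
// would keep this in its server-side session.
const pendingStates = new Map();
const STATE_TTL_MS = 10 * 60 * 1000; // assumed lifetime, not a Venddor value

// Call before redirecting to /oauth/authorize; send the result as `state`.
function issueState(sessionId, now = Date.now()) {
  const state = crypto.randomBytes(32).toString('hex');
  pendingStates.set(sessionId, { state, expiresAt: now + STATE_TTL_MS });
  return state;
}

// Call in the callback handler before exchanging ?code=... for a token.
function consumeState(sessionId, returnedState, now = Date.now()) {
  const entry = pendingStates.get(sessionId);
  pendingStates.delete(sessionId); // single use: any attempt burns it
  if (!entry || typeof returnedState !== 'string') return false;
  if (now > entry.expiresAt) return false;
  const got = Buffer.from(returnedState);
  const want = Buffer.from(entry.state);
  // timingSafeEqual throws on unequal lengths, so compare lengths first
  return got.length === want.length && crypto.timingSafeEqual(got, want);
}

// Negative cases for checklist row 7, run against constructed sessions.
function runStateChecks() {
  const t0 = 0;
  const ok = issueState('s-valid', t0);
  const results = { valid: consumeState('s-valid', ok, t0 + 1000) };
  results.replayed = consumeState('s-valid', ok, t0 + 2000);
  issueState('s-forged', t0);
  results.forged = consumeState('s-forged', 'f'.repeat(64), t0);
  issueState('s-missing', t0);
  results.missing = consumeState('s-missing', undefined, t0);
  const late = issueState('s-expired', t0);
  results.expired = consumeState('s-expired', late, t0 + STATE_TTL_MS + 1);
  const other = issueState('s-a', t0);
  issueState('s-b', t0);
  // A state issued to one session must not be accepted for another
  results.crossSession = consumeState('s-b', other, t0);
  return results;
}

console.log(runStateChecks());
```
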
```bash
# Test token exchange
curl -X POST "$VENDDOR_API_URL/oauth/token" \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "authorization_code",
    "client_id": "'"$CLIENT_ID"'",
    "client_secret": "'"$CLIENT_SECRET"'",
    "code": "AUTH_CODE_FROM_CALLBACK",
    "redirect_uri": "https://localhost:3000/auth/callback"
  }'

# Test token refresh
curl -X POST "$VENDDOR_API_URL/oauth/token" \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "refresh_token",
    "client_id": "'"$CLIENT_ID"'",
    "client_secret": "'"$CLIENT_SECRET"'",
    "refresh_token": "YOUR_REFRESH_TOKEN"
  }'
```

Test every endpoint your app uses. Check both success and error scenarios:
```bash
# Set up test environment
API="https://sandbox.api.io.venddor.com.br"
AUTH="Authorization: Bearer $TOKEN"
TENANT="X-Tenant-ID: $TENANT_ID"

# Test: List products (should return 200)
curl -s -w "\nHTTP Status: %{http_code}\n" \
  -H "$AUTH" -H "$TENANT" "$API/api/storefront/products"

# Test: Get non-existent product (should return 404)
curl -s -w "\nHTTP Status: %{http_code}\n" \
  -H "$AUTH" -H "$TENANT" "$API/api/storefront/products/nonexistent-id"

# Test: Create product without required field (should return 400)
curl -s -w "\nHTTP Status: %{http_code}\n" -X POST \
  -H "$AUTH" -H "$TENANT" -H "Content-Type: application/json" \
  -d '{"description": "no name field"}' \
  "$API/api/admin/products"

# Test: Access without token (should return 401)
curl -s -w "\nHTTP Status: %{http_code}\n" \
  -H "$TENANT" "$API/api/admin/products"

# Test: Access scope you don't have (should return 403)
curl -s -w "\nHTTP Status: %{http_code}\n" \
  -H "$AUTH" -H "$TENANT" "$API/api/admin/settings"
```

Use tools such as ngrok or webhook.site to test webhooks locally:
```bash
# Option 1: Use ngrok to expose your local server
ngrok http 3000
# Copy the ngrok URL (e.g., https://abc123.ngrok.io)
# Register it as webhook URL in your developer dashboard

# Option 2: Use webhook.site for quick testing
# Go to https://webhook.site and copy your unique URL
# Register it as webhook URL in your developer dashboard

# Option 3: Trigger a test webhook from the API
curl -X POST "$API/api/developers/apps/YOUR_APP_ID/webhooks/test" \
  -H "$AUTH" \
  -H "Content-Type: application/json" \
  -d '{
    "event": "order.created",
    "webhook_url": "https://your-ngrok-url.ngrok.io/webhooks/venddor"
  }'
```

```javascript
// Webhook signature verification (Node.js)
const crypto = require('crypto');
const express = require('express');

const app = express();
const CLIENT_SECRET = process.env.CLIENT_SECRET;

function verifyWebhookSignature(payload, signature, secret) {
  // A missing header must fail verification, not throw
  if (typeof signature !== 'string') return false;
  const expected = 'sha256=' + crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');
  const received = Buffer.from(signature);
  const computed = Buffer.from(expected);
  // timingSafeEqual throws when lengths differ, so compare lengths first
  return received.length === computed.length &&
    crypto.timingSafeEqual(received, computed);
}

// In your webhook handler:
// express.raw keeps req.body as the exact bytes that were signed
app.post('/webhooks/venddor', express.raw({ type: 'application/json' }), (req, res) => {
  const signature = req.headers['x-venddor-signature'];
  if (!verifyWebhookSignature(req.body, signature, CLIENT_SECRET)) {
    return res.status(401).send('Invalid signature');
  }
  const event = JSON.parse(req.body.toString('utf8'));
  // Process the event...
  res.status(200).send('OK');
});
```

| Error | Cause | Solution |
|---|---|---|
| 401 Unauthorized | Expired or invalid token | Use the refresh_token to obtain a new access_token |
| 403 Forbidden | Insufficient scope | Request the required scopes during OAuth |
| 404 Not Found | Resource does not exist or belongs to another tenant | Check the ID and the X-Tenant-ID |
| 429 Rate Limited | Too many requests | Implement exponential backoff |
| CORS error | Calling the API from the browser | Use a server-side proxy. The API does not support direct CORS. |
| Invalid state | state parameter does not match | Generate a unique state per session and validate it in the callback |
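
To exercise the webhook signature check without waiting for a sandbox delivery, you can sign a payload yourself and confirm which requests your verifier rejects. This is an added example, not Venddor's code; it assumes the `sha256=` + hex HMAC scheme shown in the handler above, and the secret and event body are constructed test values.

```javascript
const crypto = require('crypto');

// Same scheme as the handler on this page: 'sha256=' + hex HMAC-SHA256
// computed over the raw request body.
function signPayload(rawBody, secret) {
  return 'sha256=' +
    crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
}

// Length-checked verifier: a missing or short header returns false.
function verifySignature(rawBody, signature, secret) {
  if (typeof signature !== 'string') return false;
  const got = Buffer.from(signature);
  const want = Buffer.from(signPayload(rawBody, secret));
  return got.length === want.length && crypto.timingSafeEqual(got, want);
}

// Constructed sample delivery; the field names are illustrative only.
const SECRET = 'sandbox-secret-for-tests';
const BODY = Buffer.from(
  JSON.stringify({ event: 'order.created', data: { id: 'order-1' } })
);

function signatureCases() {
  const good = signPayload(BODY, SECRET);
  const tampered = Buffer.from(BODY.toString().replace('order-1', 'order-2'));
  // Parsing and re-serializing changes the bytes, which is why the
  // handler must verify the raw body and not a re-encoded object.
  const reserialized = Buffer.from(
    JSON.stringify(JSON.parse(BODY.toString()), null, 2)
  );
  return {
    valid: verifySignature(BODY, good, SECRET),
    tamperedBody: verifySignature(tampered, good, SECRET),
    wrongSecret: verifySignature(BODY, signPayload(BODY, 'other-secret'), SECRET),
    truncated: verifySignature(BODY, good.slice(0, 20), SECRET),
    missingHeader: verifySignature(BODY, undefined, SECRET),
    reserializedBody: verifySignature(reserialized, good, SECRET),
  };
}

console.log(signatureCases());
```

Only `valid` should be `true`; send the same body and `signPayload` output to your local handler to check that it answers 200 for the valid case and 401 for the rest.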
Before publishing your app to the marketplace, check every item: