Bangladesh Payment Sandbox Environment Testing Guidelines

1. Overview

This guide provides developers and testers with detailed instructions for integration and testing in the sandbox environment of the Bangladesh Payment System. The sandbox environment simulates the behaviour of a real payment system, but does not involve actual money flows.

2. Obtaining access

2.1 Registration process

  • Step 1: Access the Central Bank of Bangladesh (NBP) Developer Portal
  • Step 2: Fill in the developer registration form and provide the necessary documents (company registration certificate, tax ID, etc.)
  • Step 3: Wait for review (usually takes 3-5 working days)

2.2 API Key Acquisition

After passing the review, you will receive:

  • Sandbox API key
  • Merchant ID/Test Account
  • API Documentation Access

3. Sandbox endpoint URLs

Type of service        Sandbox URL
OAuth authentication   https://api-sandbox.nbp.gov.bd/oauth/token
QR payments            https://api-sandbox.nbp.gov.bd/qr/v1/payments
P2P transfers          https://api-sandbox.nbp.gov.bd/payment/v1/transfers
Bill payment           https://api-sandbox.nbp.gov.bd/billpay/v1/payments

4. Test Credentials (for testing purposes only)

Merchant account:

Merchant ID: TESTMERCH001
API Key: sb_test_1234567890abcdefghijklmnopqrstuvwxyz

Customer account:

Mobile Wallet: +88017XXXXXXXXXX (use any number starting with +88017)
PIN: 1234 (common to all test accounts)

5. Sample Code for Common Transaction Scenarios (Python)

import base64

import requests

# Placeholders: substitute the sandbox credentials issued to you
client_id = "[YOUR_CLIENT_ID]"
client_secret = "[YOUR_CLIENT_SECRET]"

# OAuth authentication to get token
auth_url = "https://api-sandbox.nbp.gov.bd/oauth/token"
basic_credentials = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
headers = {
    "Content-Type": "application/x-www-form-urlencoded",
    "Authorization": f"Basic {basic_credentials}",
}
data = {
    "grant_type": "client_credentials"
}
response = requests.post(auth_url, headers=headers, data=data, timeout=10)
response.raise_for_status()  # fail early on 400/401/403
access_token = response.json()["access_token"]

# QR Payment Request Example
qr_payload = {
    "merchantId": "[YOUR_MERCHANT_ID]",
    "amount": 100,
    # ... Refer to API documentation for other required fields...
}

qr_headers = {
    "Authorization": f"Bearer {access_token}",
    "Content-Type": "application/json",
}

qr_response = requests.post(
    "https://api-sandbox.nbp.gov.bd/qr/v1/payments",
    json=qr_payload,
    headers=qr_headers,
    timeout=10,
)

print(qr_response.json())

6. Error Handling and Debugging Tips

Common HTTP status codes:
- 400 Bad Request → Check that the request format is correct.
- 401 Unauthorized → Verify that your API key/OAuth token is valid and not expired.
- 403 Forbidden → Confirm that your merchant account has permission to perform this operation.

Logging recommendations:

# -v prints the request headers, including the bearer token, to stderr;
# only the response body is written to response.log
curl -v -X POST https:/... \
  -H "Authorization: Bearer $TOKEN" \
  -d @request_body.json > response.log
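
Debug logs of sandbox requests can carry the test PIN, the API key or a bearer token. The following added example (not part of the original guide) masks those values in Python log records instead of discarding the records; the PIN field spellings it matches and the sample lines are constructed assumptions.

```python
import logging
import re

# Patterns for the secrets this guide handles. The "sb_test_" prefix comes from
# the sample API key; the PIN field spellings matched here are assumptions.
_PATTERNS = [
    (re.compile(r'(?i)(authorization\s*:\s*(?:bearer|basic)\s+)\S+'), r'\1[REDACTED]'),
    (re.compile(r'\bsb_test_[A-Za-z0-9]+'), 'sb_test_[REDACTED]'),
    (re.compile(r'(?i)("?\bpin"?\s*[:=]\s*"?)\d+'), r'\1****'),
]


def redact(text: str) -> str:
    """Mask tokens, API keys and PIN values; leave the rest of the line intact."""
    for pattern, replacement in _PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrite the record instead of dropping it, so the event is still logged."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # the message is already fully formatted
        return True


# Constructed sample lines (not real traffic)
SAMPLES = [
    'POST /qr/v1/payments Authorization: Bearer eyJhbGciOi.abc.def',
    'wallet debit request {"mobile": "+88017XXXXXXXXXX", "pin": "1234"}',
    'auth failed for key sb_test_1234567890abcdefghijklmnopqrstuvwxyz',
    'shipping address updated',  # "pin" only as a substring: must pass unchanged
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    log = logging.getLogger("sandbox")
    log.addFilter(RedactingFilter())
    for line in SAMPLES:
        log.info(line)
```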

7. Restrictions and quotas

The sandbox environment has the following limitations:
- The amount of a single transaction does not exceed Tk. 100,000 (BDT)
- Accumulated daily transactions do not exceed Tk. 500,000 per day
- Up to 30 API calls per minute

8. Support channels

The following are ways to get help when you have a problem:
- Email: [email protected]
- Slack: NBP Developer Community
- Tel: +880XXXXXXX (Mon-Fri 9AM-5PM GMT+6)

9. Test case design recommendations

9.1 Core payment scenarios

  • Successful payment flow: small amount (10 BDT), standard amount (500 BDT), boundary value (99,999 BDT)
  • Failure scenarios:
    • Consecutive incorrect PIN entries (test 3 times for the locking mechanism)
    • Insufficient balance transactions
    • Expired QR code transaction (default expiry 15 minutes)

9.2 API Validation Matrix

API method                       HTTP status code   JSON response fields
POST /payments                   201 Created        transactionId, status: "PENDING"
GET /transactions/{id}           200 OK             settlementAmount, feeDetails
DELETE /payments/{id} (refund)   202 Accepted       reversalReference
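10. Local simulation tools

Quick deployment with the Docker image:

# -e options must come before the image name, otherwise they are passed
# to the container as arguments instead of being set as environment variables
docker run -p 8080:8080 \
  -e MOCK_RESPONSE_DELAY=200ms \
  -e FAILURE_RATE=5% \
  nbp/sandbox-simulator:v2.4

Configuration parameter description:

  • DELAY_MS: Simulated network delay (default 150ms)
  • FAILURE_RATE: Percentage of requests that are automatically failed (for stress testing)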

11. Security Compliance Requirements

Protective measures that must be implemented:

  1. Encrypted transmission: TLS 1.2+ is mandatory for all requests

    # Nginx sample configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

  2. Sensitive data masking:

    # Python log filtering example
    import logging

    class SensitiveDataFilter(logging.Filter):
        def filter(self, record):
            # Drop any record whose message contains the substring "pin"
            if 'pin' in record.getMessage().lower():
                return False
            return True

  3. Authentication enhancement recommendations:

    POST /auth/token HTTP/1.1
    Host: api-sandbox.nbp.gov.bd
    Authorization: Basic base64(client_id:SHA256(client_secret+timestamp))
    x-timestamp: 20240605t143812z
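
The request in item 3 derives a per-request Basic credential from the client secret and a timestamp. As an added example (not part of the original guide or the NBP API), the code below builds that header and shows a matching server-side check with a freshness window; the hex digest encoding, the uppercase timestamp layout, the 5-minute window and the demo credentials are assumptions.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

TS_FORMAT = "%Y%m%dT%H%M%SZ"      # assumed layout of the x-timestamp value
MAX_SKEW = timedelta(minutes=5)   # assumed freshness window


def build_headers(client_id: str, client_secret: str, now: datetime) -> dict:
    """Client side: base64(client_id:SHA256(client_secret+timestamp))."""
    ts = now.astimezone(timezone.utc).strftime(TS_FORMAT)
    digest = hashlib.sha256((client_secret + ts).encode()).hexdigest()  # hex is assumed
    basic = base64.b64encode(f"{client_id}:{digest}".encode()).decode()
    return {"Authorization": f"Basic {basic}", "x-timestamp": ts}


def verify_headers(headers: dict, secrets: dict, now: datetime) -> bool:
    """Server side: recompute the digest; reject stale or malformed requests."""
    try:
        scheme, blob = headers["Authorization"].split(" ", 1)
        client_id, digest = base64.b64decode(blob, validate=True).decode().split(":", 1)
        ts = headers["x-timestamp"]
        sent = datetime.strptime(ts, TS_FORMAT).replace(tzinfo=timezone.utc)
        secret = secrets[client_id]
    except (KeyError, ValueError):
        return False
    if scheme != "Basic" or abs(now - sent) > MAX_SKEW:
        return False  # outside the window the header is no longer accepted
    expected = hashlib.sha256((secret + ts).encode()).hexdigest()
    # Constant-time comparison so the check does not leak matching prefixes
    return hmac.compare_digest(expected.encode(), digest.encode())


# Constructed sample values (not real credentials)
T0 = datetime(2024, 6, 5, 14, 38, 12, tzinfo=timezone.utc)
SECRETS = {"demo-client": "demo-secret"}

if __name__ == "__main__":
    hdrs = build_headers("demo-client", "demo-secret", T0)
    print(hdrs["x-timestamp"], verify_headers(hdrs, SECRETS, T0 + timedelta(minutes=1)))
    print("after window:", verify_headers(hdrs, SECRETS, T0 + timedelta(minutes=10)))
```

A header captured in transit stays valid until the freshness window closes, and the digest does not cover the request body, so TLS from item 1 remains the protection for both.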

12. Performance benchmark reference

Measured on an AWS t3.xlarge instance:
- Average response time: 120±25ms (P95)
- Throughput: 220TPS (under sustained load)
- Cold start latency: 300-500ms extra for the first call

13. Production switchover checklist

After completing the sandbox test, please confirm:

✅ [ ] IP whitelisting has been submitted to the NBP Ops team
✅ [ ] SSL certificate is issued by a trusted CA and has not expired
✅ [ ] Error code handling coverage has reached 100%
✅ [ ] Switchover from mock data to real accounts is complete

To obtain the full version of "Specification for Integration of Electronic Payment Systems in Bangladesh" in PDF, please send a formal request email to [email protected], with the email subject in the format: "[API DOC REQUEST] {company name}"