Testing Your Integration
The API Sandbox lets you exercise the real API from a browser, before writing a line of backend code.
api.phone.cobinar.com directly — the same worker your production backend talks to. There's no separate mock backend, so what you see there is exactly what your integration will get.
What each panel does
Health check
A single unauthenticated GET /v1/health — useful as a first sanity check that the API is reachable at all.
Send OTP / Verify OTP
Paste in an application's Client ID, Client Secret, and API Key — use a Test environment application so you're not consuming live rate limits — and the panel calls /v1/otp/send and /v1/otp/verify directly. A successful send auto-fills the request ID into the verify panel.
api.phone.cobinar.com, straight from your browser — the same as pasting them into curl. They're never sent anywhere else, logged, or stored past the page session. Still, prefer test-environment credentials here over live ones.
Webhook echo sandbox
Generates a temporary URL backed by /v1/sandbox/echo — a small, unauthenticated pair of endpoints on the same API worker. Register that URL as a webhook endpoint in the console, click Send test event there, and the delivery appears in the sandbox within a few seconds, headers and all. Bins expire after 10 minutes and keep only the last 10 deliveries.
Signature verifier
Runs entirely in your browser using the Web Crypto API — nothing is sent to any server for this one. Paste the raw payload a delivery contained, its x-cobinar-signature value, and your Webhook Secret; the page computes the same HMAC-SHA256 the platform used and tells you whether it matches. If it matches here, the same logic in your own backend (see Webhooks) will also verify correctly.
Why this needed only two new API routes, not a new service
Everything except the webhook-echo bins was already exposed by the production API — sending and verifying OTPs, and testing a registered webhook, are things the platform already does. The only genuinely new server-side capability the sandbox required was somewhere to receive a webhook delivery without you having deployed your own server yet, which is what POST /v1/sandbox/echo and /v1/sandbox/echo/:id provide — two small, heavily rate-limited, short-lived routes added to the existing API worker.