Skip to main content

Overview

Doshi runs two environments: production and sandbox. Sandbox is a fully isolated environment for testing your integration without touching production data. Each environment has its own embed host (the iframe / webview URL) and its own API host. The API hosts are already selectable from the server dropdown in the Client API reference — sandbox embed works the same way, just with a different host.

Hosts

EnvironmentEmbed (iframe / webview)API
Productionhttps://embed.v2.doshi.apphttps://api.doshi.app
Sandboxhttps://sandbox.embed.doshi.apphttps://sandbox.api.doshi.app

Switching to sandbox

Your client token is the same in both environments — there’s no separate sandbox key. To test against sandbox, just point the iframe at https://sandbox.embed.doshi.app. Nothing else in your integration changes.
// Production
const embedUrl = "https://embed.v2.doshi.app";

// Sandbox
const embedUrl = "https://sandbox.embed.doshi.app";
The code examples throughout these docs use the production host. Swap in the sandbox host wherever you see embed.v2.doshi.app to run against sandbox.

One thing to watch: origin checks

If you point the iframe at sandbox, the origin you verify in your message listener — and the targetOrigin you pass to postMessage — must match the sandbox host. A listener hardcoded to https://embed.v2.doshi.app will silently reject messages coming from https://sandbox.embed.doshi.app. The simplest approach is to allow both hosts: 
const allowedOrigins = [
  "https://embed.v2.doshi.app",        // Production
  "https://sandbox.embed.doshi.app",   // Sandbox
];

window.addEventListener("message", (event) => {
  if (!allowedOrigins.includes(event.origin)) {
    console.warn("Rejected message from unauthorized origin:", event.origin);
    return;
  }

  // Process message
});
See Security for the full origin-verification guidance.

Next Steps

Quick Start

Complete walkthrough with examples

Security

Origin verification and token handling