> ## Documentation Index
> Fetch the complete documentation index at: https://docs.doshi.app/llms.txt
> Use this file to discover all available pages before exploring further.

# Environments

> Production and sandbox hosts for the Doshi embed and API

## Overview

Doshi runs two environments: **production** and **sandbox**. Sandbox is a fully
isolated environment for testing your integration without touching production
data.

Each environment has its own embed host (the iframe / webview URL) and its own
API host. The API hosts are already selectable from the server dropdown in the
[Client API reference](/api-reference) — sandbox embed works the same way, just
with a different host.

## Hosts

| Environment | Embed (iframe / webview)          | API                             |
| ----------- | --------------------------------- | ------------------------------- |
| Production  | `https://embed.v2.doshi.app`      | `https://api.doshi.app`         |
| Sandbox     | `https://sandbox.embed.doshi.app` | `https://sandbox.api.doshi.app` |

## Switching to sandbox

<Note>
  Your **client token is the same in both environments** — there's no separate
  sandbox key. To test against sandbox, just point the iframe at
  `https://sandbox.embed.doshi.app`. Nothing else in your integration changes.
</Note>

```js theme={null}
// Production
const embedUrl = "https://embed.v2.doshi.app";

// Sandbox
const embedUrl = "https://sandbox.embed.doshi.app";
```

The code examples throughout these docs use the production host. Swap in the
sandbox host wherever you see `embed.v2.doshi.app` to run against sandbox.

## One thing to watch: origin checks

If you point the iframe at sandbox, the origin you verify in your `message`
listener — and the `targetOrigin` you pass to `postMessage` — must match the
**sandbox** host. A listener hardcoded to `https://embed.v2.doshi.app` will
silently reject messages coming from `https://sandbox.embed.doshi.app`.

The simplest approach is to allow both hosts:

```javascript theme={null}
const allowedOrigins = [
  "https://embed.v2.doshi.app",        // Production
  "https://sandbox.embed.doshi.app",   // Sandbox
];

window.addEventListener("message", (event) => {
  if (!allowedOrigins.includes(event.origin)) {
    console.warn("Rejected message from unauthorized origin:", event.origin);
    return;
  }

  // Process message
});
```

See [Security](/webview/security) for the full origin-verification guidance.

## Next Steps

<CardGroup cols={2}>
  <Card title="Quick Start" icon="rocket" href="/webview/quickstart">
    Complete walkthrough with examples
  </Card>

  <Card title="Security" icon="shield" href="/webview/security">
    Origin verification and token handling
  </Card>
</CardGroup>