I have created a production developer account, and of course it comes with a DUMMY merchant for me to test on.
Do I still run sandbox APIs or use production API to test?
if uses sandbox APIs, whats the different between sandbox merchant and production one?
Production and sandbox are separate environments. You need to use the sandbox URLs when testing on sandbox and the production URLs when testing on production. The APIs should be the same.
What you are seeing is the correct and expected behavior. What you are incorrect about is your assumption about the code. The code is never used to obtain merchant data. It (along with the app secret etc.) is only used to obtain an access token.
There are two flows. The first flow is when your app is set to TOKEN. This is less secure and the access token is directly in the redirect URL. We recommend that you only use this during testing.
The second flow is the OAuth flow, documentation for which I have previously linked. I recommend you read the documentation. This flow will be used when your application is set to CODE. In this flow the redirect URL contains a code. The code is used along with the app secret to obtain an access token. The access token is then used to make calls to obtain merchant data.
1 Person is following this question.
