# 2. Prepare your Sandbox environment

Set up the Sandbox environment to test the integration before you push it to the production environment.

## Set up sandbox

### Generate a CSR

1. Open the **Sandbox authentication** tab in the [Developer Portal](https://developer.revolut.com/portal/signin), and copy the suggested command to generate a Certificate Signing Request (CSR).
2. Open a CLI, and paste the `openssl` command to generate a CSR.

You may also create the CSR using the command below, by providing your own application name:
```shell
openssl req -new -newkey rsa:2048 -nodes -out revolut.csr -keyout private.key -subj '/C=GB/ST=/L=/O=<YOUR APP NAME>/OU=001580000103UAvAAM/CN=2kiXQyo0tedjW2somjSgH7' -sha256 -outform der
```

### Configure Sandbox authentication

1. On the **Sandbox authentication** tab, fill in the `Redirect URLs`.
2. Click **Upload CSR file**, navigate to the CSR you just generated and upload it.
3. Click **Continue**.

The **Overview** tab of your application in the Developer Portal displays a `Client ID` you can use in the Sandbox environment.

:::tip [Deploying a Production application]
If you have an [OBIE/eIDAS certificate](/docs/guides/build-banking-apps/introduction-to-the-open-banking-api/global-customer-access-controls#certificate-types), you can upload the certificate in the Developer Portal and register a production application without any further approval from Revolut.
In return, you receive a `client_id` that you can use to make requests with our API.
:::

:::note [Becoming a Partner]
If you are looking to become a Revolut Partner, you must submit a request for your application to be approved via the Developer Portal.
On successful approval, you receive production certificates to use with our API.
:::

### Download sandbox credentials

1. Navigate to your application settings in the Developer Portal.
2. Click **Download sandbox certificates**.
3. Place the downloaded certificates `signing.der` and `transport.der` in the directory where you stored your own certificate in the [Generate CSR](#generate-a-csr) step.

### Convert certificates

You need to convert the signing and transport certificates to `*.pem` format:

```shell
openssl x509 -inform der -in transport.der -out transport.pem
openssl x509 -inform der -in signing.der -out signing.pem
```

:::note
Your certificate directory should now contain these 6 files:
- 1 certificate signing request file in `*.csr`
- 1 private key file in `*.key`
- 1 transport certificate in `*.der`
- 1 transport certificate in `*.pem`
- 1 signing certificate in `*.der`
- 1 signing certificate in `*.pem` 
:::

### Add a JWK

:::tip
A JWK is not required for the Partner API [scopes](/docs/guides/build-banking-apps/get-started/register-your-application-in-the-developer-portal#create-a-new-app) (Draft Payments).
If your application only needs access to these scopes, you can skip this step.
:::

To add a JWK, you must [generate](#generate-the-jwk) it, [validate](#validate-your-jwk) it (optional, but recommended), and then [set up a JWK endpoint](#set-up-jwk-endpoint) with the URL under which you made it public. 

#### Generate the JWK

1. Create a JSON file in a text editor with the following structure:
   ```json
   {
     "keys": [
       {
         "e": "AQAB",
         "n": "<your n claim value>",
         "kid": "<your KID value>",
         "kty": "RSA",
         "use": "sig",
         "x5c": [
           "<your base64-encoded signing certificate>"
         ]
       }
     ]
   }
   ```
2. Generate the **n claim** value by running the following command in the directory where you store your certificates:
   ```shell
   openssl x509 -noout -modulus -in signing.pem | cut -c 9- | xxd -r -p | base64 | tr '/+' '_-' | tr -d '='
   ```
3. Paste the generated `n claim` value in the corresponding JSON key.
4. Copy the content of your `signing.pem` certificate with no line breaks, header or footer and enter it into the `x5c` parameter.
   You can obtain the `signing.pem` certificate with the following command:
   ```shell
   sed -E '/(^-----[A-Z ]+-----$)/d' signing.pem | tr -d '\n'
   ```
5. Type in a value of your choice for the `kid` key.
6. Save the JSON file and make it available on an address which can be publicly resolved.
   :::tip
   For testing purposes, you may host the JSON content on [Pastebin](https://pastebin.com) and use a public address such as `https://pastebin.com/raw/{your bin}`.
   :::
7. [Verify](/docs/guides/build-banking-apps/register-your-application-using-dcr/get-the-jwks-url#verify-that-your-jwks-url-is-publicly-accessible) that your JWKs URL is publicly accessible and the content is properly encoded.

#### Validate your JWK

You can validate your JWK using the [JWK / JWKS / PEM Converter](https://dailydevelopertools.com/jwk-jwks-pem-converter.html) or by checking that the key structure matches the [supported key types](/docs/guides/build-banking-apps/register-your-application-using-dcr/get-the-jwks-url#supported-key-types).

#### Set up JWK endpoint

1. Navigate to your application settings in the Developer Portal.
2. Click the **Set up JWKs endpoint** widget.
3. Type in the address of the JWK in the **JWKs URL** field.

## What's next

You are ready to start requesting user consents and make API calls to our endpoints. For more information, see our [tutorials](/docs/guides/build-banking-apps/tutorials/get-account-and-transaction-information) to walk you through the steps for different use cases.

You can also [set up the production environment](/docs/guides/build-banking-apps/get-started/setup-prod-environment) for your application.