Test Cards
All test cards work only in sandbox mode (publishable key starting with pk_sandbox_). Use any future expiry date (e.g. 12/30) and any 3-digit CVC (or 4-digit for Amex).
Successful payments
Section titled “Successful payments”These cards always produce a successful charge or tokenization.
| Brand | Number | CVC | Notes |
|---|---|---|---|
| Visa | 4242 4242 4242 4242 | Any 3 digits | Most common test card. |
| Mastercard | 5555 5555 5555 4444 | Any 3 digits | Standard Mastercard test number. |
| American Express | 3782 822463 10005 | Any 4 digits | Amex uses a 4-digit CVC and 15-digit card number. |
| Discover | 6011 1111 1111 1117 | Any 3 digits | Discover network test card. |
Special flows
Section titled “Special flows”These cards trigger specific behaviors inside the iframe.
| Flow | Number | What happens |
|---|---|---|
| Installments (MSI) | 4000 0048 4000 0008 | After clicking the CTA, the iframe shows an installment picker with 3, 6, 9, 12, 18, and 24-month options. The guest selects one before the payment is confirmed. Only applies in checkout mode with installments: { required: true }. |
| 3D Secure | 4000 0000 0000 3220 | After clicking the CTA, the iframe shows a simulated 3D Secure challenge page. The guest clicks “Complete authentication” to succeed. In sandbox, the challenge always succeeds. |
Declined cards
Section titled “Declined cards”These cards simulate specific decline scenarios. The error code is returned in the error.code field of the checkout() or createToken() result, and the error message is shown to the guest inside the iframe.
| Number | Error code | Description |
|---|---|---|
4000 0000 0000 0002 | card_declined | Generic decline with no specific reason. |
4000 0000 0000 9995 | insufficient_funds | Card does not have enough balance. |
4000 0000 0000 0069 | expired_card | Card has expired. |
4000 0000 0000 0127 | incorrect_cvc | CVC does not match. |
4000 0000 0000 0101 | incorrect_number | Card number is invalid at the acquirer. |
4000 0000 0000 9987 | do_not_honor | Issuer declined without a reason. |
4000 0000 0000 0036 | fraudulent | Issuer flagged the transaction as fraud. |
4000 0000 0000 0044 | lost_card | Card reported lost. |
4000 0000 0000 0051 | stolen_card | Card reported stolen. |
4000 0000 0000 0119 | processing_error | Transient acquirer error. |
Sandbox URLs
Section titled “Sandbox URLs”The sandbox environment uses separate endpoints. The SDK handles this automatically based on your publishable key, but these are useful for debugging.
| Service | URL |
|---|---|
| Card form iframe | https://fields-sandbox.zatlas.com |
| CDE API (tokenization) | https://cde-api-staging.zatlas.com |
| Payments API | https://sandbox-api.zatlas.com |
| OAuth2 token endpoint | https://cde-api-staging.zatlas.com/oauth2/token |
Going to production
Section titled “Going to production”When you are ready to accept real payments:
- Replace your publishable key with the production key (
pk_live_...). - Replace your OAuth2 credentials (
client_idandclient_secret) with production values. - Remove any test card numbers from your code.
- Verify your integration handles all error codes gracefully.
See the Payments API documentation for server-side details on charges, refunds, and reconciliation.