If you are a developer building a website or application in Bangladesh, integrating the bKash payment gateway is almost always a must. bKash is one of the most widely used Mobile Financial Services (MFS) in Bangladesh, and millions of people use it daily for online and offline transactions.
But before you push your payment system live, you absolutely must test it in a sandbox environment. Skipping sandbox testing can result in real money being charged, failed transactions on your live site, and a very poor experience for your customers.
In this complete guide, I am going to cover everything you need to know about bKash sandbox credentials, test wallet numbers, PINs, OTPs, API URLs, and how to properly test your payment gateway integration — whether you are working with PHP, Laravel, or WordPress.
What is the bKash Sandbox Environment?
The bKash sandbox is a testing environment provided by bKash for developers. It mirrors the real bKash payment system, but no real money is involved. Everything — from initiating a payment, entering a PIN, completing a transaction, to handling failures — works exactly the same as the live environment.
Using the sandbox, you can:
- Test successful payment flows
- Simulate failed payments (insufficient balance, debit block)
- Verify your callback and IPN (Instant Payment Notification) handling
- Debug your API integration before approval from bKash
bKash Sandbox API Credentials
Below are the official sandbox API credentials you can use for testing your bKash Tokenized Checkout integration:
| Field | Value |
|---|---|
| Username | sandboxTokenizedUser02 |
| Password | sandboxTokenizedUser02@12345 |
| App Key | 4f6o0cjiki2rfm34kfdadl1eqq |
| App Secret | 2is7hdktrekvrbljjh44ll3d9l1dtjo4pasmjvs5vl5qr3fug4b |
⚠️ Note: These are public sandbox credentials only. Never use them in a live/production environment. For live credentials, you must apply through the official bKash Merchant Portal.
bKash Sandbox API URLs
| Environment | Base URL |
|---|---|
| Sandbox (Testing) | https://tokenized.sandbox.bka.sh/v1.2.0-beta |
| Live (Production) | https://tokenized.pay.bka.sh/v1.2.0-beta |
Always use the sandbox URL while testing your integration. Only switch to the live URL after your application is fully tested and approved.
bKash Sandbox Test Wallet Numbers
bKash provides specific test wallet numbers you can use to simulate payments inside the sandbox environment.
Regular Active Customer Wallets (Successful Transactions)
Use these numbers to simulate successful payments:
| # | Wallet Number |
|---|---|
| 1 | 01770618575 |
| 2 | 01929918378 |
| 3 | 01770618576 |
| 4 | 01877722345 |
| 5 | 01619777282 |
| 6 | 01619777283 |
❌ Wallets for Failed Transaction Cases
Use these to test how your system handles payment failures:
| # | Wallet Number | Failure Reason |
|---|---|---|
| 1 | 01823074817 | Insufficient Balance |
| 2 | 01823074818 | Debit Block |
PIN and OTP for All Sandbox Wallets
All sandbox wallets share the same test PIN and OTP:
| Field | Value |
|---|---|
| PIN | 12121 |
| OTP | 123456 |
These are fixed test values — you do not need any real bKash account to use them.
How to Set Up bKash Sandbox in Your Project
For PHP / Laravel (.env Configuration)
Add the following to your .env file for sandbox testing:
BKASH_TOKENIZE_SANDBOX=true
BKASH_TOKENIZE_BASE_URL=https://tokenized.sandbox.bka.sh/v1.2.0-beta/tokenized
BKASH_TOKENIZE_VERSION="v1.2.0-beta"
BKASH_TOKENIZE_APP_KEY=4f6o0cjiki2rfm34kfdadl1eqq
BKASH_TOKENIZE_APP_SECRET=2is7hdktrekvrbljjh44ll3d9l1dtjo4pasmjvs5vl5qr3fug4b
BKASH_TOKENIZE_USER_NAME=sandboxTokenizedUser02
BKASH_TOKENIZE_PASSWORD=sandboxTokenizedUser02@12345
When you are ready to go live, comment out or replace the sandbox values with your actual live credentials from bKash.
Step-by-Step: How to Test a bKash Payment in Sandbox
Follow these steps to run a complete test transaction:
Step 1: Configure your project with the sandbox credentials and sandbox base URL shown above.
Step 2: Initiate a payment request using the Tokenized API. You will need to call the Grant Token API first to get an access token.
Step 3: Create the payment using the Create Payment API endpoint. Make sure to generate a unique merchantInvoiceNumber for each request.
Step 4: When the bKash payment popup appears, enter any of the sandbox wallet numbers listed above.
Step 5: Enter the test PIN 12121 when prompted.
Step 6: Enter the test OTP 123456 to complete the transaction.
Step 7: Your callback URL will receive the success or failure response. Verify that your system handles both correctly.
Step 8: To test a failure scenario, use wallet 01823074817 (insufficient balance) or 01823074818 (debit block) and observe how your application responds.
bKash Tokenized API Overview
The bKash Tokenized Checkout API (v1.2.0-beta) is the current and recommended version for all new integrations. The key API endpoints you will use during testing are:
- Grant Token:
POST /tokenized/checkout/token/grant— Generates your access token using App Key and App Secret. - Create Payment:
POST /tokenized/checkout/create— Initiates a new payment session. - Execute Payment:
POST /tokenized/checkout/execute— Confirms the payment after user approval. - Query Payment:
POST /tokenized/checkout/payment/status— Checks the status of a transaction. - Refund:
POST /tokenized/checkout/payment/refund— Issues a refund for a transaction.
Important Security Note: Never expose your App Key, App Secret, Username, or Password in frontend JavaScript. Always make API calls from your backend server. This protects your credentials and keeps your integration secure.
Important Things to Remember
- Sandbox wallets do not expire and are always available for testing purposes.
- Sandbox credentials cannot be used in the live environment — they will be rejected.
- For live API credentials, you must register as a bKash Merchant and contact bKash support at 16247.
- The bKash Sandbox API has CORS restrictions, meaning you cannot call it directly from a browser. All requests must go through your backend server.
- Always generate a unique invoice number for each payment request to avoid conflicts.
Common Errors and How to Fix Them
“Invalid Credentials” Error Make sure your App Key and App Secret match exactly. Even a single extra space can cause this error.
“CORS Policy” Error in Browser This is expected. bKash Sandbox APIs are not accessible directly from the browser. Route all API calls through your backend.
Payment Not Completing Make sure you are using the correct sandbox URL. Double-check that BKASH_TOKENIZE_SANDBOX=true is set properly in your environment.
Callback Not Receiving Data Your callback URL must be publicly accessible. If you are testing on localhost, use a tunneling tool like ngrok to expose your local server.
How to Switch from Sandbox to Live
Once your sandbox testing is complete and everything works as expected, follow these steps to go live:
- Apply for live API credentials through the official bKash Merchant Portal or contact your bKash Relationship Manager.
- Replace all sandbox environment variables with your live credentials in your
.envfile. - Change the base URL from
https://tokenized.sandbox.bka.sh/v1.2.0-betatohttps://tokenized.pay.bka.sh/v1.2.0-beta. - Set
BKASH_TOKENIZE_SANDBOX=false. - Do a final test with a small real transaction before fully opening to customers.
Frequently Asked Questions (FAQs)
Q: What is a bKash sandbox? The bKash sandbox is a test environment that allows developers to simulate payment transactions without using real money or a real bKash account.
Q: Can I use sandbox credentials for live payments? No. Sandbox credentials only work in the sandbox environment. You must obtain live credentials from bKash for real transactions.
Q: What is the PIN and OTP for bKash sandbox test wallets? The PIN is 12121 and the OTP is 123456 for all sandbox wallets.
Q: Which wallet number should I use to test a failed payment? Use 01823074817 to simulate insufficient balance and 01823074818 to simulate a debit block.
Q: Do sandbox wallet numbers expire? No, they remain available as long as the bKash sandbox environment is active.
Q: Can I integrate bKash into a WordPress or WooCommerce site? Yes. There are bKash plugins available for WooCommerce. You can also do a custom integration using PHP or Laravel.
Q: How do I get live bKash API credentials? You need to apply for a bKash Merchant account and request API access. You can contact bKash support at 16247 or reach out to your Relationship Manager.
Q: Why do sandbox API calls fail in the browser console? bKash Sandbox APIs have CORS disabled for all origins. You must make all API calls from a backend server, not directly from the browser.
Conclusion
Testing your bKash payment gateway integration properly using the sandbox environment is a critical step before going live. With the sandbox credentials, test wallet numbers, PINs, and OTPs shared in this guide, you can fully simulate both successful and failed payment scenarios without risking real money.
Whether you are building with PHP, Laravel, or WordPress, the bKash Tokenized Checkout API v1.2.0-beta provides a reliable and well-documented system for accepting mobile payments in Bangladesh.
If you need help integrating bKash into your website or application, feel free to contact me — I offer professional web development and payment gateway integration services.
Written by Arman | Freelancer Arman | Web Developer & Designer from Noakhali, Bangladesh Website: arman.bd
