5-minute quickstart
This path proves three things quickly: your backend can send sk_test_... safely, the sandbox host is reachable, and the webhook can close the payment loop.
1. Create the first authenticated charge on the backend
curl -X POST https://api.sandbox.mupag.com.br/v1/charges \
-H "Authorization: Bearer sk_test_your_server_key" \
-H "Idempotency-Key: 550e8400-e29b-41d4-a716-446655440000" \
-H "Content-Type: application/json" \
-d '{
"amount_cents": 1290,
"payment_method": "pix",
"customer": {
"name": "Ana Silva",
"email": "ana@example.com",
"tax_id": "12345678909"
}
}'
2. Run the no-secret browser test
Request body
{
"amount_cents": 1290,
"payment_method": "pix"
}Ready for a browser-safe sandbox request
The browser never asks for a merchant key here. Use server-side guides for authenticated merchant calls.
3. Repeat the same flow in your backend language
Node.js
const response = await fetch('https://api.sandbox.mupag.com.br/v1/charges', {
method: 'POST',
headers: {
Authorization: 'Bearer sk_test_your_server_key',
'Idempotency-Key': crypto.randomUUID(),
'Content-Type': 'application/json',
},
body: JSON.stringify({
amount_cents: 1290,
payment_method: 'pix',
customer: {name: 'Ana Silva', email: 'ana@example.com', tax_id: '12345678909'},
}),
});
Java
var request = HttpRequest.newBuilder(URI.create("https://api.sandbox.mupag.com.br/v1/charges"))
.header("Authorization", "Bearer sk_test_your_server_key")
.header("Idempotency-Key", UUID.randomUUID().toString())
.header("Content-Type", "application/json")
.POST(HttpRequest.BodyPublishers.ofString("""
{"amount_cents":1290,"payment_method":"pix","customer":{"name":"Ana Silva","email":"ana@example.com","tax_id":"12345678909"}}
"""))
.build();
Python
response = requests.post(
"https://api.sandbox.mupag.com.br/v1/charges",
headers={
"Authorization": "Bearer sk_test_your_server_key",
"Idempotency-Key": str(uuid.uuid4()),
"Content-Type": "application/json",
},
json={
"amount_cents": 1290,
"payment_method": "pix",
"customer": {"name": "Ana Silva", "email": "ana@example.com", "tax_id": "12345678909"},
},
)
PHP
$response = $client->request('POST', 'https://api.sandbox.mupag.com.br/v1/charges', [
'headers' => [
'Authorization' => 'Bearer sk_test_your_server_key',
'Idempotency-Key' => Ramsey\Uuid\Uuid::uuid4()->toString(),
'Content-Type' => 'application/json',
],
'json' => [
'amount_cents' => 1290,
'payment_method' => 'pix',
'customer' => ['name' => 'Ana Silva', 'email' => 'ana@example.com', 'tax_id' => '12345678909'],
],
]);
Go
payload := strings.NewReader(`{"amount_cents":1290,"payment_method":"pix","customer":{"name":"Ana Silva","email":"ana@example.com","tax_id":"12345678909"}}`)
req, _ := http.NewRequest(http.MethodPost, "https://api.sandbox.mupag.com.br/v1/charges", payload)
req.Header.Set("Authorization", "Bearer sk_test_your_server_key")
req.Header.Set("Idempotency-Key", uuid.NewString())
req.Header.Set("Content-Type", "application/json")
4. Close the loop
- Point your receiver to the events described in Webhooks.
- Confirm in the sandbox dashboard that the charge and customer arrived with the same IDs stored in your system.
- Keep
charge_id,request_idand your idempotency key in application logs.
Did this page unblock the next step?
Feedback stays inside the docs flow and should never include customer or card data.