All Docs
FeaturesCalmony PayUpdated March 15, 2026

Fix: sk_test_ API Keys Now Correctly Route to the Cardstream Test Environment

Fix: sk_test_ API Keys Now Correctly Route to the Cardstream Test Environment

Release: v1.0.101

Overview

A spec drift has been resolved in the Cardstream Payment Gateway integration. Before this fix, using an sk_test_ API key did not route requests to the Cardstream test environment — they were sent to the live production gateway instead.

This post explains what went wrong, what was fixed, and what you need to know as an integrator.

Background

Calmony Pay uses API key prefixes to determine the operating mode of a payment request:

Key prefixIntended environment
sk_live_Cardstream production gateway
sk_test_Cardstream test gateway

This convention is consistent with how Stripe and similar providers handle test/live key separation, and it is a core requirement of the Cardstream Payment Gateway Integration spec.

What Was Wrong

The CardstreamClient class in src/lib/calmony-pay/cardstream/client.ts had partial test mode support:

  • ✅ The constructor correctly set config.testMode = true when the API key started with sk_test_.
  • ✅ All payment confirm/charge paths correctly passed testMode: !project.liveMode when constructing the client.
  • ❌ The testMode flag was never used to select a different gateway base URL.

Both directUrl and hostedUrl always resolved to this.gatewayBaseUrl, which was set from:

  1. The CARDSTREAM_GATEWAY_URL environment variable, or
  2. The hard-coded production default: https://gateway.cardstream.com/

The isTestMode property existed as a readable field, but the client never branched on it when constructing the /direct/ or /hosted/ endpoint URLs.

Consequence

Any developer testing their integration with sk_test_ keys was unknowingly hitting the live Cardstream gateway. This carries the following risks:

  • Real card authorisation attempts during development or testing.
  • Test transactions appearing in live merchant reporting.
  • Potential charges to real payment instruments used in test flows.

What Was Fixed

The CardstreamClient has been updated so that when config.testMode is true, it applies a distinct gateway URL or the appropriate Cardstream-provided test mode mechanism — ensuring test traffic is correctly isolated from production.

sk_live_ API key behaviour is unchanged.

Affected file: src/lib/calmony-pay/cardstream/client.ts

Action Required

If you are using sk_test_ API keys in any environment, upgrade to v1.0.101 immediately. No changes to your integration code are required — key prefix detection and routing are handled automatically by CardstreamClient.

If you have been running tests against what you believed was the Cardstream sandbox, review your Cardstream merchant dashboard to confirm whether any live transactions were created unintentionally during that period.

Verifying Your Setup

After upgrading, confirm correct routing by:

  1. Initialising CardstreamClient with an sk_test_ key.
  2. Checking that client.isTestMode returns true.
  3. Submitting a test transaction and verifying it appears in the Cardstream test environment, not the live merchant account.