Fix: Card Tokenisation Now Correctly Uses the Test Gateway for sk_test_ Keys
Release: v1.0.103
What Changed
A routing bug in the POST /v1/payment_methods endpoint has been fixed. The endpoint is used to tokenise card details before charging them via a PaymentIntent or setting up a recurring payment. Prior to this release, the endpoint always contacted the live Cardstream gateway, regardless of whether the request was authenticated with a test or live API key.
Root Cause
The POST /v1/payment_methods route called getCardstreamClient() with no arguments. Because getCardstreamClient() returns a cached singleton that defaults to testMode=false, every call — including those made with sk_test_ keys — was routed to the live gateway.
// Before (incorrect)
const client = getCardstreamClient(); // always live mode
The fix reads the environment indicator from the authenticated request context (ctx.env) and passes it through:
// After (correct)
const client = getCardstreamClient({ testMode: ctx.env === "test" });
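The root cause above is a cached singleton with a silent live-mode default. The following is an added example, not the project's code: it goes one step beyond the fix by caching one client per mode and rejecting a missing mode flag, so a forgotten argument fails instead of reaching the live gateway. All function names, the sample keys and the gateway hosts are hypothetical placeholders.

```javascript
// Added example; every name below is hypothetical, not the project's code.
// Placeholder hosts stand in for the real gateway endpoints.
const GATEWAYS = Object.freeze({
  test: "https://gateway-test.example.invalid",
  live: "https://gateway-live.example.invalid",
});

// One cached client per mode. A single shared instance would pin every
// caller to whichever mode happened to be requested first.
const clients = new Map();

function getGatewayClient({ testMode } = {}) {
  // No default: a caller that forgets the flag gets an error, not live mode.
  if (typeof testMode !== "boolean") {
    throw new TypeError("testMode must be passed explicitly");
  }
  const mode = testMode ? "test" : "live";
  if (!clients.has(mode)) {
    clients.set(mode, Object.freeze({ mode, baseUrl: GATEWAYS[mode] }));
  }
  return clients.get(mode);
}

// Map the authenticated key prefix to an environment (the role the page
// gives to ctx.env). Unknown prefixes are rejected rather than guessed.
function envFromApiKey(apiKey) {
  if (typeof apiKey !== "string") throw new Error("missing API key");
  if (apiKey.startsWith("sk_test_")) return "test";
  if (apiKey.startsWith("sk_live_")) return "live";
  throw new Error("unrecognised API key prefix");
}

// Route handler core: the client is resolved from the request context only.
function resolveClientForRequest(ctx) {
  if (ctx.env !== "test" && ctx.env !== "live") {
    throw new Error("request context has no valid env");
  }
  return getGatewayClient({ testMode: ctx.env === "test" });
}

// Constructed sample requests (the keys are made-up values).
const liveCtx = { env: envFromApiKey("sk_live_constructed456") };
const testCtx = { env: envFromApiKey("sk_test_constructed123") };
console.log(resolveClientForRequest(liveCtx).baseUrl);
console.log(resolveClientForRequest(testCtx).baseUrl);
```

A regression test for this class of bug should issue the live request first and the test request second, since a shared cached instance only misroutes once it has been populated.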
Impact
| Scenario | Before v1.0.103 | From v1.0.103 |
|---|---|---|
| sk_test_ key → POST /v1/payment_methods | ❌ Routed to live Cardstream gateway | ✅ Routed to test Cardstream gateway |
| sk_live_ key → POST /v1/payment_methods | ✅ Routed to live gateway | ✅ Routed to live gateway |
What You Should Do
If your integration uses sk_test_ keys to tokenise cards during development or testing, retest your card tokenisation flows. Calls to POST /v1/payment_methods will now correctly hit the Cardstream sandbox, which may return different responses from the live gateway (e.g. test card acceptance, simulated declines).
No changes to your API calls or credentials are required — the routing is resolved automatically based on the key you present.
Affected Endpoint
POST /v1/payment_methods
Tokenises a card and returns a reusable PaymentMethod object.
- When called with a sk_test_ key: requests are sent to the Cardstream test gateway
- When called with a sk_live_ key: requests are sent to the Cardstream live gateway
Refer to the API Reference for full endpoint documentation.