Guides
Start typing to search…

How to test in other environments

This guide shows how to exercise the GraphQL API in non-production environments using Apollo Sandbox. Some environments expose a built-in Sandbox at the GraphQL endpoint; in others you can use the hosted Sandbox and point it to the API URL.


Environments

  • You should receive environment-specific GraphQL endpoints (e.g., development, staging/cert, production).
  • Use the correct base URL for the environment you want to test.

Option A: Built-in Apollo Sandbox (when enabled)

In environments where the landing page is enabled, simply open the GraphQL endpoint in your browser. You’ll see Apollo Sandbox with schema introspection, an editor, and a place to add headers.

Steps:

  1. Navigate to your environment’s GraphQL URL in a browser.
  2. In the “Headers” panel, add an auth header if required:
    • Key: Authorization
    • Value: Bearer <accessToken>
  3. Run queries and mutations directly in the editor.

Option B: Hosted Apollo Sandbox

If the built-in landing page is disabled, use Apollo’s hosted explorer and point it at your endpoint.

Steps:

  1. Open Apollo Sandbox (hosted) in your browser.
  2. In the Endpoint field, paste your environment’s GraphQL URL.
  3. In the “Headers” panel, add:
    • Authorization: Bearer <accessToken>
  4. Click “Refresh Schema” if needed, then run queries.

Getting a Token for Testing

Use the login mutation to obtain tokens. You can run it in the Sandbox without an Authorization header, then use the returned token for subsequent requests.

mutation Login($email: String!, $password: String!) {
    login(email: $email, password: $password) {
        token
        refreshToken
        expiresIn
    }
}

After login, copy the token and set the header:

Authorization: Bearer <token>

To refresh an expired access token, you can use:

mutation Refresh($refreshToken: String) {
    refreshToken(refreshToken: $refreshToken) {
        token
        refreshToken
        expiresIn
    }
}

If your environment sets secure cookies on login, the Sandbox may authenticate via cookies automatically (browser dependent). For consistency across environments, prefer the Authorization header.

Quick Checks

  • Query the current user:
query Me {
    user {
        id
        email
    }
}
  • Fetch a document by ticket number:
query Doc($ticketNum: String!) {
    document(ticketNum: $ticketNum) {
        id
        ticketNum
        status
    }
}

Troubleshooting

  • “Unauthorized” errors: Ensure the Authorization header is present and the token is valid.
  • Schema won’t load: Confirm the endpoint URL and that introspection is allowed in that environment.
  • Cookies not applied: Rely on the header-based token instead of cookies, especially across subdomains.
  • CORS errors: Use the Sandbox from a browser that can reach the endpoint; for server-to-server tests, use curl or Postman.

Best Practices

  • Keep separate tokens per environment; do not reuse production credentials in lower envs.
  • Always set the Authorization header explicitly in the Sandbox for predictable behavior.
  • Validate filters and pagination in Sandbox before integrating into your app.

Updated about 2 months ago