The verdict in three sentences
Shipping a payment to production without testing it in sandbox is gambling customers' money on a coin flip. Good methodology isolates a test environment (staging), simulates webhooks, and covers the edge cases: timeout, double webhook, partial payment, refund. A scenario x expected-result matrix, plus a go-live checklist, eliminates the vast majority of incidents.
The environments and their roles
Never test on the production database. Three separate environments, three key sets.
| Environment | API keys | Database | Use |
|---|---|---|---|
| Sandbox / dev | Test | Local throwaway | Development, first webhooks |
| Staging | Test | Anonymized copy | UAT, end-to-end integration tests |
| Production | Live | Real | Real customers only |
Webhooks are the weak point: locally, a tunnel (e.g. ngrok) exposes your endpoint to receive aggregator notifications; in staging, a stable URL and webhook replay let you re-test without making a real payment.
Test scenario matrix
Every edge case must have a written expected result, otherwise it isn't tested. Here is the minimal matrix before any go-live.
| Scenario | Simulated trigger | Expected result |
|---|---|---|
| Successful payment | "success" webhook | Order paid, customer notified once |
| Double webhook | Same event 2x | Processed once (idempotency) |
| Operator timeout | No response in 30 s | Status "pending", no double payment |
| Out-of-order webhook | "success" before "created" | Reconciled, consistent state |
| Partial payment | Amount < expected | Order not validated, alert |
| Refund | "refund" webhook | Order refunded, stock restored |
| Invalid signature | Forged webhook | Rejected (401), logged |
| Insufficient balance | "failed" webhook | Order unpaid, dunning triggered |
The double webhook scenario is the trickiest: without an idempotency key, an order can be validated or stock decremented twice. It's the test to never skip.
Go-live checklist
| Check | Expected state |
|---|---|
| Live keys separate from Test keys | Confirmed, never committed |
| Webhook endpoint over HTTPS + signature check | Active |
| Idempotency on transaction ID | Implemented and tested |
| Timeout handling + status verification | In place |
| Logs for every webhook (success and failure) | Enabled |
| Customer return page (success/failure/cancel) | Tested |
| Daily reconciliation | Scheduled |
| A real 100 FCFA payment in prod | Done and refunded |
Need a professional website?
Kolonell builds websites that attract clients, optimized for the Sénégalese market. Free quote in 2 minutes.
Mini case study
Khadija's developer integrates Wave on a Next.js site. In staging he replays the same "success" webhook twice: without idempotency, the order becomes "paid x2" and the confirmation email goes out twice. He adds an idempotency key on the transaction ID (already-processed event = ignored) and replays: a single validation. Test cost: 0 FCFA and 30 minutes; cost of the prevented prod incident: hours of support and wrongly billed customers.
FAQ
Do Wave and Orange Money offer a real sandbox in 2026?
Test environments and accounts exist depending on your merchant status and aggregator. Lacking a full sandbox, you test with small real amounts (e.g. 100 FCFA) immediately refunded.
How do I receive webhooks locally?
A tunnel like ngrok exposes your localhost endpoint on a temporary public URL. The aggregator sends notifications there, and you debug processing without deploying.
Why is idempotency so critical?
Operators may resend the same webhook several times. Without an idempotency key on the transaction ID, you risk double order validation or double stock decrement.
What about a timed-out payment?
Never assume failure: query the real status via the API before acting. The payment may have succeeded on the operator side even if the HTTP response never returned.
Let's talk about your project. We integrate Wave/OM with sandbox, idempotency and a tested go-live checklist before any production release. WhatsApp +221 77 596 93 33.
Mohamed Bah
Fondateur, Kolonell
Passionate about digital and entrepreneurship in Africa, Mohamed has been helping Sénégalese businesses with their digital transformation since 2020. Founder of Kolonell, he believes every SME deserves a professional and accessible online présence.
