Skip to content

Testing assets

Take advantage of these resources to help you test your integration across various scenarios.

Testing Credentials

Consult your Account Manager to initiate the onboarding process.

Once this process is finished, you will receive your testing credentials, including:

  • Terminal Code
  • Bearer Token
  • Client ID

When you have your credentials, you are ready to start the integration process.

Within your testing environment, you gain the ability to:

  • Digitally onboard your merchants, in case you are a Payment Facilitator
  • Initiate your integration process
  • Explore the features and tools at your disposal
  • Conduct test payments

Keep in mind that a test account allows you to explore SIBS integrations but does not guarantee live payment processing.

Testing Cards

Prior to implementing live payment processing, you have the option to use the provided card details from this page for testing purposes. 

Please note that these details are exclusively applicable on our testing platform and do not involve actual transactions or the transfer of any funds.

Here are some testing cards you can use:

BrandCard numberExpiry dateCVC/CVV3DS3DS Authentication password
Visa417666000000010012/25597Yes (Challenge)123456
Mastercard518552005000001012/25001Yes (Challenge)123456
Mastercard520474000000100212/25100Yes (Frictionless)
Cartes Bancaires Visa4970 4178 0960 982303/23914Yes (Frictionless)
Cartes Bancaires MasterCard5134 1486 5519 781704/24419Yes (Challenge)123456
Cartes Bancaires Visa4010 0562 0000 001801/25123Yes (Frictionless)
Cartes Bancaires MasterCard5137 2100 0000 001801/25123Yes (Challenge)123456

Handling responses

Response codes provide valuable insights into the outcome of an API request. This page provides a comprehensive description of the potential response codes you may encounter.

HTTP Status Codes

HTTP defines a set of forty standard status codes that communicate the results of a client’s request. These status codes are categorized into the following five groups:

1xxInformationalCommunicates transfer protocol-level information.
2xxSuccessIndicates that the client’s request was accepted successfully.
3xxRedirectionIndicates that the client must take some additional action in order to complete their request.
4xxClient ErrorThis category of error status codes points the finger at clients.
5xxServer ErrorThe server takes responsibility for these error status codes.
CodeDescriptionDetail and Action
200OKIt indicates that the REST API successfully carried out whatever action the client requested and that no more specific code in the 2xx series is appropriate.
Unlike the 204 status code, a 200 response should include a response body.The information returned with the response is dependent on the method used in the request, for example:
GET an entity corresponding to the requested resource is sent in the response;
HEAD the entity-header fields corresponding to the requested resource are sent in the response without any message-body;
POST an entity describing or containing the result of the action;
TRACE an entity containing the request message as received by the end server.
201CreatedA REST API responds with the 201 status code whenever a resource is created inside a collection. There may also be times when a new resource is created as a result of some controller action, in which case 201 would also be an appropriate response.
The newly created resource can be referenced by the URI(s) returned in the entity of the response, with the most specific URI for the resource given by a Location header field.
The origin server MUST create the resource before returning the 201 status code. If the action cannot be carried out immediately, the server SHOULD respond with a 202 (Accepted) response instead.
202AcceptedA 202 response is typically used for actions that take a long while to process. It indicates that the request has been accepted for processing, but the processing has not been completed. The request might or might not be eventually acted upon, or even maybe disallowed when processing occurs.
Its purpose is to allow a server to accept a request for some other process (perhaps a batch-oriented process that is only run once per day) without requiring that the user agent’s connection to the server persist until the process is completed.
The entity returned with this response SHOULD include an indication of the request’s current status and either a pointer to a status monitor (job queue location) or some estimate of when the user can expect the request to be fulfilled.
204No ContentThe 204 status code is usually sent out in response to a PUT, POST, or DELETE request when the REST API declines to send back any status message or representation in the response message’s body.
An API may also send 204 in conjunction with a GET request to indicate that the requested resource exists, but has no state representation to include in the body.
If the client is a user agent, it SHOULD NOT change its document view from that which caused the request to be sent. This response is primarily intended to allow input for actions to take place without causing a change to the user agent’s active document view, although any new or updated metainformation SHOULD be applied to the document currently in the user agent’s active view.
The 204 response MUST NOT include a message-body and thus is always terminated by the first empty line after the header fields
205Reset ContentThe server successfully processed the request, asks that the requester reset its document view, and is not returning any content.
206Partial ContentThe server is delivering only part of the resource (byte serving) due to a range header sent by the client. The range header is used by HTTP clients to enable resuming of interrupted downloads, or split a download into multiple simultaneous streams.
300Multiple ChoicesIndicates multiple options for the resource from which the client may choose (via agent-driven content negotiation). For example, this code could be used to present multiple video format options, to list files with different filename extensions, or to suggest word-sense disambiguation.
301Moved PermanentlyThe 301 status code indicates that the REST API’s resource model has been significantly redesigned, and a new permanent URI has been assigned to the client’s requested resource. The REST API should specify the new URI in the response’s Location header, and all future requests should be directed to the given URI.
You will hardly use this response code in your API as you can always use the API versioning for new API while retaining the old one.
302FoundThe HTTP response status code 302 Found is a common way of performing URL redirection. An HTTP response with this status code will additionally provide a URL in the Location header field. The user agent (e.g., a web browser) is invited by a response with this code to make a second. Otherwise identical, request to the new URL specified in the location field.
Many web browsers implemented this code in a manner that violated this standard, changing the request type of the new request to GET, regardless of the type employed in the original request (e.g., POST). RFC 1945 and RFC 2068 specify that the client is not allowed to change the method on the redirected request. The status codes 303 and 307 have been added for servers that wish to make unambiguously clear which kind of reaction is expected of the client.
303See OtherA 303 response indicates that a controller resource has finished its work, but instead of sending a potentially unwanted response body, it sends the client the URI of a response resource. The response can be the URI of the temporary status message, or the URI to some already existing, more permanent, resource.
Generally speaking, the 303 status code allows a REST API to send a reference to a resource without forcing the client to download its state. Instead, the client may send a GET request to the value of the Location header.
The 303 response MUST NOT be cached, but the response to the second (redirected) request might be cacheable.
304Not ModifiedThis status code is similar to 204 (“No Content”) in that the response body must be empty. The critical distinction is that 204 is used when there is nothing to send in the body, whereas 304 is used when the resource has not been modified since the version specified by the request headers If-Modified-Since or If-None-Match.
In such a case, there is no need to retransmit the resource since the client still has a previously-downloaded copy.
Using this saves bandwidth and reprocessing on both the server and client, as only the header data must be sent and received in comparison to the entirety of the page being re-processed by the server, then sent again using more bandwidth of the server and client.
307Temporary RedirectA 307 response indicates that the REST API is not going to process the client’s request. Instead, the client should resubmit the request to the URI specified by the response message’s Location header. However, future requests should still use the original URI.
A REST API can use this status code to assign a temporary URI to the client’s requested resource. For example, a 307 response can be used to shift a client request over to another host.
The temporary URI SHOULD be given by the Location field in the response. Unless the request method was HEAD, the entity of the response SHOULD contain a short hypertext note with a hyperlink to the new URI(s). If the 307 status code is received in response to a request other than GET or HEAD, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.
400Bad Request400 is the generic client-side error status, used when no other 4xx error code is appropriate. Errors can be like malformed request syntax, invalid request message parameters, or deceptive request routing etc.
The client SHOULD NOT repeat the request without modifications.
401UnauthorizedA 401 error response indicates that the client tried to operate on a protected resource without providing the proper authorization. It may have provided the wrong credentials or none at all. The response must include a WWW-Authenticate header field containing a challenge applicable to the requested resource.
The client MAY repeat the request with a suitable Authorization header field. If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity might include relevant diagnostic information.
402Payment RequiredReserved for future use. The original intention was that this code might be used as part of some form of digital cash or micropayment scheme, as proposed, and this code is not widely used.
403ForbiddenA 403 error response indicates that the client’s request is formed correctly, but the REST API refuses to honor it, i.e. the user does not have the necessary permissions for the resource. A 403 response is not a case of insufficient client credentials; that would be 401 (“Unauthorized”).
Authentication will not help, and the request SHOULD NOT be repeated. Unlike a 401 Unauthorized response, authenticating will make no difference.
404Not FoundThe 404 error status code indicates that the REST API can’t map the client’s URI to a resource but may be available in the future. Subsequent requests by the client are permissible.
No indication is given of whether the condition is temporary or permanent. The 410 (Gone) status code SHOULD be used if the server knows, through some internally configurable mechanism, that an old resource is permanently unavailable and has no forwarding address. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
405Method Not AllowedThe API responds with a 405 error to indicate that the client tried to use an HTTP method that the resource does not allow. For instance, a read-only resource could support only GET and HEAD, while a controller resource might allow GET and POST, but not PUT or DELETE.
406Not AcceptableThe 406 error response indicates that the API is not able to generate any of the client’s preferred media types, as indicated by the Accept request header. For example, a client request for data formatted as application/xml will receive a 406 response if the API is only willing to format data as application/json.
If the response could be unacceptable, a user agent SHOULD temporarily stop receipt of more data and query the user for a decision on further actions.
407Proxy Authentication RequiredThe client must first authenticate itself with the proxy.
408Request TimeoutThe server timed out waiting for the request. According to HTTP specifications: “The client did not produce a request within the time that the server was prepared to wait. The client MAY repeat the request without modifications at any later time.
409ConflictIndicates that the request could not be processed because of conflict in the current state of the resource, such as an edit conflict between multiple simultaneous updates.
410GoneIndicates that the resource requested is no longer available and will not be available again. This should be used when a resource has been intentionally removed and the resource should be purged. Upon receiving a 410 status code, the client should not request the resource in the future. Clients such as search engines should remove the resource from their indices. Most use cases do not require clients and search engines to purge the resource, and a “404 Not Found” may be used instead.
411Length RequiredThe request did not specify the length of its content, which is required by the requested resource
412Precondition FailedThe 412 error response indicates that the client specified one or more preconditions in its request headers, effectively telling the REST API to carry out its request only if certain conditions were met. A 412 response indicates that those conditions were not met, so instead of carrying out the request, the API sends this status code.
413Payload Too LargeThe request is larger than the server is willing or able to process. Previously called “Request Entity Too Large”
414URI Too LongThe URI provided was too long for the server to process. Often the result of too much data being encoded as a query-string of a GET request, in which case it should be converted to a POST request. Called “Request-URI Too Long” previously
415Unsupported Media TypeThe 415 error response indicates that the API is not able to process the client’s supplied media type, as indicated by the Content-Type request header. For example, a client request including data formatted as application/xml will receive a 415 response if the API is only willing to process data formatted as application/json.
For example, the client uploads an image as image/svg+xml, but the server requires that images use a different format.
416Range Not SatisfiableThe client has asked for a portion of the file (byte serving), but the server cannot supply that portion. For example, if the client asked for a part of the file that lies beyond the end of the file. Called “Requested Range Not Satisfiable” previously.
417Expectation FailedThe server cannot meet the requirements of the Expect request-header field.
421Misdirected RequestThe server cannot meet the requirements of the Expect request-header field.
422Unprocessable EntityThe request was well-formed but was unable to be followed due to semantic errors.
423LockedThe resource that is being accessed is locked.
424Failed DependencyThe request failed because it depended on another request and that request failed (e.g., a PROPPATCH).
425Too EarlyIndicates that the server is unwilling to risk processing a request that might be replayed.
426Upgrade RequiredThe client should switch to a different protocol such as TLS/1.0, given in the Upgrade header field.
428Precondition RequiredThe origin server requires the request to be conditional. Intended to prevent the ‘lost update’ problem, where a client GETs a resource’s state, modifies it, and PUTs it back to the server, when meanwhile a third party has modified the state on the server, leading to a conflict.
429Too Many RequestsThe user has sent too many requests in a given amount of time. Intended for use with rate-limiting schemes.
431Request Header Fields Too LargeThe server is unwilling to process the request because either an individual header field, or all the header fields collectively, are too large.
451Unavailable For Legal Reasons A server operator has received a legal demand to deny access to a resource or to a set of resources that includes the requested resource.
500Internal Server Error500 is the generic REST API error response. Most web frameworks automatically respond with this response status code whenever they execute some request handler code that raises an exception.
A 500 error is never the client’s fault, and therefore, it is reasonable for the client to retry the same request that triggered this response and hope to get a different response.
API response is the generic error message, given when an unexpected condition was encountered and no more specific message is suitable.
501Not ImplementedThe server either does not recognize the request method, or it lacks the ability to fulfill the request. Usually, this implies future availability (e.g., a new feature of a web-service API).
502Bad GatewayThe server was acting as a gateway or proxy and received an invalid response from the upstream server.
503Service UnavailableThe server cannot handle the request (because it is overloaded or down for maintenance). Generally, this is a temporary state.
504Gateway TimeoutThe server was acting as a gateway or proxy and did not receive a timely response from the upstream server.
505HTTP Version Not SupportedThe server does not support the HTTP protocol version used in the request.
506506 Variant Also NegotiatesTransparent content negotiation for the request results in a circular reference.
507Insufficient StorageThe server is unable to store the representation needed to complete the request.
508Loop Detected
The server detected an infinite loop while processing the request (sent instead of 208 Already Reported).
510Not ExtendedFurther extensions to the request are required for the server to fulfil it.
511Network Authentication RequiredThe client needs to authenticate to gain network access. Intended for use by intercepting proxies used to control access to the network (e.g., “captive portals” used to require agreement to Terms of Service before granting full Internet access via a Wi-Fi hotspot).
Decline Codes

An unsuccessful response comprises both different HTTP status (400,401. 403, 405, 429, 500 and 503) a returnStatus.statusCode other than “000” and a returnStatus.StatusDescription associated with different error descriptions.

SIBS Stargate APIs uses a predefined status codes which addresses the potential reasons why an unsuccessful response occurred. The table below presents the different decline codes (statusCode), a description (StatusDescription) and the potential decline reason.

The table below contains the different status codes, corresponding descriptions, and suggested actions to resolve the errors.

statusCodeStatusDescriptionDecline ReasonSuggested action
E0101Invalid request, data is missing or is invalidThe data inserted for the transaction is not correct so the transaction could not be initiated or successfully concludedCheck that the data entered for the transaction is valid and accurate.
Ensure that details such as card information, customer information, and SEPA DD mandate data are correct.
E0102Invalid or missing data for the payment typeThe payment type and data could not be validatedCheck if payment data is correct (applicable for Blik and Cards).
E01033D Secure Authentication failed3DS authentication process was not successfully completed by the buyerThe terminal should have 3DS active and
card used during the transaction should also support 3DS.
E0104Amount limit exceededThe transaction amount (including SEPA DD mandate) does not meet the acceptance network limitsFor SEPA DD:
Verify the transaction limits imposed by the bank.
Ensure that SEPA Direct Debit is correctly setup.

Buyer’s to check BLIK account limits and balance.

For Cards:
Verify the transaction limits for the transaction.
E0105Authorized Payment – Invalid Payment methodThe merchant either lacks the available payment method or has not configured it correctly to process transactions.Verify through SIBS Backoffice that there is an available agreement for the selected payment method to ensure the transaction is successful.
E0106Invalid terminalThe requested transaction is not supported by the terminalReview, via SIBS Backoffice, the settings of the terminal which was used to perform the transaction.
E0107Authorized Payment UnknownThe payment authorization was unsuccessful, or its status is undeterminedRefer to SIBS Backoffice to check the transaction status.
E0108Invalid webhook configurationThe webhook settings were configured incorrectlyPlease check on SIBS Backoffice Webhook menu if the webhook settings are properly defined.
E0201Declined, recurring payment is deactivatedRecurring payment could be declined, deactivated, or not supported by the merchantPlease review the checkout details to verify the payment information.
Ensure all necessary payment fields are accurately completed, including card number, expiration date, CVV, billing address, and any other required information.
E0202Declined operationPayment is not accepted/declined, or fraud management system did not approve the transaction.Please contact SIBS to understand why the transaction was declined by the fraud detection system (applicable for Cards and BLIK).
E0301Merchant credentials errorFail getting the app credentials for the merchantEnsure the supplied credentials for the API calls are valid and if the issue persists communicate to SIBS support.
E0302No agreement foundInvalid agreement for a particular financial productVerify in the SIBS Backoffice menu that the financial agreements are correctly defined.
E0303Operation not supportedFailed to generate a transaction in a specific service (example: Link to Pay, Split Payout)Provide Transaction ID to SIBS support team to understand why the transaction is failing.
E0304Transaction already finalizedThe current transaction flow is already completed, a similar transaction could already be recently submittedConfirm on SIBS Backoffice the status of the transaction with a given transaction ID.
E0305Transaction not foundFailing to get the transaction information, the transaction ID should be checked.Confirm on SIBS Backoffice the status of the transaction.
E0306Wrong parameterization for the payment methodWrong parameterization in payment method (amount, expiration date, token, merchant code or terminal code)Check if there is any incorrect parameterization in the payment method, ensuring accuracy in fields such as amount, expiration date, token, merchant code, or terminal code.
E0307Wrong parameterization for the payment typeWrong parameterization in payment type (valid for Authorization, Purchase, Capture or Refund).Update the payment type parameterization to ensure it accurately corresponds to the intended function, whether it be Authorization, Purchase, Capture, or Refund.
E0900Invalid authentication or authorization DataToken creation failed due to invalid dataConfirm Token information data.
E0901Invalid acceptor, creditor, account, or mandate detailsSEPA DD Mandate was not properly configuredConfirm SEPA DD mandate settings.
E0902Invalid AmountThe payment amount is invalid, or exceeds the amount that’s allowedCheck SEPA DD token details.
E0903Invalid CurrencyThe terminal does not support or accepts the transaction currencyCheck SEPA DD token details.
E0904Invalid link to payIncorrect settings on Link to Pay (expired, duplicated or not active)Check on SIBS Backoffice, on Link to Pay menu, if the link settings are properly defined.
E0905Invalid Mandate dateThe due date for the SEPA Direct Debit Mandate exceeds 15 days, surpassing the time limit.Confirm SEPA DD mandate settings (date).
E0906Invalid merchant or terminal codeData for the amount, expiration date, token, merchant code or terminal code are not properly definedCheck on SIBS Backoffice if the merchant, store and terminal data are properly defined.
E0908Invalid settlement pointsSettlement points are either improperly defined or cannot be locatedCheck on both SIBS Backoffice and Checkout API if the settlement points setting are properly defined.
T999SIBS temporary errorAn internal error has occurred with the SIBS Gateway. Please reach out to support for assistance.Contact SIBS Support.
E999SIBS Internal ErrorAn internal error has occurred with the SIBS Gateway. Please reach out to support for assistance.Contact SIBS Support.

Code references

Codes serve as crucial identifiers in various domains, including the realm of payments.

Below you can find the ISO Codes used for:


ISO 3166-1 Alpha-2

For the onboarding API you should use the ISO 3166 Numeric Code.