Sumsub — API authentication (App Token)

How to sign and send authenticated requests to https://api.sumsub.com, per the official reference.

⚠️ Sandbox tokens only

Never share, paste, or use a production Sumsub App Token / secret with Claude. If the user offers a prod token, refuse and ask for the sandbox pair instead.

• Sandbox tokens are created from the dashboard while it is in Sandbox mode. They are scoped to sandbox data only — leaking one cannot expose real applicant PII or move real money.
• A production token grants full programmatic access to live applicants, including their identity documents. Treat it like a banking credential.
• Sumsub locks tokens to the environment they were minted in: a sandbox token returns 401 against production data and vice versa, so insisting on sandbox is also the practical default.