Changelog

SANDBOX - v2.3.6 - 2026-02-25

This Sandbox release expands fiat offramp coverage, re-enables USD offramps with updated beneficiary requirements, and introduces stricter SIWE validation rules to improve authentication reliability and security. Webhook payload visibility has also been enhanced.


✨ What’s New

  • 🔐 Stricter SIWE message validation enforced
  • 🇵🇰 PKR offramps now available
  • 🇺🇸 USD offramps re-enabled
    • 📝 Additional information now required when creating USD beneficiaries
  • 📬 account_name now returned in cryptoToFiat webhooks

🔐 SIWE Message Enforcement Updates

We’ve tightened validation of Sign-In With Ethereum (SIWE) messages to ensure full compliance and improve security. Please review the following requirements:

📝 General format

  • SIWE message must be a valid EIP-4361 string.

⛓️ Chain ID

  • chainId must match the environment (stage) you are using.
  • ⚠️ Do not send production chain IDs (e.g., 1, 137, 56) when calling Sandbox endpoints.

🏦 Domain

  • Domain must match the API environment:
    • Production: api.getunblock.com OR api.bakkt.com
    • Sandbox: sandbox.getunblock.com OR sandbox.api.bakkt.com
  • ⚠️ Any other domain will be rejected with a detailed error.

🌍 URI

  • uri must be:
const uri = `https://${siweMessage.domain}/auth/login`

where siweMessage.domain is one of the allowed domains for the selected stage.

Required time fields

  • SIWE message must include:
    • issuedAt
    • expirationTime

Time validity rules

  • Message validity window must not exceed 4 hours.
  • Message must not be expired at verification time.
  • issuedAt must not be in the future.
  • notBefore is optional:
    • If present, the message must not be used before the specified time.

✍️ Signature requirements

  • Message must be signed by the address specified in the SIWE message

OR

  • By a smart contract wallet compliant with EIP-1271, where:
    • isValidSignature is implemented, and
    • it returns 0x1626ba7e (EIP-1271 magic value) for the provided message + signature pair.

⚠️ Please verify your SIWE generation and signing logic, and update it if needed, to avoid authentication failures.
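
The format, domain, URI, chain ID and time rules above can be checked on the client before a message is sent for signing. This is an added example, not code from this changelog or the API it describes: the function names, sample address and nonce are constructed, the chain ID list holds only the production examples named above, and signature checks (EOA or EIP-1271) are not covered.

```javascript
// Pre-flight check of a SIWE (EIP-4361) message against the rules listed in this changelog.
const ALLOWED_DOMAINS = {
  production: ["api.getunblock.com", "api.bakkt.com"],
  sandbox: ["sandbox.getunblock.com", "sandbox.api.bakkt.com"],
};
const PRODUCTION_CHAIN_IDS = [1, 137, 56]; // examples named in the changelog, not a full list
const MAX_WINDOW_MS = 4 * 60 * 60 * 1000;

// Constructed sample message builder (address and nonce are made up for illustration).
const sample = (domain, chainId, issuedAt, expirationTime) => [
  `${domain} wants you to sign in with your Ethereum account:`,
  "0x1111111111111111111111111111111111111111", "", "Sign in", "",
  `URI: https://${domain}/auth/login`, "Version: 1", `Chain ID: ${chainId}`,
  "Nonce: a1b2c3d4e5f6", `Issued At: ${issuedAt}`, `Expiration Time: ${expirationTime}`,
].join("\n");

function parseSiwe(message) {
  const lines = message.split("\n");
  const header = /^(\S+) wants you to sign in with your Ethereum account:$/.exec(lines[0] || "");
  const fields = {};
  for (const line of lines.slice(2)) {
    const m = /^(URI|Version|Chain ID|Nonce|Issued At|Expiration Time|Not Before): (.+)$/.exec(line);
    if (m) fields[m[1]] = m[2];
  }
  return { domain: header ? header[1] : null, address: lines[1] || "", fields };
}

// Returns a list of rule violations; an empty list means the message passes these checks.
function checkSiwe(message, stage, now = new Date()) {
  const errors = [];
  const { domain, address, fields } = parseSiwe(message);
  if (!domain || !/^0x[0-9a-fA-F]{40}$/.test(address)) errors.push("not a valid EIP-4361 header");
  if (!(ALLOWED_DOMAINS[stage] || []).includes(domain)) errors.push("domain not allowed for stage");
  if (fields["URI"] !== `https://${domain}/auth/login`) errors.push("uri mismatch");
  const chainId = Number(fields["Chain ID"]);
  if (!Number.isInteger(chainId)) errors.push("chainId missing");
  else if (stage === "sandbox" && PRODUCTION_CHAIN_IDS.includes(chainId)) errors.push("production chainId on sandbox");
  const issued = Date.parse(fields["Issued At"]);
  const expires = Date.parse(fields["Expiration Time"]);
  if (Number.isNaN(issued) || Number.isNaN(expires)) {
    errors.push("issuedAt and expirationTime are required");
  } else {
    if (issued > now.getTime()) errors.push("issuedAt in the future");
    if (expires <= now.getTime()) errors.push("expired");
    if (expires - issued > MAX_WINDOW_MS) errors.push("validity window exceeds 4 hours");
  }
  const nb = fields["Not Before"];
  if (nb !== undefined && !(Date.parse(nb) <= now.getTime())) errors.push("notBefore not yet reached");
  return errors;
}
```
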


🇵🇰 PKR Offramps Now Available

Offramps to Pakistani Rupee (PKR) are now supported in Sandbox.

Users can convert crypto to PKR and withdraw to supported Pakistani bank accounts, expanding remittance coverage across South Asia.


🇺🇸 USD Offramps Re-Enabled

USD offramp flows are now turned back on in Sandbox.

Users can convert crypto to USD and withdraw to US bank accounts via ACH.

Important Update: Additional Beneficiary Information Required

Creating USD beneficiaries now requires additional information compared to previous versions. Requests that do not include the newly required data will be rejected. Please review the updated API documentation before testing or moving to production.


📬 Webhook Improvements

account_name Now Included in cryptoToFiat Webhooks

The account_name field is now included in the cryptoToFiat webhook payload under beneficiaryDetails.accountDetails.

This improves beneficiary visibility and helps merchants with reconciliation and payout confirmation.


🔮 What’s Next

We’re actively working on expanding payout coverage to:

  • 🇨🇴 Colombia — COP
  • 🇰🇪 Kenya — KES
  • 🇬🇭 Ghana — GHS
  • 🇯🇵 Japan — JPY

🔐 Ongoing Compliance Improvements

We’re continuing internal work to improve fraud detection, monitoring, and compliance capabilities. These enhancements are largely behind the scenes but strengthen system reliability and long-term merchant protections.