NamoID Docs

Environments

Every project has isolated test and live environments. They're Stripe-style separations: fully isolated so you can build and test against NamoID without test sign-ups polluting your real user count or burning production OTP budget.

What's isolated

Each environment has its own:

  • Users — a test sign-up never appears in production.
  • Applications (OAuth/OIDC clients) and auth keys — with environment-encoded prefixes.
  • Issuer — a separate discovery document and JWKS.
  • OTP budget — a per-environment monthly spend cap on OTP sends.
  • Auth configuration — sign-in methods, MFA mode, access mode, branding.

Credential prefixes

Credentials carry their environment in the prefix, so you can tell at a glance which environment — and which type — a credential is:

CredentialTestLive
OAuth client IDidpc_test_…idpc_live_…
OAuth client secretidps_test_…idps_live_…
Auth publishable keynamoid_auth_pk_test_…namoid_auth_pk_live_…
Auth secret keynamoid_auth_sk_test_…namoid_auth_sk_live_…

Platform (tenant-scoped) secret keys are environment-independent and use namoid_platform_sk_…. They are for trusted automation — including AI agents that set up NamoID on behalf of a tenant — and the target environment is passed in the API route or request body. See API keys.

A test credential only works against the test issuer; pointing a test OAuth client at the live issuer is rejected at the token endpoint. This guard is what keeps a test key from ever touching live users.

OTP spend caps

Each environment has a monthly OTP spend limit (in USD). Sends reserve budget atomically before dispatch and refund it if delivery fails, so a runaway loop or an OTP-flood attack can't run up an unbounded bill. When the cap is reached, further sends in that environment are blocked until the next cycle.

Promoting to live

You build against test, then promote. The dashboard surfaces a promote-to-live flow that shows a diff of the auth configuration between environments before you apply it to live, so going live is a reviewed, deliberate step rather than accidental drift. Credentials and users do not copy across — only configuration — so live starts clean.

Choosing the right environment while integrating

Use the env switcher in the dashboard to select test while wiring up your app, and set your app's NAMOID_ISSUER + client credentials to the test values. When you're ready, create live credentials, point your production deployment at the live issuer, and promote your auth config.