> ## Documentation Index
> Fetch the complete documentation index at: https://docs.reap.global/llms.txt
> Use this file to discover all available pages before exploring further.

# Setup and Testing

> Register your authorization endpoint and exercise it end to end in sandbox.

## Registering your authorization endpoint

Your authorization endpoint is a webhook registered in `REQUEST` mode. Call [Create a webhook endpoint](/api-reference/webhooks/create-webhook-endpoint) with an HTTPS `url` and `mode` set to `REQUEST`. The response returns a `signingSecret` once. Store it - you need it to [verify request signatures](/webhooks/signature-verification).

* **One per project.** Registering a second `REQUEST` endpoint returns a `409`. To change the URL, update it in place.
* **Rotate-only.** You can rotate the URL and signing secret, but the endpoint cannot be disabled or deleted, so your card program always has a live authorization endpoint.
* **Signed.** Requests are signed with the same scheme as your other webhooks - [verify the signature](/webhooks/signature-verification) before trusting a payload.
* **Required before issuing cards.** In an External project, [card creation](/cards/overview) fails until this endpoint is registered. This guarantees every card in the program has a live decision endpoint behind it.

The authorization endpoint is separate from your notification webhooks. It receives only `CARD_AUTHORIZATION_REQUEST` and never the asynchronous event stream. Register your notification endpoints separately to receive the [transaction lifecycle](/transactions/external-authorization/reconciliation) you reconcile against.

## Testing in sandbox

In a sandbox External project, [Simulate authorization](/api-reference/simulation/simulate-authorization) fires a real signed `CARD_AUTHORIZATION_REQUEST` to your registered endpoint and authorizes based on the decision you return, so you can exercise your decisioning end to end - signature verification, your balance check, and the approve/decline response.

A full run-through, including the follow-on lifecycle webhooks you reconcile against, is in [Testing in Sandbox](/transactions/testing-in-sandbox#scenario-5-external-authorization).
