Test before production

Validate AI-generated Veracity integration code against development credentials and sandbox environments before requesting production approval.

Validate AI-generated authentication flows, API calls, and access control logic against Veracity development credentials and sandbox environments before you request production approval, so defects surface during development rather than in a live context.

An AI agent (a program such as Cursor, GitHub Copilot, or Claude Code that uses an LLM to read your code, run commands, and call APIs) generates integration code from training data. That code may produce syntactically valid calls that fail silently against Veracity's OAuth flows, return incorrect access decisions, or behave differently under production credential constraints. Testing in the Veracity development environment catches these issues at low cost before they affect real data or real users.

Before you start

You need:

  • A Veracity developer account with development credentials registered in the Veracity developer portal
  • A registered test application with a client ID and client secret scoped to the development environment
  • The Veracity Development MCP Server configured in your agent so it can retrieve current endpoint and authentication documentation

Set up a development test environment

  1. Register a separate application in the Veracity developer portal for development testing. Do not reuse production credentials for AI-assisted development. Development and production credentials operate against the same identity provider but are scoped separately, which prevents test traffic from affecting production audit logs.

  2. Confirm the redirect URI for your development application matches the URI your AI-generated authentication flow uses. AI agents commonly generate OAuth redirect URIs from generic patterns that do not match the registered URI. Check the generated value before running any authentication test.

  3. Store your development client ID and client secret as environment variables, following the guidance in Secure credentials. Do not paste credentials into your agent's chat or prompt context.

Test authentication flows

  1. Run the AI-generated token acquisition flow against your development credentials and confirm you receive a valid access token. Check that the token audience, scopes, and expiry are correct for your application's requirements.

    # Confirm the token contains the expected scope
    # Decode the JWT payload and inspect the 'scp' claim
    
  2. Test the token refresh flow explicitly. AI-generated OAuth implementations commonly handle initial token acquisition but omit refresh logic or implement it incorrectly. Trigger a token expiry in your test environment and confirm the integration renews the token without requiring re-authentication.

  3. Test failure cases as well as the success path. Confirm that the integration returns an appropriate error when:

    • credentials are invalid
    • the requested scope is not granted
    • the token has expired and refresh fails
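One way to carry out the claim inspection in step 1, as an added example that is not Veracity's own code. It assumes the access token is a compact JWT whose `scp` claim is a space-delimited string or a list; the audience and scope values are constructed placeholders. It decodes the payload for inspection only and does not verify the signature.

```python
import base64
import json
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment for inspection. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))


def check_claims(token, expected_aud, required_scopes, now=None):
    """Return a list of problems; an empty list means the claims look right."""
    now = time.time() if now is None else now
    claims = decode_jwt_payload(token)
    problems = []
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # aud may be str or list
    if expected_aud not in audiences:
        problems.append(f"aud is {aud!r}, expected {expected_aud!r}")
    scp = claims.get("scp", "")
    granted = set(scp if isinstance(scp, list) else str(scp).split())
    missing = sorted(set(required_scopes) - granted)
    if missing:
        problems.append(f"missing scopes: {missing}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        problems.append("exp claim is missing or not numeric")
    elif exp <= now:
        problems.append("token is expired")
    return problems


# Constructed sample token: placeholder claims and a dummy signature segment.
def make_sample_token(claims: dict) -> str:
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.sig"


SAMPLE_TOKEN = make_sample_token(
    {"aud": "dev-api-placeholder", "scp": "example.read", "exp": 2_000_000_000}
)
```

Run `check_claims` on the token your development application actually receives, with the audience and scopes your integration requires.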

Test API calls and access control

  1. Run each AI-generated API call against your development environment and confirm the response matches the schema documented in the Veracity Development MCP Server. If the response differs, ask your agent to retrieve the current documentation and regenerate the call.

  2. Test access control logic with a restricted account. Create or configure a test user with a role that should not have access to a specific resource, then confirm the integration correctly denies access. AI-generated permission checks are frequently incomplete: they check for the presence of a role but not for its scope within the tenant or workspace.

  3. Confirm that the integration handles HTTP 403 and HTTP 401 responses distinctly. A 401 means the token is invalid or expired; a 403 means the authenticated caller does not have permission. AI-generated error handling often treats both as authentication failures, which hides authorisation defects.
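The distinction in step 3, as an added example that is not Veracity's own code. The `send`, `get_token` and `refresh_token` callables and the fake API are hypothetical stand-ins so the logic runs offline: a 401 triggers one token renewal and one retry, while a 403 is surfaced as an authorisation failure without any refresh.

```python
class AuthenticationError(Exception):
    """401 persisted after a refresh: the token or credentials are not accepted."""


class AuthorizationError(Exception):
    """403: the caller is authenticated but lacks permission for the resource."""


def call_api(send, get_token, refresh_token):
    """Call an API with distinct handling for 401 and 403.

    send(token) -> (status, body); get_token() and refresh_token() -> str.
    All three are hypothetical callables supplied by the caller.
    """
    status, body = send(get_token())
    if status == 401:
        # Token invalid or expired: renew once, then retry exactly once.
        status, body = send(refresh_token())
        if status == 401:
            raise AuthenticationError("token rejected after refresh")
    if status == 403:
        # Permission problem: a new token will not help, so no refresh or retry.
        raise AuthorizationError("authenticated caller lacks permission")
    if not 200 <= status < 300:
        raise RuntimeError(f"unexpected status {status}")
    return body


# Constructed stand-in for a development API; records every token it is sent.
def make_fake_api(valid_token, allowed):
    calls = []

    def send(token):
        calls.append(token)
        if token != valid_token:
            return 401, None
        if not allowed:
            return 403, None
        return 200, {"ok": True}

    return send, calls
```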

Request production approval

  1. Once all tests pass against development credentials, review the Veracity developer portal documentation for the production approval process. Production access for applications accessing regulated data or cross-tenant resources requires a separate review step.

  2. Do not promote AI-generated code to production without a human review of the authentication and access control logic. Use the Verify generated code guide to check the implementation against current official documentation before submitting for production approval.

Limitations

  • Veracity development credentials and production credentials share the same identity provider but may differ in available scopes and resource access. A flow that works in development may require additional permission grants before it works in production.
  • The development environment does not replicate all production data shapes or volume. Test for correctness, not performance.
  • AI agents cannot run authenticated tests on your behalf without access to your credentials. All tests described here must be executed by you in your own development environment.