Submit a sandbox access request
Records a developer’s sandbox sign-up. The portal calls this
immediately after the WorkOS sign-up flow completes; the request
is HMAC-signed with the shared bootstrap secret
(X-Portal-Bootstrap-Signature header), so the embedded
workos_user_id is trusted without an additional JWT round-trip.
The endpoint:
- Verifies the Cloudflare Turnstile token against the canonical
https://challenges.cloudflare.com/turnstile/v0/siteverifyendpoint usingTURNSTILE_SECRET_KEY. - Normalizes the email (strip
+tag, gmail dot-stripping) and rejects when the source IP exceeds 3 sign-ups in 24h or the email domain exceeds 10 in 24h. - Inserts a
v3.access_requestrow withstatus=PENDINGandenvironment=SANDBOX.
Feature-flagged behind ledgersync.v3.portal-gating.enabled;
with the flag off, returns 503.
Headers
Hex HMAC-SHA256 of the raw request body (or, for the GET
status endpoint, of the X-Portal-Workos-User-Id header
value) computed with the shared portal bootstrap secret.
Body
The WorkOS user id of the signed-in developer.
255128128255ISO 3166-1 alpha-2 country code, e.g. US.
2Cloudflare Turnstile token from the portal widget.
Free-text "what are you building" summary.
2000Source IP captured by the portal (used for rate-limiting).
