You will receive client-id and client-secret for sandbox and production. In both sandbox and production, you have the same client-id, but the client-secret is not the same in sandbox and in production.
Once you've tested in sandbox environment, you'll receive client-secret for production in a locked zip file. That is the only thing you need.
You will only need to administrate the following:
- 1 client-secret for sandbox
- 1 client-secret for production
- the same client-id for both environments
Once the access token expires, then you can use the refresh token to obtain a new access token. You can do this without merchant involvement. The refresh token expires after 1 year.
You get a new refresh token through the following endpoint