You will receive client-id and client-secret for sandbox and production environments. In both sandbox and production, you have the same client-id, but the client-secret is not the same in sandbox and in production.
Once you've tested in sandbox environment, you'll receive client-id and client-secret for production in a password protected zip file. That is the only thing you need to go through the OpenID processes.
You will only need to administrate the following:
- 1 client-secret for sandbox
- 1 client-secret for production
- The same client-id for both environments
Once the access token expires, then you can use the refresh token to obtain a new access token. You can do this without merchant involvement. The refresh token expires after 13 months.
You get a new refresh token through the following endpoint: