All requests to the API must be performed over SSL.

While the production endpoint has an SSL certificate signed by a certificate authority (CA), the certificate in use in the sandbox environment is self-signed. This doesn't affect the security of the data being transferred, but keep it in mind if you're trying to verify the certificate.