Once a sandbox is running, how does your app actually send its calls to us instead of the real vendor? The answer is deliberately boring: you change the base URL. Nothing intercepts traffic.

Change the address, not the request

An API call is just an HTTPS request to a base URL baked into the SDK. stripe.charges.create(...) becomes POST https://api.stripe.com/v1/charges. That base URL is the only thing tying the call to the vendor’s servers — the path, headers, body, and key are just data riding along. So we don’t intercept in the wiretap sense. We point the SDK’s base URL at the sandbox, and every call arrives at us instead, byte-for-byte unchanged:

    const stripe = new Stripe(PRODBREAK_KEY, {
      host: PRODBREAK_URL,            // http://localhost:8801 locally, or a hosted URL
    });

Because your app willingly connects to our host, HTTPS just works with a normal certificate — no MITM proxy, no custom CA to install. In a test, the fixture does this for you: sandbox.client() returns the SDK already pointed and keyed.
The instance key authenticates you to one world — it does not select among worlds (there’s only one per instance). A wrong key is a 401. See Worlds.
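
Because the key and body arrive at whatever host the base URL names, it is worth vetting the override before a client is built with it. The check below is an added example, not ProdBreak's or Stripe's code; the function name, the policy it enforces, and the sample key and hostnames are assumptions constructed for illustration.

```javascript
// Added example (not ProdBreak's or Stripe's code): vet a base-URL override
// before an SDK client is built with it. Policy and names are assumptions.
const VENDOR_HOSTS = new Set(["api.stripe.com"]);   // vendor host named on the page
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);
const LIVE_KEY = /^(sk|rk)_live_/;                  // Stripe live-mode key prefixes

function checkSandboxTarget(baseUrl, key) {
  let url;
  try {
    url = new URL(baseUrl);
  } catch {
    throw new Error(`not an absolute URL: ${baseUrl}`);
  }
  const host = url.hostname.toLowerCase();
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    // Also catches "localhost:8801", which parses with the scheme "localhost:".
    throw new Error(`unsupported scheme ${url.protocol}`);
  }
  if (VENDOR_HOSTS.has(host)) {
    throw new Error("override still names the vendor host; calls would reach the real API");
  }
  if (url.protocol === "http:" && !LOOPBACK_HOSTS.has(host)) {
    // The key is sent on every request, so clear text is tolerable only on loopback.
    throw new Error("plain HTTP to a non-loopback host would expose the key in transit");
  }
  if (url.username || url.password) {
    throw new Error("credentials embedded in the base URL end up in logs; pass the key separately");
  }
  if (LIVE_KEY.test(key)) {
    // The request arrives unchanged, so a live vendor key would be disclosed to the sandbox host.
    throw new Error("refusing to send a live-mode vendor key to a non-vendor host");
  }
  // Split form, for SDKs that take protocol, host and port as separate options.
  return {
    protocol: url.protocol.slice(0, -1),
    host,
    port: url.port || (url.protocol === "https:" ? "443" : "80"),
  };
}

// Constructed sample values, for illustration only.
console.log(checkSandboxTarget("http://localhost:8801", "pb_constructed_key"));
```

The function throws instead of returning a flag so that a misconfigured test run stops before the first request carries a key anywhere.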

Why armed faults are the lever

This is the most important consequence of “change the address.” Because the request rides in unmodified, any control that has to travel inside the request only works when your test code makes the call directly. The headline use case — point your unmodified app at the sandbox and run its real code path — can only be steered from out of band.

Mechanism | Test makes the call | Unmodified app makes the call
Armed fault (sandbox.faults.arm) | | ✅ — out-of-band, always reachable
Scenario header (X-Mock-Scenario) | | ❌ — your app won’t add the header
Magic input value | | ⚠️ — only if the app happens to send it

Takeaway: when you’re testing your app’s real code path, reach for armed faults. Headers and magic values are for fixture-style scaffolding from inside test code.

When base-URL override isn’t enough

Almost every modern SDK exposes a base-URL option or env var, so this is the default and covers the common case. For the rare app that hardcodes the vendor host with no override, ProdBreak has a spectrum of lower-level options — DNS override + local CA, an HTTP(S) proxy, or a Docker-network gateway for CI.
These lower layers are post-MVP. If your SDK can’t be repointed, get in touch — but for every SDK we’ve checked, the one-line base-URL change is all you need.