Can you expand on this further? You’re using a sandbox to “spoof” authentication by intercepting the auth token to a web browser? You use the agent-sdk which is fine but youre supposed to ONLY use that via api I thought?