Using WSO2 Api-M On-Prem v3.1.0.
I have set up an API in Publisher with different endpoints for Production and Sandbox. Using API Key as Application Level Security. Enabled Security for my GET resource.
In DevPortal I created an Application and set up an subscription for my API. Generated Sandbox API Key and used "Try Out" in DevPortal. I can select Key Type "Production" and enter my Sandbox Key, I get OK response from Production endpoint.
If I change Key Type to Sandbox, I still get response from Production endpoint. I see in http_access_.YYYY-MM-DD log that both requests are sent to my production endpoint.
Why isn't my request sent to Sandbox when I use Sandbox API-Key as described in documentation: