Step 5 of 5 · ~15 min

Go Live Checklist

Before switching your integration to use live keys, every item on this checklist should be complete. Check off each item as you confirm it in your codebase.

Security — blocking issues

Secret key is in a secrets manager or environment variable — not hardcoded, not in version control
Webhook signature is verified on every inbound request — using timingSafeEqual / compare_digest (timing-safe comparison)
Publishable key only in client-side code — secret key never sent to browser or mobile app
API keys are different per environment — sk_test_ in dev/staging, sk_live_ in production only

Reliability — required for production

Idempotency key on every transfer creation — using UUID v4 generated once per business operation, not per retry
Idempotent webhook handler — processing the same event ID twice does not cause duplicate side effects
Retry logic for 5xx errors — with exponential backoff and jitter (max 3 retries)
Webhook returns 200 before processing — heavy work is done after responding, not before

Idempotency key lifecycle

Generate the key once per business operation (e.g., "pay invoice #1234"). Store it with the record. If you need to retry the API call, reuse the same key — the API will return the original response instead of creating a duplicate transfer.

Error handling

HTTP Status	Error type	Action
400	Validation error	Fix request params — do not retry
401	Auth failure	Check API key — do not retry
422	Business rule violation	Log and surface to user — do not retry
429	Rate limit	Retry after `Retry-After` header value
503	Service unavailable	Retry with exponential backoff

Application handles transfer.returned webhook — notifies appropriate party, updates records
Rate limit errors (429) handled with backoff, not immediate retry loops
Network timeout is set (recommended: 30s) — no indefinite waits

Compliance & regulatory

KYB (Know Your Business) review completed — live key is enabled in dashboard
ACH authorization language obtained from end-user before initiating debit
Transfer descriptions are accurate and non-misleading — required by NACHA rule
Debit authorization records stored for minimum 2 years per NACHA requirements

ACH debit authorization is required by law

Before debiting a bank account, you must obtain written or electronic authorization from the account holder. This must include the amount, frequency, and cancellation terms. NACHA Regulation E requirements apply.

Key rotation policy

Document and implement a key rotation process before going live — not after your first incident.

Zero-downtime rotation procedure documented: generate new key → update secrets manager → deploy → verify → revoke old key
Rotation schedule set: every 90 days minimum, immediately after any employee departure with key access
Alert configured for unexpected API key usage outside normal patterns

Final pre-launch confirmation

All items above are checked
Code reviewed by a second engineer
Integration tested end-to-end in sandbox with all ACH return code scenarios
Production sk_live_ key loaded and ping returns {"environment": "live"}

← Step 4