← All docs

Going Live

Going live

Before switching your integration from sandbox to production, run through this checklist.

API keys

  • Create an idv_live_* key at Developers → API keys (separate from your sandbox key)
  • Store the live secret in your secrets manager, not in source control
  • Rotate old keys — revoke any unused sandbox keys

Webhook endpoints

  • Add your production webhook URL at Developers → Webhooks — it must be HTTPS
  • Copy the signing secret into your production secret store
  • Test it with the Send test event button; confirm your service responds 2xx within 10 seconds
  • Ensure your endpoint tolerates duplicate deliveries (idempotent on eventId)
  • Ensure your code tolerates unknown event types and unknown fields

Error handling

  • Exponential backoff on 5xx and 429
  • Idempotency-Key header on all POST retries
  • Timeout on outbound requests to Idova (recommend 15s)

Compliance

  • Add "Powered by Idova" (optional, case-by-case based on your plan)
  • Privacy policy mentions applicant data flows through Idova
  • Store Idova's resourceId and publicId alongside your own user records for traceability

Monitoring

  • Alert on webhook delivery failures (watch the dashboard Deliveries page)
  • Alert on your inbound /v1/* error rate
  • Log every webhook eventId + response time for debugging

Rollout

  • Dual-run sandbox and live for the first 24 hours; compare outcomes
  • Have a kill-switch that falls back to manual review if Idova calls fail for > 5 minutes

That's it — when all boxes are checked, flip the environment config in your app and you're live.