Going live
Before switching your integration from sandbox to production, run through this checklist.
API keys
- Create an
idv_live_*key at Developers → API keys (separate from your sandbox key) - Store the live secret in your secrets manager, not in source control
- Rotate old keys — revoke any unused sandbox keys
Webhook endpoints
- Add your production webhook URL at Developers → Webhooks — it must be HTTPS
- Copy the signing secret into your production secret store
- Test it with the Send test event button; confirm your service responds
2xxwithin 10 seconds - Ensure your endpoint tolerates duplicate deliveries (idempotent on
eventId) - Ensure your code tolerates unknown event types and unknown fields
Error handling
- Exponential backoff on 5xx and 429
-
Idempotency-Keyheader on all POST retries - Timeout on outbound requests to Idova (recommend 15s)
Compliance
- Add "Powered by Idova" (optional, case-by-case based on your plan)
- Privacy policy mentions applicant data flows through Idova
- Store Idova's
resourceIdandpublicIdalongside your own user records for traceability
Monitoring
- Alert on webhook delivery failures (watch the dashboard Deliveries page)
- Alert on your inbound /v1/* error rate
- Log every webhook
eventId+ response time for debugging
Rollout
- Dual-run sandbox and live for the first 24 hours; compare outcomes
- Have a kill-switch that falls back to manual review if Idova calls fail for > 5 minutes
That's it — when all boxes are checked, flip the environment config in your app and you're live.
