Skip to content

Going Live Checklist

Work through this checklist before going live to avoid common issues in production.

Account

  • Your account balance is sufficient to cover expected initial order volume
  • Auto top-up is configured so you don’t run out of credit unexpectedly
  • Balance alerts are enabled in Settings → Notifications
  • Two-factor authentication (2FA) is enabled on your portal account

Authentication & security

  • Your API key is stored as an environment variable — not hardcoded in your codebase
  • Your API key is not committed to source control
  • If your integration runs from a fixed IP or server, IP whitelisting is configured
  • You have a plan for rotating your API key if it is ever exposed

Ordering

  • Bundle names used in orders are confirmed to be correct — they are case sensitive
  • ICCIDs returned from orders are stored against the corresponding user or account in your system
  • Your chosen QR code delivery method is implemented and tested end-to-end with a real device

Error handling

  • 400 responses are handled — your code surfaces the message field to aid debugging
  • 403 responses are handled — covering both invalid API key and IP whitelist rejections
  • 429 responses are handled — your code respects the Retry-After header before retrying
  • 500 responses are handled gracefully and logged for investigation

Webhooks

  • A callback URL is configured in the portal (Account Settings → API Details)
  • Callback version is set to V3
  • HMAC signature verification is implemented — callbacks without a valid signature are rejected
  • Your endpoint returns a 2xx response promptly for all callback types
  • You have tested receipt of at least one real webhook event (e.g. a usage notification)
  • esim.deletion_scheduled events are handled — you have a process for deciding whether to reactivate or allow deletion