PayMongo HomeGuidesAPI ReferenceStart Building
Guides
Start typing to search…

Go-live Checklist

Requirements and checks to complete before switching from test keys to live keys.

Before you start accepting real payments, go through this checklist. Every item here is either a hard requirement or a strong best practice.

Account Requirements

  • Account verified — complete identity verification in Settings → Business Information on the dashboard
  • Business details filled in — legal name, address, and business type are required before live mode is enabled
  • Bank account linked — required to receive settlements; add it in Settings → Bank Accounts
  • Live mode enabled — contact PayMongo support if live mode isn't yet unlocked on your account

Code and Integration

  • Switch to live API keys — replace all sk_test_ and pk_test_ keys with your sk_live_ and pk_live_ keys
  • Keys stored securely — live secret keys must never be in client-side code, version control, or build artifacts; use environment variables or a secrets manager
  • HTTPS enforced — all API calls and your return_url must use HTTPS; HTTP is not permitted in live mode
  • Webhook endpoint deployed — your webhook listener is running and reachable in production
  • Webhook secret validated — verify the x-paymongo-signature header on all incoming webhook events
  • Error handling implemented — your app handles payment_failed, network errors, and webhook retries gracefully
  • Idempotency handled — avoid double-charging by checking payment status before retrying requests

Payment Flow

  • All payment methods tested — you've tested every method you'll offer (card, GCash, Maya, etc.) end-to-end in test mode
  • 3DS flow tested — if accepting cards, confirm your app handles the 3DS redirect and return_url correctly
  • Refund flow tested — you've verified refunds work and are handled in your app
  • Success and failure states handled — your UI clearly communicates payment success, failure, and pending states to the user

Operational Readiness

  • Monitoring set up — you have alerting for payment failures, webhook delivery failures, or API errors
  • Customer support flow — your team knows how to handle payment disputes and refund requests
  • PCI compliance reviewed — if you're handling raw card data, review your PCI DSS obligations; using Payment Intents with PayMongo's hosted fields reduces your scope

All boxes checked? Switch your keys to sk_live_ and pk_live_, deploy, and you're live.

📘

Questions about account verification or live mode eligibility? Contact [email protected] or visit the Help Center.

Updated 6 days ago