Go-Live Checklist

Before switching from test mode to live mode, verify each item below. This checklist covers the most common integration issues we see.

API integration

  • Use live API keys — Replace fl_test_sk_ keys with fl_live_sk_ keys. Never hardcode keys; use environment variables.
  • Set Idempotency-Key on all POST requests — This prevents duplicate charges on retries. Use deterministic keys tied to your order ID (e.g., payment-order-1234).
  • Store payment.id — Save the Flowlix payment ID (pay_xxx) in your database linked to the order. You need it for refunds and support queries.
  • Amounts in minor units — 4999 means EUR 49.99. Double-check your amount calculations, especially for currencies with different decimal places.

Error handling

  • Handle all error types — Not just card_error. Also handle invalid_request_error, authentication_error, rate_limit_error, and api_error.
  • Show friendly decline messages — Map decline_code to customer-friendly messages. See Decline Codes for guidance.
  • Retry on 5xx errors — Server errors are transient. Retry with exponential backoff (1s, 2s, 4s). Always include the same Idempotency-Key.
  • Don’t retry on 4xx errors — Client errors (except 429) mean the request itself is wrong. Fix the request before retrying.
  • Respect rate limits — Handle 429 responses using the Retry-After header. See Rate Limits.
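
The retry rules in this section combined into one policy, as an added example (not Flowlix's own code). `send` is a hypothetical caller-supplied transport returning `(status, headers, body)`, and the function names are assumptions.

```python
import time

BACKOFF_SECONDS = (1, 2, 4)  # exponential backoff schedule from the checklist


def idempotency_key(order_id):
    # Deterministic: the same order always produces the same key, so a
    # retried POST cannot create a second charge.
    return f"payment-order-{order_id}"


def retry_after_seconds(resp_headers, default):
    # Retry-After in delta-seconds form; anything unparsable (missing
    # header, HTTP-date form) falls back to the backoff delay.
    try:
        return max(0.0, float(resp_headers.get("Retry-After", "")))
    except ValueError:
        return default


def post_with_retry(send, order_id, payload, sleep=time.sleep):
    """Call send(headers, payload) -> (status, response_headers, body).

    `send` is a hypothetical wrapper around the HTTPS POST (assumption:
    it adds the secret key read from an environment variable).
    Returns (status, body, request_ids) so every Flowlix-Request-Id
    can be logged, including those of failed attempts.
    """
    headers = {"Idempotency-Key": idempotency_key(order_id)}
    request_ids = []
    for attempt in range(len(BACKOFF_SECONDS) + 1):
        # Same Idempotency-Key on every attempt.
        status, resp_headers, body = send(dict(headers), payload)
        request_ids.append(resp_headers.get("Flowlix-Request-Id"))
        if status < 400:
            return status, body, request_ids
        # 5xx and 429 are retryable; every other 4xx needs a fixed request.
        retryable = status == 429 or status >= 500
        if not retryable or attempt == len(BACKOFF_SECONDS):
            return status, body, request_ids
        delay = BACKOFF_SECONDS[attempt]
        if status == 429:
            delay = retry_after_seconds(resp_headers, default=delay)
        sleep(delay)
```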

Security

  • Secret keys server-side only — Never expose fl_live_sk_ keys in client-side code, mobile apps, or logs.
  • Use HTTPS everywhere — All API calls must use HTTPS. The API rejects plain HTTP.
  • Validate webhooks (when available) — Verify webhook signatures to prevent spoofed events.
  • Never log card numbers — Only use card.last4 from the response. Full PANs must never touch your logs.
  • PCI DSS compliance — If you use the Direct API (card data in request body), your systems are in PCI DSS scope. Use the Hosted Payment Page to reduce scope.

Testing

  • Test all payment scenarios — Success, decline (insufficient funds, expired card, generic decline), refund.
  • Test idempotency — Send the same request twice with the same Idempotency-Key and verify you get the same response.
  • Test error handling — Use test cards to simulate declines and verify your error messages.
  • Test HPP redirect flow (if applicable) — Verify the full redirect cycle: create session, redirect to HPP, handle callback, verify status server-side.

Monitoring

  • Log request_id — Store the Flowlix-Request-Id from every API response. Include it when contacting support.
  • Monitor decline rates — A sudden spike in declines may indicate an issue with your integration or fraud.
  • Set up alerts — Alert on 5xx error rates, high decline rates, and rate limit hits.

When you’re ready

  1. Obtain your live API key from the Flowlix Dashboard.
  2. Set the live key in your production environment variables.
  3. Make a small test payment with a real card to verify the integration end-to-end.
  4. Monitor the first few transactions closely.

Need help going live? Contact developers@flowlix.eu and we’ll review your integration.