When your integration is working in sandbox, use this checklist to prepare for your production launch.
- Production credentials — Request production credentials from your account manager. Sandbox credentials do not work in production.
- Secrets storage — `client_secret` and webhook secrets are stored in a secrets manager (not in code or hardcoded environment variables).
- Server-side calls — All API calls are made from your backend. No credentials are exposed on the frontend.
- Planned rotation — Define a process for credential rotation every 90 days.
- Idempotency on POSTs — The SDKs automatically generate an `Idempotency-Key` on every `POST` request, ensuring safety on retries. If using cURL/HTTP directly, include the header manually.
- Retry with backoff — `429` and `500` errors are retried with exponential backoff and jitter. The SDKs handle this automatically.
- 401 handling — Your client automatically renews the token upon receiving a `401` with code `token_expired`.
- Validation errors — `422` errors are handled by displaying the `errors` array to the user (field + message).
- Signature verification — Every webhook delivery is verified with HMAC-SHA256 before processing. See Webhooks.
- Handler idempotency — Your handler uses `webhook-id` as a deduplication key. The same event may be delivered more than once.
- Fast response — The handler returns `200` within 5 seconds and processes the event asynchronously.
- Replay protection — Webhooks with a `webhook-timestamp` older than 5 minutes are rejected.
- Error alerts — Monitor `5xx` responses and webhook failures.
- Rate limit tracking — Monitor the `X-RateLimit-Remaining` headers to avoid throttling.
- Customer status — Track customers stuck in `pending_kyc` or `under_review` for excessive periods.
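
The webhook items in the checklist above (signature verification, replay protection, deduplication on `webhook-id`) combine into a single gate in front of the handler. The following is an added example, not Dinie's own code: the `webhook-signature` header name, the `<id>.<timestamp>.<body>` signed string, hex encoding, Unix-seconds timestamps and the 24-hour deduplication TTL are assumptions, so take the real format from the Webhooks page.

```python
import hashlib
import hmac
import time

REPLAY_WINDOW = 5 * 60      # seconds; the 5-minute limit from the checklist
DEDUP_TTL = 24 * 3600       # ASSUMPTION: must outlive the sender's retry schedule
_seen = {}                  # webhook-id -> expiry; use Redis or a DB table in production


def sign(secret, msg_id, timestamp, body):
    # ASSUMPTION: MAC covers "<id>.<timestamp>.<raw body>" and is hex-encoded.
    signed = msg_id.encode() + b"." + timestamp.encode() + b"." + body
    return hmac.new(secret, signed, hashlib.sha256).hexdigest()


def verify_webhook(secret, headers, body, now=None):
    """Return 'accept' or 'duplicate'; raise ValueError if the delivery is rejected."""
    now = time.time() if now is None else now
    h = {k.lower(): v for k, v in headers.items()}
    try:
        msg_id = h["webhook-id"]
        ts_raw = h["webhook-timestamp"]
        received = h["webhook-signature"]   # ASSUMPTION: hypothetical header name
        ts = int(ts_raw)
    except (KeyError, ValueError):
        raise ValueError("missing or malformed webhook headers") from None

    # 1. Signature over the raw request bytes, compared in constant time.
    expected = sign(secret, msg_id, ts_raw, body)
    if not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("bad signature")

    # 2. Replay window. The timestamp is covered by the MAC, so it is trusted here.
    if now - ts > REPLAY_WINDOW:
        raise ValueError("timestamp older than replay window")

    # 3. Deduplicate only authenticated deliveries, after expiring old entries.
    for k in [k for k, exp in _seen.items() if exp <= now]:
        del _seen[k]
    if msg_id in _seen:
        return "duplicate"
    _seen[msg_id] = now + DEDUP_TTL
    return "accept"
```

On `accept`, enqueue the event and return `200` immediately; on `duplicate`, return `200` without reprocessing so the sender stops retrying.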
| Environment | Base URL |
|---|---|
| Sandbox | https://sandbox.api.dinie.com.br/v3 |
| Production | https://api.dinie.com.br/v3 |
Update the base URL and credentials. The API is identical in both environments.
- Email: api@dinie.com.br
- Status: status.dinie.com.br