# Going to Production

When your integration is working in sandbox, use this checklist to prepare for your production launch.

## Production Checklist

### Credentials and Security

- [ ] **Production credentials** — Request production credentials from your account manager. Sandbox credentials do not work in production.
- [ ] **Secrets storage** — `client_secret` and webhook secrets are stored in a secrets manager (not in code or hardcoded environment variables).
- [ ] **Server-side calls** — All API calls are made from your backend. No credentials are exposed on the frontend.
- [ ] **Planned rotation** — Define a process for [credential rotation](/apis/concepts/authentication#gerenciamento-de-credenciais) every 90 days.

### Resilience

- [ ] **Idempotency on POSTs** — The SDKs automatically generate an `Idempotency-Key` on every `POST` request, ensuring safety on retries. If using cURL/HTTP directly, include the header manually.
- [ ] **Retry with backoff** — `429` and `500` errors are retried with exponential backoff and jitter. The SDKs handle this automatically.
- [ ] **401 handling** — Your client automatically renews the token upon receiving a `401` with code `token_expired`.
- [ ] **Validation errors** — `422` errors are handled by displaying the `errors` array to the user (field + message).

### Webhooks

- [ ] **Signature verification** — Every webhook delivery is verified with HMAC-SHA256 before processing. See [Webhooks](/apis/concepts/webhooks#verifica%C3%A7%C3%A3o-manual-de-assinatura).
- [ ] **Handler idempotency** — Your handler uses `webhook-id` as a deduplication key. The same event may be delivered more than once.
- [ ] **Fast response** — The handler returns `200` within 5 seconds and processes the event asynchronously.
- [ ] **Replay protection** — Webhooks with a `webhook-timestamp` older than 5 minutes are rejected.

### Monitoring

- [ ] **Error alerts** — Monitor `5xx` responses and webhook failures.
- [ ] **Rate limit tracking** — Monitor the `X-RateLimit-Remaining` headers to avoid throttling.
- [ ] **Customer status** — Track customers stuck in `pending_kyc` or `under_review` for excessive periods.

## Production URLs

| Environment | Base URL |
| --- | --- |
| Sandbox | `https://sandbox.api.dinie.com.br/v3` |
| **Production** | `https://api.dinie.com.br/v3` |

Update the base URL and credentials. The API is identical in both environments.

## Support

- **Email:** api@dinie.com.br
- **Status:** [status.dinie.com.br](https://status.dinie.com.br)
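
The three webhook checks from the checklist above (signature verification, replay protection, `webhook-id` deduplication) combined in one function, as an added example that is not the provider's own code. The `webhook-signature` header name, the `id.timestamp.body` signed content and the base64 encoding are assumptions; take the real scheme from the Webhooks documentation.

```python
import base64
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 5 * 60  # checklist: reject webhook-timestamp older than 5 minutes


class WebhookRejected(Exception):
    """Raised when a delivery fails a check and must not be processed."""


def sign(secret: bytes, webhook_id: str, timestamp: str, body: bytes) -> str:
    # ASSUMPTION: signed content is "<webhook-id>.<webhook-timestamp>.<raw body>",
    # output base64-encoded. Confirm against the Webhooks documentation.
    signed = webhook_id.encode() + b"." + timestamp.encode() + b"." + body
    return base64.b64encode(hmac.new(secret, signed, hashlib.sha256).digest()).decode()


def verify_delivery(secret, headers, body, seen_ids, now=None):
    """Return "process" for a new valid event, "duplicate" for a redelivery.

    headers: dict with lower-case keys; body: the raw request bytes, unparsed.
    """
    now = time.time() if now is None else now
    try:
        webhook_id = headers["webhook-id"]
        timestamp = headers["webhook-timestamp"]
        signature = headers["webhook-signature"]  # ASSUMPTION: header name
        sent_at = int(timestamp)
    except (KeyError, ValueError) as exc:
        raise WebhookRejected("missing or malformed webhook header") from exc

    # 1. Signature first, over the raw bytes, compared in constant time.
    expected = sign(secret, webhook_id, timestamp, body)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        raise WebhookRejected("bad signature")

    # 2. Replay window. The timestamp is covered by the MAC, so it is trusted
    #    only after step 1. abs() also rejects timestamps far in the future.
    if abs(now - sent_at) > TOLERANCE_SECONDS:
        raise WebhookRejected("timestamp outside tolerance")

    # 3. Deduplicate on webhook-id: acknowledge a redelivery, do not reprocess.
    if webhook_id in seen_ids:
        return "duplicate"
    seen_ids.add(webhook_id)  # production: atomic insert in a shared store with a TTL
    return "process"
```

Return `200` for both `"process"` and `"duplicate"` and hand the event to a queue, so the handler stays inside the 5-second response budget.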