Go-Live Checklist Fresh
Use this checklist when taking your integration live. Stripe's sandbox and live environments function as similarly as possible — switching between them is mostly a matter of swapping API keys.
API configuration
[ ] Set the API version — Upgrade to the latest API version in Workbench within the Dashboard
- For dynamic languages (Node.js, PHP, Python, Ruby): set the API version in the server-side library
- For strongly typed languages (Go, Java, TypeScript, .NET): upgrade to the latest library version
[ ] Rotate and secure API keys — Before going live:
- Rotate your keys in case they've been saved somewhere during development
- Confirm no API keys are committed to your codebase or config files
- Store live secret keys in a secrets vault or environment variables
Integration quality
[ ] Handle edge cases — Test your integration with:
- Incomplete data
- Invalid data
- Duplicate data (retry the same request to see what happens)
- Have someone outside your team test the integration
[ ] Review your API error handling — Ensure your code handles every possible error type:
card_error— customer-facing (card declined, wrong CVC, etc.)invalid_request_error— bad API call from your serverapi_error— Stripe-side issue, retry with backoffauthentication_error— wrong API keyrate_limit_error— slow down and retry
[ ] Review your logging — Stripe logs all requests in the Dashboard. Also maintain your own logs for backup. Never log sensitive card data or PII.
Test object migration
- [ ] Ensure you're not relying on test objects — Stripe objects created in sandbox (Products, Prices, Coupons, Customers) aren't usable in live mode. Re-create necessary objects in live mode with the same IDs to ensure code compatibility.
Webhooks
- [ ] Register production webhooks — Test webhooks don't fire in live mode. Create live webhook endpoints:
- Confirm the live endpoint functions identically to your test endpoint
- Handle delayed webhook notifications (Stripe may retry for hours)
- Handle duplicate webhook notifications (idempotency required)
- Don't assume events arrive in a specific order
Security
- [ ] Use HTTPS — All pages collecting payment information must use TLS 1.2+
- [ ] Verify webhook signatures — Use the signing secret to verify every incoming webhook
Going live
Replace test keys with live keys everywhere:
bash
# Test (sandbox)
STRIPE_SECRET_KEY=sk_test_...
STRIPE_PUBLISHABLE_KEY=pk_test_...
# Live
STRIPE_SECRET_KEY=sk_live_...
STRIPE_PUBLISHABLE_KEY=pk_live_...Never mix test and live keys in the same environment.
Post-launch monitoring
- Subscribe to API announcements to keep up with new features and deprecations
- Monitor the Stripe Dashboard Logs section regularly
- Set up alerts for spike in failed payments, disputes, or error rates