Skip to content

Go-Live Checklist Fresh

Use this checklist when taking your integration live. Stripe's sandbox and live environments function as similarly as possible — switching between them is mostly a matter of swapping API keys.

API configuration

  • [ ] Set the API version — Upgrade to the latest API version in Workbench within the Dashboard

    • For dynamic languages (Node.js, PHP, Python, Ruby): set the API version in the server-side library
    • For strongly typed languages (Go, Java, TypeScript, .NET): upgrade to the latest library version
  • [ ] Rotate and secure API keys — Before going live:

    • Rotate your keys in case they've been saved somewhere during development
    • Confirm no API keys are committed to your codebase or config files
    • Store live secret keys in a secrets vault or environment variables

Integration quality

  • [ ] Handle edge cases — Test your integration with:

    • Incomplete data
    • Invalid data
    • Duplicate data (retry the same request to see what happens)
    • Have someone outside your team test the integration
  • [ ] Review your API error handling — Ensure your code handles every possible error type:

    • card_error — customer-facing (card declined, wrong CVC, etc.)
    • invalid_request_error — bad API call from your server
    • api_error — Stripe-side issue, retry with backoff
    • authentication_error — wrong API key
    • rate_limit_error — slow down and retry
  • [ ] Review your logging — Stripe logs all requests in the Dashboard. Also maintain your own logs for backup. Never log sensitive card data or PII.

Test object migration

  • [ ] Ensure you're not relying on test objects — Stripe objects created in sandbox (Products, Prices, Coupons, Customers) aren't usable in live mode. Re-create necessary objects in live mode with the same IDs to ensure code compatibility.

Webhooks

  • [ ] Register production webhooks — Test webhooks don't fire in live mode. Create live webhook endpoints:
    • Confirm the live endpoint functions identically to your test endpoint
    • Handle delayed webhook notifications (Stripe may retry for hours)
    • Handle duplicate webhook notifications (idempotency required)
    • Don't assume events arrive in a specific order

Security

  • [ ] Use HTTPS — All pages collecting payment information must use TLS 1.2+
  • [ ] Verify webhook signatures — Use the signing secret to verify every incoming webhook

Going live

Replace test keys with live keys everywhere:

bash
# Test (sandbox)
STRIPE_SECRET_KEY=sk_test_...
STRIPE_PUBLISHABLE_KEY=pk_test_...

# Live
STRIPE_SECRET_KEY=sk_live_...
STRIPE_PUBLISHABLE_KEY=pk_live_...

Never mix test and live keys in the same environment.

Post-launch monitoring

  • Subscribe to API announcements to keep up with new features and deprecations
  • Monitor the Stripe Dashboard Logs section regularly
  • Set up alerts for spike in failed payments, disputes, or error rates

Stripe API Reference - Self-contained docs reference, refreshed 2026-05-18