Skip to main content
Use this checklist before moving real payment volume through the merchant API.

Credentials

  • Create production API credentials in the merchant dashboard.
  • Store X-Api-Secret in a secret manager.
  • Confirm secrets are not exposed in browser, mobile, logs, analytics, or public repositories.
  • Document the credential rotation process.

Payment flows

  • Store all resource IDs returned by create responses.
  • Use a unique Idempotency-Key for every distinct create request.
  • Confirm quote expiry handling creates a fresh quote.
  • Confirm payin, payout, and transfer records can move from pending to final status.
  • Confirm your merchant account has the required operators and corridors enabled.

Webhooks

  • Configure production webhook endpoints.
  • Verify X-Bumxpress-Signature before processing events.
  • Process duplicate webhook deliveries idempotently.
  • Reconcile missed events with GET endpoints.
  • Return 2xx only after accepting an event.

Operations

  • Add internal dashboards or logs for customer, quote, payment, transfer, and webhook IDs.
  • Define support procedures for pending, failed, and duplicate-looking payments.
  • Monitor API error rates and webhook delivery failures.
Last modified on July 8, 2026