Use this checklist before moving real payment volume through the merchant API.
Credentials
- Create production API credentials in the merchant dashboard.
- Store
X-Api-Secret in a secret manager.
- Confirm secrets are not exposed in browser, mobile, logs, analytics, or public repositories.
- Document the credential rotation process.
Payment flows
- Store all resource IDs returned by create responses.
- Use a unique
Idempotency-Key for every distinct create request.
- Confirm quote expiry handling creates a fresh quote.
- Confirm payin, payout, and transfer records can move from pending to final status.
- Confirm your merchant account has the required operators and corridors enabled.
Webhooks
- Configure production webhook endpoints.
- Verify
X-Bumxpress-Signature before processing events.
- Process duplicate webhook deliveries idempotently.
- Reconcile missed events with
GET endpoints.
- Return
2xx only after accepting an event.
Operations
- Add internal dashboards or logs for customer, quote, payment, transfer, and webhook IDs.
- Define support procedures for pending, failed, and duplicate-looking payments.
- Monitor API error rates and webhook delivery failures.
Last modified on July 8, 2026