Before going live, verify the following:Use the SDK unless you have a clear reason to integrate directly with the raw API.
Store secret API keys only in trusted server-side environments.
Never expose sk_live_* or sk_test_* keys in browser or mobile code.
Store ephemeral account secrets securely until ramps complete and recovery is no longer needed.
If using the SDK's default storeEphemeralKeys: true, run the SDK from a directory with restricted filesystem permissions, or set storeEphemeralKeys: false and implement encrypted local storage.
Persist quoteId, rampId, user/session ID, partner order ID, and webhook IDs.
Handle quote expiry by creating fresh quotes.
Use webhooks for transaction lifecycle events and verify every webhook signature against GET /v1/public-key (RSA-PSS / SHA-256).
Poll GET /v1/ramp/{id} for user-facing status screens and GET /v1/ramp/{id}/errors for support tooling.
Test failed, delayed, and retried ramp states in sandbox.
Define a support process for users who close the app before a ramp finishes.
Rotate partner keys if they are exposed or no longer needed.
For BRL flows: confirm your user onboarding path produces a Supabase-authenticated user before invoking the ramp.
Modified at 2026-05-16 09:40:50
