Going Live Checklist

All flows tested in sandbox

Run every user journey end-to-end in sandbox before switching to live.

Error handling implemented

Handle 4xx and 5xx responses gracefully. Never show raw API errors to end users.

Webhook HMAC verification active

Every incoming webhook is verified with timingSafeEqual before processing.

Webhook handler is idempotent

Processing the same event twice doesn't create duplicate records or charges.

external_ref set on all requests

Correlate D-ME verification IDs with your internal user records via external_ref.

Live API key in environment variable

DME_API_KEY is set as a secret env var — never hardcoded in source code.

API calls made server-side only

No D-ME API calls from client-side JavaScript. The key must never reach the browser.

Webhook secret in environment variable

DME_WEBHOOK_SECRET stored as a secret, not in code or version control.

Webhook URL is HTTPS

D-ME only delivers to HTTPS endpoints. HTTP is rejected.

PII not logged

Ensure ID numbers, DOB, and names from responses are not written to application logs.

Payment method added

A valid payment method is on file in the dashboard before switching to live keys.

Live key activated

Generated a live key (dme_live_) from the dashboard or /onboarding flow.

Usage alerts configured

Set up billing alerts in the dashboard to avoid surprise overages.

Rate limits reviewed for your tier

Your integration respects rate limits and implements exponential backoff on 429.

Retry logic with backoff

Transient 5xx errors are retried with jitter. Don't retry 4xx (except 429).

Error monitoring set up

Sentry, Datadog, or equivalent captures and alerts on D-ME API errors in production.