Going to Production
Everything you need to switch from sandbox to production
This guide covers everything required to move from sandbox testing to live production payments.
#Environment URLs
| Environment | Base URL | Purpose |
|---|---|---|
| Sandbox | https://sandbox.api.exirom.com/api | Testing and development |
| Production | https://api.exirom.com/api | Live payments |
Both environments use identical API contracts. All endpoints, request/response schemas, and webhook formats are the same.
TLS requirement: All API communication must use TLS 1.2 or higher. Connections using older TLS versions are rejected.
#Rate Limits
Production API traffic is limited to 40 requests per minute per IP address.
If your server IPs are whitelisted, this rate limit does not apply. Contact your assigned account manager to whitelist your production IP addresses before going live.
#Credentials
#Obtaining Production Credentials
- Contact the Exirom operations team to request production credentials
- You'll receive a Merchant Key and Merchant Secret for production
- These are different from your sandbox credentials — sandbox tokens do not work in production
#Credential Management
- Store credentials in environment variables or a secrets manager (AWS Secrets Manager, HashiCorp Vault, etc.)
- Never hardcode credentials in source code or commit them to version control
- Use separate credentials per environment (sandbox, staging, production)
- Rotate credentials immediately if they are exposed
#Token Caching
Tokens are valid for 30 days. Cache and reuse tokens — do not authenticate per request. Refresh proactively at day 29 rather than waiting for a 401.
If a 401 Unauthorized is received, discard the cached token, re-authenticate, and retry the original request once.
→ See Authentication Flow for the full token lifecycle and error reference.
#Webhook Configuration
#Endpoint Requirements
Your webhook endpoint must:
- Accept POST requests with JSON body
- Respond with 200 OK within 10 seconds
- Be publicly accessible (no localhost, no VPN-only)
- Support HTTPS (TLS 1.2+)
#Verify Signatures
Always verify the X-Checksum header in production. See the Webhook Best Practices guide.
#Test Your Endpoint
Before going live, verify your webhook endpoint handles:
- Successful payment callbacks
- Failed payment callbacks
- Duplicate deliveries (same callback twice)
- Out-of-order callbacks
- APM callbacks with
apmTypeparameter - Invalid/missing
X-Checksum(should reject)
Use tools like ngrok or webhook.site during development to inspect callback payloads.
#Monitoring & Alerting
#Key Metrics to Track
| Metric | Alert Threshold | Why |
|---|---|---|
| Payment success rate | < 90% over 15 min | Indicates PSP issue or config problem |
| Avg response time | > 5 seconds | Network or processing degradation |
| Webhook delivery failures | > 5% in 1 hour | Your endpoint may be down |
| 401 Unauthorized rate | Any spike | Token expired or credentials rotated |
| Decline code 29 (Merchant Not Active) | Any occurrence | Account deactivated — contact support immediately |
#What to Log
For every API call, log:
requestId— your unique identifier for correlationtransactionId— Exirom's identifier (from response)traceId— included in error responses for Exirom support- HTTP status code
transactionStatusanddeclineCode- Timestamp
When contacting Exirom support, always include the
transactionIdandtraceId. This dramatically speeds up investigation.
#PCI DSS Compliance (Card API Only)
If you use the Card API (direct card data collection), you are in PCI DSS scope:
| Integration | PCI Requirement |
|---|---|
| Card API (S2S) | PCI DSS Level 1 (SAQ-D) |
| Hosted Payment Page | PCI DSS Level 4 (SAQ-A) — minimal scope |
| Tokenized payments | Depends on how tokens were originally obtained |
If using Card API:
- You must complete SAQ-D self-assessment or Level 1 audit
- Card data must be transmitted over TLS 1.2+ only
- Never log full card numbers — use masked format (
4111********1111) - Never store CVV after authorization
If PCI scope is a concern, consider using the Hosted Payment Page instead — it handles card data on Exirom's PCI-certified infrastructure.
#Pre-Launch Checklist
#Configuration
- Production credentials obtained and stored securely
- API base URL points to
https://api.exirom.com/api(not sandbox) - Webhook endpoint is HTTPS and publicly accessible
- Webhook signature verification is enabled
- Correct
mid/accountIdfor production - Production IP whitelist confirmed with your assigned account manager, if needed
#Code Quality
- Idempotency implemented (unique
requestIdper transaction, reused on retry) - Webhook deduplication in place
- Error handling covers all decline codes
- Token caching with proactive refresh
- 401 retry logic implemented
- Polling fallback for missed webhooks
#Testing
- Full payment flow tested in sandbox (initiate → 3DS → webhook → fulfill)
- Refund flow tested
- Payout flow tested (if applicable)
- Webhook failure/retry tested
- All supported currencies tested
#Operations
- Monitoring dashboards set up
- Alerting configured for key metrics
- On-call process defined for payment failures
- Exirom support contact saved (for escalation)
- Settlement process confirmed with Exirom operations team
#Sandbox vs Production Differences
| Aspect | Sandbox | Production |
|---|---|---|
| Card numbers | Test cards only (4111...) | Real cards |
| Money movement | No real charges | Real money |
| PSP responses | Simulated | Real PSP processing |
| Webhook timing | Near-instant | Depends on PSP (1s–30s typical) |
| 3DS challenges | Simulated challenge pages | Real bank 3DS pages |
| Credentials | Sandbox key/secret | Production key/secret |
Important: Sandbox tokens, transaction IDs, and card tokens are not valid in production. Do not attempt to use sandbox data in the production environment.
#API Health & Support
If you suspect an outage or degraded performance, contact the Exirom support team. Include:
- Affected
transactionId(s) andtraceId(s) from error responses - Time range and approximate volume of affected transactions
- Your
mid
Contact: support@exirom.com — or your assigned account manager
For active production failures, mark your ticket as P1/Critical for expedited response.
| Alert | Threshold | Action |
|---|---|---|
| Payment success rate | < 90% over 15 min | Check PSP status, contact support |
| Webhook failures | > 5% in 1 hour | Verify endpoint health |
| Decline code 29 | Any occurrence | Contact support — account may be deactivated |
401 spike | Sudden increase | Token expired or credentials rotated |
#See Also
- Integration Checklist — track your progress from setup to go-live
- Common Integration Mistakes — avoid frequent pitfalls
- Webhook Best Practices — production-grade callback handling