# Production Checklist

> Verify every item before going live with Blink payments.

Before going live, verify each item:

<Accordion title="Keys and registration" icon="key" defaultOpen>
  <Steps>
    <Step title="Generated an ECDSA P-256 key pair." />

    <Step title="Private key stored in a secrets manager or HSM (not in code, not in env files on disk)." />

    <Step title="Public key registered with Blink; merchantId received and configured." />

    <Step title="Key rotation plan documented." />
  </Steps>
</Accordion>

<Accordion title="Signer endpoint" icon="server" defaultOpen>
  <Steps>
    <Step title="Signer served over HTTPS only." />

    <Step title="Signer authenticates callers (session token, API key, or CORS restriction)." />

    <Step title="Request validation implemented for all fields (amount, chainId, address, token, callbackScheme)." />

    <Step title="Token validation checks for valid contract address format (0x-prefixed hex)." />

    <Step title="Idempotency keys are generated as UUID v4 per request." />

    <Step title="signatureTimestamp included in all signed payloads." />

    <Step title="Rate limiting is in place to prevent abuse." />

    <Step title="Error responses do not leak internal details (stack traces, key paths, etc.)." />

    <Step title="CORS configured to only allow your frontend origin(s)." />
  </Steps>
</Accordion>
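
The request-validation, idempotency, timestamp and error-response items above, shown together as an added example (not Blink's code and not part of the original checklist). The field formats, the `idempotencyKey` field name, a Unix-seconds `signatureTimestamp`, and both allowlists are assumptions; confirm the real formats with Blink before relying on them.

```javascript
// Added example. Formats and allowlists are assumptions, not Blink's specification.
const { randomUUID } = require('node:crypto');

const EVM_ADDRESS = /^0x[0-9a-fA-F]{40}$/;            // assumed: 20-byte, 0x-prefixed hex
const AMOUNT = /^(?:0|[1-9]\d*)(?:\.\d{1,18})?$/;      // assumed: plain decimal string
const ALLOWED_CHAIN_IDS = new Set([1, 8453]);          // constructed allowlist
const ALLOWED_CALLBACK_SCHEMES = new Set(['myshop']);  // constructed allowlist
const FIELDS = ['amount', 'chainId', 'address', 'token', 'callbackScheme'];

// One strict check per field; anything not explicitly accepted is rejected.
const checks = {
  amount: (v) => typeof v === 'string' && AMOUNT.test(v) && /[1-9]/.test(v), // non-zero
  chainId: (v) => Number.isInteger(v) && ALLOWED_CHAIN_IDS.has(v),
  address: (v) => typeof v === 'string' && EVM_ADDRESS.test(v),
  token: (v) => typeof v === 'string' && EVM_ADDRESS.test(v),
  callbackScheme: (v) => typeof v === 'string' && ALLOWED_CALLBACK_SCHEMES.has(v),
};

// Returns the names of missing, malformed, or unexpected fields.
function validateSignerRequest(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, invalid: ['body'] };
  }
  const has = (k) => Object.prototype.hasOwnProperty.call(body, k);
  const invalid = FIELDS.filter((f) => !has(f) || !checks[f](body[f]));
  const unknown = Object.keys(body).filter((k) => !FIELDS.includes(k));
  return { ok: invalid.length + unknown.length === 0, invalid: [...invalid, ...unknown] };
}

// Builds the payload handed to the signing step (signing itself is out of scope here).
function buildPayloadToSign(body, nowMs = Date.now()) {
  const result = validateSignerRequest(body);
  if (!result.ok) {
    // Error body carries field names only: no values, stack traces, or key paths.
    return { status: 400, body: { error: 'invalid_request', fields: result.invalid } };
  }
  const payload = {
    idempotencyKey: randomUUID(),                  // UUID v4, fresh per request
    signatureTimestamp: Math.floor(nowMs / 1000),  // assumed unit: Unix seconds
  };
  // Copy only the validated fields so nothing unchecked ends up signed.
  for (const f of FIELDS) payload[f] = body[f];
  return { status: 200, payload };
}
```
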

<Accordion title="Deposit SDK" icon="code" defaultOpen>
  <Steps>
    <Step title="SDK installed and configured with production signer URL." />

    <Step title="webviewBaseUrl set to the Blink production URL (confirm with Blink)." />

    <Step title="Error handling implemented with DepositError codes and user-friendly messages via getDisplayMessage()." />

    <Step title="deposit.destroy() called on component unmount / page unload." />

    <Step title="Viewport meta tag set correctly for mobile (no unexpected scaling)." />

    <Step title="CSP on your page restricts frame-src to https://pay.blink.cash (see Security & Content Integrity)." />
  </Steps>
</Accordion>

<Accordion title="Content integrity" icon="shield-check" defaultOpen>
  <Steps>
    <Step title="frame-src CSP set so the deposit iframe can only load from Blink." />

    <Step title="Verified the deployed UI against https://pay.blink.cash/manifest.json (optional, for audits)." />

    <Step title="npm audit signatures passes for @swype-org/deposit (registry signature + lockfile integrity)." />
  </Steps>

  See [Security & Content Integrity](/integration/security) for details.
</Accordion>

<Accordion title="Monitoring and reconciliation" icon="chart-line" defaultOpen>
  <Steps>
    <Step title="Signer requests and responses logged (excluding private key material)." />

    <Step title="reference and/or metadata used for correlating payments with internal orders." />

    <Step title="Transfer status verified server-side (do not rely solely on the client-side DepositResult)." />

    <Step title="Alerting configured for signer errors, timeouts, and elevated failure rates." />
  </Steps>
</Accordion>
