Malaysia Payment Gateway logoMPG
← Learn

Production checklist

Run through this before flipping a gateway to live. Skipping any line is how payments get faked or money goes missing.

Credentials & config

  • Live (production) keys set in the server environment, never in the repo or client.
  • Sandbox and live keys kept separate; no test key in production.
  • All secrets in environment variables / a secret manager (gitignored .env).

Webhooks

  • Webhook/callback URL registered in BOTH sandbox and live dashboards.
  • Signature/checksum verification enforced on every callback.
  • Endpoint is replay-safe: duplicate events settle the order only once.

Payment integrity

  • Paid access is granted only after a verified webhook + re-fetched provider state, never from a redirect alone.
  • Amount, currency, reference and status matched against your pending record before fulfilling.
  • A sandbox payment completes end-to-end and unlocks correctly.

Data & operations

  • Database migrations applied (orders/payments tables, indexes on the gateway reference).
  • Failed and pending payments are handled and visible, not just successes.
  • Refund / reconciliation path understood for the chosen gateway.

New to any of these terms? See the glossary, or let an AI agent handle the wiring.