Go Live Checklist

Overview

Go live only after your sandbox flow has proven intent creation, checkout, SMS event ingestion, reconciliation, webhook handling, expiry behavior, and dashboard operations.

Step-by-step guide

Complete sandbox successful payment test.
Complete sandbox wrong amount, wrong receiver, duplicate transaction ID, and expired payment tests.
Verify sandbox webhook endpoint and idempotent fulfillment.
Configure the live receiving wallet number.
Create a live API key.
Register and verify a live webhook endpoint.
Install and validate the Android SMS Agent with the live key.
Confirm the live device forwards SMS for the same wallet number shown on checkout.
Switch your backend base URL and API key to live.
Run a small live payment before accepting production traffic.

Code example

Use separate configuration for sandbox and live:

const config = {
  sandbox: {
    baseUrl: "https://api.smspaybd.com",
    apiKey: process.env.SMS_PAY_SANDBOX_KEY!,
  },
  live: {
    baseUrl: "https://api.smspaybd.com",
    apiKey: process.env.SMS_PAY_LIVE_KEY!,
  },
};

const gateway = process.env.SMS_PAY_ENV === "live" ? config.live : config.sandbox;

Request and response samples

Create a live intent only after live readiness:

POST /v1/payments/intents
X-Api-Key: sk_live_xxxxxxxxxxxxxxxxx
Content-Type: application/json

{
  "amount": 100,
  "currency": "BDT",
  "customerReference": "LIVE-SMOKE-TEST-001",
  "receiverMsisdn": "01700000001",
  "idempotencyKey": "LIVE-SMOKE-TEST-001",
  "ttlSeconds": 300
}

Expected response:

{
  "id": "live_pi_123",
  "environment": "LIVE",
  "status": "PENDING",
  "amount": "100",
  "currency": "BDT",
  "customerReference": "LIVE-SMOKE-TEST-001",
  "receiverMsisdn": "01700000001",
  "checkoutUrl": "https://smspaybd.com/checkout/live_pi_123",
  "expiresAt": "2026-05-05T10:05:00.000Z"
}

Launch checklist

Live API key is stored only on your backend and Android SMS Agent.
Live webhook endpoint is verified.
Webhook handler verifies X-Webhook-Signature.
Webhook handler is idempotent.
Android SMS Agent is running on the correct phone.
Phone can receive bKash or supported wallet SMS messages.
Receiver wallet number in dashboard matches checkout.
Checkout fulfillment waits for PAID.
Expired payments are not fulfilled.
Dashboard users can monitor payment intents, SMS events, devices, and webhooks.

Edge cases and constraints

Do not switch only the API key or only the base URL; switch both together.
Do not use sandbox simulator to test live orders.
If the Android device loses connectivity, payments may remain pending until SMS events arrive.
If the customer pays after expiry, do not auto-fulfill; handle via reconciliation or refund policy.
Keep a manual operations process for REVIEW_REQUIRED.

Step-by-step guide

Complete sandbox successful payment test.

Complete sandbox wrong amount, wrong receiver, duplicate transaction ID, and expired payment tests.

Verify sandbox webhook endpoint and idempotent fulfillment.

Configure the live receiving wallet number.

Create a live API key.

Install and validate the Android SMS Agent with the live key.

Confirm the live device forwards SMS for the same wallet number shown on checkout.

Switch your backend base URL and API key to live.

Run a small live payment before accepting production traffic.

Code example

Use separate configuration for sandbox and live:

const config = {
  sandbox: {
    baseUrl: "https://api.smspaybd.com",
    apiKey: process.env.SMS_PAY_SANDBOX_KEY!,
  },
  live: {
    baseUrl: "https://api.smspaybd.com",
    apiKey: process.env.SMS_PAY_LIVE_KEY!,
  },
};

const gateway = process.env.SMS_PAY_ENV === "live" ? config.live : config.sandbox;

Request and response samples

Create a live intent only after live readiness:

POST /v1/payments/intents
X-Api-Key: sk_live_xxxxxxxxxxxxxxxxx
Content-Type: application/json

{
  "amount": 100,
  "currency": "BDT",
  "customerReference": "LIVE-SMOKE-TEST-001",
  "receiverMsisdn": "01700000001",
  "idempotencyKey": "LIVE-SMOKE-TEST-001",
  "ttlSeconds": 300
}

Expected response:

{
  "id": "live_pi_123",
  "environment": "LIVE",
  "status": "PENDING",
  "amount": "100",
  "currency": "BDT",
  "customerReference": "LIVE-SMOKE-TEST-001",
  "receiverMsisdn": "01700000001",
  "checkoutUrl": "https://smspaybd.com/checkout/live_pi_123",
  "expiresAt": "2026-05-05T10:05:00.000Z"
}

Launch checklist

Live API key is stored only on your backend and Android SMS Agent.

Live webhook endpoint is verified.

Webhook handler verifies X-Webhook-Signature.

Webhook handler is idempotent.

Android SMS Agent is running on the correct phone.

Phone can receive bKash or supported wallet SMS messages.

Receiver wallet number in dashboard matches checkout.

Checkout fulfillment waits for PAID.

Expired payments are not fulfilled.

Dashboard users can monitor payment intents, SMS events, devices, and webhooks.

Edge cases and constraints

Do not switch only the API key or only the base URL; switch both together.

Do not use sandbox simulator to test live orders.

If the Android device loses connectivity, payments may remain pending until SMS events arrive.

If the customer pays after expiry, do not auto-fulfill; handle via reconciliation or refund policy.

Keep a manual operations process for REVIEW_REQUIRED.