You’ve built the full flow in sandbox. This page takes you to production.

Readiness checklist

Confirm each item before requesting production access.
1. Full lifecycle tested in sandbox

Your integration handles investor creation, KYC, bank linking, funding, order placement and fills, withdrawals, and error paths end to end.

2. Idempotency keys implemented

Every deposit and withdrawal request sends an Idempotency-Key header so retries never double-move money.

3. Error handling is robust

You handle 401 auth failures (rotate/refresh credentials), 429 rate limits (exponential backoff with jitter), 400 validation errors (surface or log), 5xx server errors (retry with backoff), and network timeouts (retry with the same idempotency key). See the API reference for the error model.

4. Webhook endpoints secured

If you use webhooks: HTTPS only, verify signatures before processing, respond 2xx within seconds, and handle duplicate deliveries idempotently. See Webhooks.

5. Credentials stored securely

API keys and secrets live in a secret manager — not in code or config files — and you have a rotation process ready.

6. Compliance requirements confirmed

Your KYC document collection, required disclosures and agreements, and record-keeping meet your regulatory obligations.
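
Checklist items 2 and 3 combined, as an added example that is not Bluum's own code: one idempotency key per money movement, reused on every retry, with jittered exponential backoff for 429, 5xx and timeouts. The `send` transport, the exception names and the request path passed in are assumptions; only the Idempotency-Key and X-Request-Id headers come from this page.

```python
import random
import time
import uuid

class TransportTimeout(Exception):
    """Raised by the transport when no response arrived (hypothetical name)."""

class ApiError(Exception):
    """Non-retryable response, e.g. 400 validation or 401 auth failure."""
    def __init__(self, status, request_id):
        super().__init__(f"HTTP {status} (X-Request-Id={request_id})")
        self.status, self.request_id = status, request_id

def backoff_delay(attempt, base=0.5, cap=30.0, rng=random.random):
    """Full jitter: a random delay in [0, min(cap, base * 2**attempt)]."""
    return rng() * min(cap, base * 2 ** attempt)

def move_money(send, path, body, max_attempts=5, sleep=time.sleep):
    """POST a deposit or withdrawal, reusing one Idempotency-Key on every retry.

    `send(method, path, headers, body)` is an injected transport (assumption)
    returning (status, response_headers, payload) or raising TransportTimeout.
    """
    # One key per logical operation, created before the first attempt. A new
    # key on a retry would let a timed-out-but-applied request run twice.
    headers = {"Idempotency-Key": str(uuid.uuid4())}
    for attempt in range(max_attempts):
        try:
            status, resp_headers, payload = send("POST", path, headers, body)
        except TransportTimeout:
            pass  # outcome unknown: retry with the same key
        else:
            request_id = resp_headers.get("X-Request-Id")
            if status < 400:
                return {"payload": payload, "request_id": request_id,
                        "attempts": attempt + 1}
            if status != 429 and status < 500:
                # 400: surface or log. 401: rotate/refresh credentials first.
                raise ApiError(status, request_id)
        if attempt + 1 < max_attempts:
            sleep(backoff_delay(attempt))
    raise RuntimeError(f"gave up after {max_attempts} attempts")
```

Persist the key alongside the pending operation if the process itself can restart mid-retry, so a resumed attempt still sends the original key.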

Request production access

Email support@bluumfinance.com with:
  • Your company name and dashboard account email.
  • A description of your product and integration model.
  • Confirmation that you’ve completed the checklist above.
Bluum reviews your sandbox integration and compliance setup, then issues production API credentials.
support@bluumfinance.com is the single support channel for credentials, access, compliance, and technical questions.

Cut over to production

1. Switch the base URL and credentials

export BLUUM_BASE_URL="https://api.bluumfinance.com/v1"
export BLUUM_API_KEY="your_production_key"
export BLUUM_API_SECRET="your_production_secret"

2. Smoke test

Confirm connectivity with a read-only request:
# printf is portable where echo -n is not; tr strips the line wrap base64 adds to long output
curl -X GET "$BLUUM_BASE_URL/assets?class=equity&country=us&tradable=true" \
  -H "Authorization: Basic $(printf '%s' "$BLUUM_API_KEY:$BLUUM_API_SECRET" | base64 | tr -d '\n')"
Expect 200. A 401 means the key or secret wasn’t updated.

3. Watch the first real operations

Monitor the first production investor, KYC flow, deposit, order, and webhook delivery closely. Log the X-Request-Id response header on every call and include it in any support request.

Credential rotation

Rotate keys on a schedule (every 90 days is a reasonable default):
  1. Generate a new key pair in the dashboard.
  2. Deploy the new credentials to production.
  3. Verify connectivity with the new pair.
  4. Revoke the old pair.
Overlap old and new keys during rotation — deploy and verify the new pair before revoking the old one. Never revoke first.

Observability

Log every request and response with the HTTP method and path, the response status, the X-Request-Id header, and the response time. Alert on elevated 5xx rates, 429 rate-limit hits, orders stuck in a non-terminal status longer than expected, and webhook delivery failures.