> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bluumfinance.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Go Live

> Production readiness checklist and sandbox-to-production cutover.

You've built the full flow in sandbox. This page takes you to production.

## Readiness checklist

Confirm each item before requesting production access.

<Steps>
  <Step title="Full lifecycle tested in sandbox">
    Your integration handles investor creation, KYC, bank linking, funding, order placement and fills, withdrawals, and error paths end to end.
  </Step>

  <Step title="Idempotency keys implemented">
    Every deposit and withdrawal request sends an `Idempotency-Key` header so retries never double-move money.
  </Step>

  <Step title="Error handling is robust">
    You handle `401` auth failures (rotate/refresh credentials), `429` rate limits (exponential backoff with jitter), `400` validation errors (surface or log), `5xx` server errors (retry with backoff), and network timeouts (retry with the same idempotency key). See the [API reference](/api-reference) for the error model.
  </Step>

  <Step title="Webhook endpoints secured">
    If you use webhooks: HTTPS only, verify signatures before processing, respond `2xx` within seconds, and handle duplicate deliveries idempotently. See [Webhooks](/get-started/journey/webhooks).
  </Step>

  <Step title="Credentials stored securely">
    API keys and secrets live in a secret manager — not in code or config files — and you have a rotation process ready.
  </Step>

  <Step title="Compliance requirements confirmed">
    Your KYC document collection, required disclosures and agreements, and record-keeping meet your regulatory obligations.
  </Step>
</Steps>

## Request production access

Email **[support@bluumfinance.com](mailto:support@bluumfinance.com)** with:

* Your company name and dashboard account email.
* A description of your product and integration model.
* Confirmation that you've completed the checklist above.

Bluum reviews your sandbox integration and compliance setup, then issues production API credentials.

<Note>
  `support@bluumfinance.com` is the single support channel for credentials, access, compliance, and technical questions.
</Note>

## Cut over to production

<Steps>
  <Step title="Switch the base URL and credentials">
    ```bash theme={null}
    export BLUUM_BASE_URL="https://api.bluumfinance.com/v1"
    export BLUUM_API_KEY="your_production_key"
    export BLUUM_API_SECRET="your_production_secret"
    ```
  </Step>

  <Step title="Smoke test">
    Confirm connectivity with a read-only request:

    ```bash theme={null}
    curl -X GET "$BLUUM_BASE_URL/assets?class=equity&country=us&tradable=true" \
      -H "Authorization: Basic $(echo -n "$BLUUM_API_KEY:$BLUUM_API_SECRET" | base64)"
    ```

    Expect `200`. A `401` means the key or secret wasn't updated.
  </Step>

  <Step title="Watch the first real operations">
    Monitor the first production investor, KYC flow, deposit, order, and webhook delivery closely. Log the `X-Request-Id` response header on every call and include it in any support request.
  </Step>
</Steps>

## Credential rotation

Rotate keys on a schedule (every 90 days is a reasonable default):

1. Generate a new key pair in the dashboard.
2. Deploy the new credentials to production.
3. Verify connectivity with the new pair.
4. Revoke the old pair.

<Tip>
  Overlap old and new keys during rotation — deploy and verify the new pair before revoking the old one. Never revoke first.
</Tip>

## Observability

Log every request and response with the HTTP method and path, the response status, the `X-Request-Id` header, and the response time. Alert on elevated `5xx` rates, `429` rate-limit hits, orders stuck in a non-terminal status longer than expected, and webhook delivery failures.
