MavuntaMavunta
Go live

Go live

Live mode moves real money, so access is earned, not instant. You complete the technical steps in sandbox, submit your business for verification (KYB), and once approved you mint a live key. The API surface is identical to sandbox, so nothing in your integration changes except the key prefix.

New here? Build and test the full flow first with the Quickstart and Sandbox and go-live. This page is the production checklist for when that works.

The readiness checklist

The console tracks this for you on the Go live card and computes it from real activity, not self-attestation. You can only submit for review once the technical steps pass:

  • A sandbox payment was created and reached a final state.
  • A webhook endpoint was added and received at least one delivery.
  • A refund was tested in sandbox.
  • Your business profile (KYB) was submitted.
  • Your business was approved (this step is done by Mavunta).

Merchant verification (KYB)

Submit your business details from the console's Go live application. Have these ready so the review is not held up:

  • Registered business name and country of incorporation.
  • Business category and a short description of what you sell.
  • Website or app where payments will be taken.
  • Expected monthly volume and average order value.
  • A contact email and the name of the account owner.

If a submission is not approved, the console shows the reviewer's reason so you can correct the details and resubmit. Approval unlocks live key creation for your account.

Security checklist

Before you create a live key, harden the account that controls real money:

  • Enable 2FA for the account owner. Live key creation is protected and assumes 2FA is on.
  • Use the least-privilege key type. Prefer a restricted key (cwk_live_rk_) scoped to only what the integration needs over a full secret key (cwk_live_sk_). Use a publishable key (cwk_live_pk_) for any client-side, read-only use.
  • Set an IP allowlist on server keys so a leaked key cannot be used from anywhere.
  • Store keys in your secrets manager, never in source control or client bundles.
  • Keep your cwk_whsec_ webhook secret server-side and rotate it if exposed.

Webhook checklist

Sandbox and live are isolated, so a live webhook endpoint is a separate object with its own signing secret. Add it before you take the first live payment:

  • Register a live HTTPS endpoint in the console and subscribe to the events you handle (at minimum payment_intent.paid).
  • Verify the Mavunta-Signatureagainst the live endpoint's secret, and deduplicate on Mavunta-Event-Id.
  • Acknowledge fast with any 2xx, then do slow work asynchronously, so deliveries do not time out and retry.
  • Confirm your endpoint is reachable from the public internet and not behind staging auth.

Full detail and verification code is in Webhooks.

Create your live key

Once approved, create a cwk_live_key in the console's API keys section and swap it into your server's secret store. Confirm the key reports the right environment before sending a real payment:

curl https://api.mavunta.com/v1/auth/verify \
  -H "Authorization: Bearer cwk_live_sk_..."

{
  "livemode": true,
  "environment": "live",
  "scopes": ["payments:read", "payments:write"],
  "ip_allowed": true,
  "status": "active"
}

Launch review

Run one real, low-value payment end to end before you turn it on for customers:

  • Create a live intent, pay it with a real method, and confirm settlement in your wallet.
  • Confirm your live webhook received payment_intent.paid and the order was marked paid exactly once.
  • Test a live refund and confirm you received payment_intent.refunded.
  • Check your reconciliation against the request ids and settlement records.
New merchants start with lower receiving limits that increase as you build a clean payment history. If you expect high volume from day one, mention it in your verification details.
Open the Go live checklist →Full API reference →