Production Checklist - Formify API

Use this checklist to make sure your integration is secure, reliable, and ready for production.

Security

Never expose secrets in client-side code — Keep API credentials, webhook signing secrets, and other secrets on your backend only.
Use HTTPS everywhere — Use HTTPS for API requests, redirect URLs, and webhook endpoints.
Store tokens and sensitive data securely — Protect access tokens, refresh tokens, customer data, and webhook signing secrets at rest.
Restrict access to signed documents — Only authorized users and systems should be able to view or download documents.

Verify webhook signatures — Validate the X-Formify-Signature header using your webhook signing secret and the raw request body.
Use the raw request body for verification — Do not verify against a re-serialized JSON payload.
Check that the timestamp is recent — Validate X-Formify-Timestamp to reduce replay attacks.
Make webhook handling idempotent — Store processed eventId values and safely ignore duplicates.
Do not assume event ordering — Events may arrive late, more than once, or out of order.
Return a 2xx response quickly — Acknowledge the webhook promptly and process longer tasks asynchronously if needed.

Handle expected HTTP errors — At minimum, handle 400, 401, 403, 404, 429, and 5xx responses.
Use retries with backoff where appropriate — Retry temporary failures carefully instead of failing immediately.
Handle rate limiting — If the API rate limits requests, slow down and retry later.
Log safely — Log request outcomes and webhook processing, but never log secrets or sensitive personal data.

Test the full integration end-to-end — Verify the main production flow from API request to completed signing result.
Test webhook signature verification — Confirm that valid webhook signatures are accepted and invalid ones are rejected.
Test failure scenarios — Check behavior for expired tokens, invalid input, network failures, retries, and duplicate webhook deliveries.
Verify production configuration — Confirm that production credentials, webhook endpoints, secrets, URLs, and environment settings are correct.
Monitor critical failures — Set up alerts for repeated API failures or webhook delivery problems.

If you are using a URL-based client_id (see OAuth for AI & Third-Party Clients):

Serve your metadata document over HTTPS and ensure it responds quickly.
Verify client_id matches the hosting URL exactly.
Include a meaningful client_name and logo_uri — these are shown to users during authorization.
Generate a fresh code_verifier for every authorization request and use S256.
Use the state parameter for CSRF protection.
Handle metadata caching — Formify caches your document. Allow time for changes to propagate.

If you registered your client via Dynamic Client Registration:

PKCE (S256) is mandatory for public clients — generate a fresh code_verifier for every authorization request.
Public clients have no client_secret — protect your client_id and never embed it in untrusted environments unnecessarily.
Confidential DCR clients: store client_secret securely — it is only returned once at registration time.
DCR registration is rate limited — plan your registration flow accordingly.

Note: Webhooks can be delivered more than once, so duplicate-safe processing is required.

Use HMAC signature verification for all webhook endpoints in production.

If you need help before launch, contact api@formify.eu.