Skip to main content
Before switching from the sandbox to the production environment, make sure you have completed every item in the checklist below.

Integration acceptance

  • Passed the Waffo integration acceptance criteria (functional tests, exception handling, parameter quality checks)
  • Submitted the acceptance results to the Waffo technical integration group and received confirmation

Credentials and configuration

  • If you use a Waffo SDK or AI integration tool, switched the environment configuration from Environment.SANDBOX to Environment.PRODUCTION
  • If you call the API directly, switched to the production API domain and production API Key
  • Configured the production API Key (view on Merchant Portal → Integration, requires Dev/Admin role)
  • Generated a production RSA key pair (do not reuse the sandbox pre-generated keys)
  • Configured the merchant public key on Merchant Portal → Integration by copying the X.509 Base64 content (requires Dev/Admin role)
  • Obtained the production Waffo public key from Portal
  • If needed, configured refundNotifyUrl in Portal for global refund callbacks
  • If needed, configured chargebackNotifyUrl in Portal for dispute/chargeback notifications
Use the following commands to generate a production RSA key pair compatible with Waffo signing tools. The private key is PKCS8 Base64, and the public key is X.509/SPKI Base64: 
openssl genpkey -algorithm RSA \
  -pkeyopt rsa_keygen_bits:2048 \
  -out merchant_private_key.pem

openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt \
  -in merchant_private_key.pem \
  | grep -v '^-----' \
  | tr -d '\n' > merchant_private_key.base64

openssl rsa -in merchant_private_key.pem -pubout \
  | grep -v '^-----' \
  | tr -d '\n' > merchant_public_key.base64
The commands automatically remove the PEM wrappers and output one-line Base64 values. Copy the contents of merchant_public_key.base64 directly into the merchant public key field in Merchant Portal. Store merchant_private_key.base64 in your server-side key management system. Do not commit it to your code repository or send it to Waffo.

Security

  • The RSA private key is not hardcoded in the code; use environment variables or a key management service
  • All API communications use TLS 1.2+
  • Logs do not record full keys or sensitive payment information
  • We recommend deploying production servers overseas or in a region with stable network latency. If you deploy in mainland China, complete a latency assessment to the Waffo API first.
  • We recommend setting the API call timeout to 15 seconds, with a minimum of 8 seconds.
  • We recommend setting DNS TTL to 60 seconds and avoiding long-term pinning of Waffo IPs.
  • We recommend adding logs and alerts for payment creation, payment inquiry, and Webhook handling to support go-live troubleshooting.
  • App WebView allows opening external Apps and external browser pages
  • App WebView supports download, copy, and long-press save behavior (QR, OTC, and bank-transfer style payment methods may require these capabilities)
  • Query parameters are preserved when URLs are passed between the native App and WebView
  • PayPay, Google Pay, Apple Pay, JKOPAY, and other limitations have been checked against Payment method integration notes