Skip to main content

Documentation Index

Fetch the complete documentation index at: https://waffo.com/docs/llms.txt

Use this file to discover all available pages before exploring further.

Before switching from the sandbox to the production environment, make sure you have completed every item in the checklist below.

Integration acceptance

  • Passed the Waffo integration acceptance criteria (functional tests, exception handling, parameter quality checks)
  • Submitted the acceptance results to the Waffo technical integration group and received confirmation

Credentials and configuration

  • If you use a Waffo SDK or AI integration tool, switched the environment configuration from Environment.SANDBOX to Environment.PRODUCTION
  • If you call the API directly, switched to the production API domain and production API Key
  • Configured the production API Key (view on Merchant Portal → Integration, requires Dev/Admin role)
  • Generated a production RSA key pair (do not reuse the sandbox pre-generated keys)
  • Configured the merchant public key on Merchant Portal → Integration by copying the X.509 Base64 content (requires Dev/Admin role)
  • Obtained the production Waffo public key from Portal
  • If needed, configured refundNotifyUrl in Portal for global refund callbacks
  • If needed, configured chargebackNotifyUrl in Portal for dispute/chargeback notifications
Use the following commands to generate a production RSA key pair compatible with Waffo signing tools. The private key is PKCS8 Base64, and the public key is X.509/SPKI Base64: 
openssl genpkey -algorithm RSA \
  -pkeyopt rsa_keygen_bits:2048 \
  -out merchant_private_key.pem

openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt \
  -in merchant_private_key.pem \
  | grep -v '^-----' \
  | tr -d '\n' > merchant_private_key.base64

openssl rsa -in merchant_private_key.pem -pubout \
  | grep -v '^-----' \
  | tr -d '\n' > merchant_public_key.base64
The commands automatically remove the PEM wrappers and output one-line Base64 values. Copy the contents of merchant_public_key.base64 directly into the merchant public key field in Merchant Portal. Store merchant_private_key.base64 in your server-side key management system. Do not commit it to your code repository or send it to Waffo.

Security

  • The RSA private key is not hardcoded in the code; use environment variables or a key management service
  • All API communications use TLS 1.2+
  • Logs do not record full keys or sensitive payment information
  • We recommend deploying production servers overseas or in a region with stable network latency. If you deploy in mainland China, complete a latency assessment to the Waffo API first.
  • We recommend setting the API call timeout to 15 seconds, with a minimum of 8 seconds.
  • We recommend setting DNS TTL to 60 seconds and avoiding long-term pinning of Waffo IPs.
  • We recommend adding logs and alerts for payment creation, payment inquiry, and Webhook handling to support go-live troubleshooting.
  • App WebView allows opening external Apps and external browser pages
  • App WebView supports download, copy, and long-press save behavior (QR, OTC, and bank-transfer style payment methods may require these capabilities)
  • Query parameters are preserved when URLs are passed between the native App and WebView
  • PayPay, Google Pay, Apple Pay, JKOPAY, and other limitations have been checked against Payment method integration notes