Skip to main content

Integration Checklist

Use this checklist to verify your integration is production-ready before going live.

Sandbox

  • Received a sandbox API key from hello@creatorlayer.eu
  • Successfully created a verification against api-sandbox.creatorlayer.eu
  • Sent the consent_url to a test creator (or used a test- reference for synthetic flow)
  • Polled GET /api/v1/verifications/:id and observed all status transitions: pending_consentprocessingcompleted
  • Retrieved the full Risk Tape from GET /api/v1/verifications/:id/tape
  • Parsed and stored the fields your underwriting model needs (see Schema Reference)

Webhooks

  • Registered a webhook endpoint via POST /api/v1/webhooks
  • Endpoint is publicly reachable over HTTPS (no self-signed certificates)
  • Signature verification is implemented and tested (see Webhooks)
  • Endpoint returns 2xx within 10 seconds (offload slow processing to a queue)
  • Tested verification.completed, verification.failed, and verification.expired events using test- references in sandbox

Error handling

  • 429 Too Many Requests: respects Retry-After header before retrying
  • 5xx errors: implements exponential backoff (see Error Reference)
  • verification.failed webhook: triggers a re-verification flow (create new verification, send fresh consent_url)
  • verification.expired webhook: handled — creator is notified or flow is restarted as appropriate
  • Idempotency keys are generated per verification (uuidgen / crypto.randomUUID()) and stored so retries reuse the same key

API key security

  • API key is stored in a secrets manager or environment variable — never hardcoded
  • API key is not logged in plaintext in application logs
  • API key is not exposed to the browser or included in client-side code
  • You have a key rotation procedure (contact hello@creatorlayer.eu to issue a new key and revoke the old one)

Data handling

  • DPA has been reviewed and executed — contact hello@creatorlayer.eu if not yet done
  • Risk Tape data is stored only as long as needed for your credit decision
  • obligor_reference values do not contain PII (use internal IDs, not names or email addresses)
  • A data subject access / erasure workflow is in place — use the GDPR endpoints or contact hello@creatorlayer.eu

Go-live

  • Received a production API key and DPA is executed
  • All api-sandbox.creatorlayer.eu URLs replaced with api.creatorlayer.eu
  • Webhook endpoint updated to point to production URL
  • Tested one real end-to-end flow in production (create → consent → completed)
  • Rate limits reviewed — if you expect >60 req/min, contact us for a production key with higher limits (see Rate Limits)
  • Monitoring and alerting is set up for verification.failed events and 5xx responses

Questions or blockers? Email hello@creatorlayer.eu.