Stripe Go-Live Checklist

Overview

This checklist guides you through switching from Stripe TEST mode to LIVE mode for production payments.

Current Status: 🧪 TEST MODE (Sandbox)
Webhook URL: https://rmm-psa-backend-t9f7k.ondigitalocean.app/api/stripe/webhook

---

Pre-Go-Live Checklist

1. Business Verification ✅

• Stripe account fully verified

• Business information complete

• Bank account connected for payouts

• Tax information submitted (if required)

2. Testing Complete ✅

• End-to-end payment flow tested in TEST mode

• Webhook delivery confirmed (check Stripe dashboard logs)

• Successful payment processed

• Failed payment handled correctly

• Subscription billing tested

• Refund flow tested

• Connected Account onboarding tested (tenant flow)

3. Legal & Compliance ✅

• Terms of Service updated (payment terms)

• Privacy Policy updated (payment data handling)

• Refund policy documented

• PCI compliance reviewed (Stripe handles this, but document your practices)

---

Step-by-Step: Switch to LIVE Mode

Step 1: Get Live API Keys from Stripe

1. Go to Stripe Dashboard
2. Switch from Test mode to Live mode (toggle in top-right)
3. Navigate to Developers → API keys
4. Copy the following keys:
   • Publishable key (starts with pk_live_...)
   • Secret key (starts with sk_live_...) ⚠️ Keep this SECRET!

Step 2: Configure Live Webhooks in Stripe

1. In Stripe Dashboard (LIVE mode), go to Developers → Webhooks
2. Click Add endpoint
3. Enter webhook URL:

   https://rmm-psa-backend-t9f7k.ondigitalocean.app/api/stripe/webhook

4. Select events to listen for:
   • payment_intent.succeeded
   • payment_intent.payment_failed
   • customer.subscription.created
   • customer.subscription.updated
   • customer.subscription.deleted
   • invoice.payment_succeeded
   • invoice.payment_failed
   • account.updated
   • charge.succeeded
   • charge.failed
5. Optional: Create a second endpoint with same URL for thin webhooks (minimal data)
6. Click Add endpoint
7. Copy the Signing secret(s) (starts with whsec_...)

Step 3: Update DigitalOcean Environment Variables

Option A: Via DigitalOcean Dashboard (Recommended)

1. Go to DigitalOcean Apps
2. Select nodejs-rmm-psa-backend
3. Click Settings → backend component
4. Scroll to Environment Variables
5. Update/add these variables:

   STRIPE_LIVE_PUBLISHABLE_KEY=pk_live_YOUR_KEY_HERE
   STRIPE_LIVE_SECRET_KEY=sk_live_YOUR_KEY_HERE (mark as SECRET)
   STRIPE_LIVE_WEBHOOK_SECRET=whsec_YOUR_SECRET_HERE (mark as SECRET)
   STRIPE_LIVE_WEBHOOK_SECRET_THIN=whsec_YOUR_THIN_SECRET_HERE (mark as SECRET - if using thin webhooks)

6. Click Save
7. App will automatically redeploy

Option B: Via app-spec.yaml (For version control)

1. Edit app-spec.yaml in the repository
2. Add new environment variables (after the TEST ones):

   # Stripe Payment Integration (LIVE MODE)
   - key: STRIPE_LIVE_PUBLISHABLE_KEY
     scope: RUN_TIME
     value: pk_live_YOUR_KEY_HERE
   - key: STRIPE_LIVE_SECRET_KEY
     scope: RUN_TIME
     type: SECRET
     value: sk_live_YOUR_KEY_HERE
   - key: STRIPE_LIVE_WEBHOOK_SECRET
     scope: RUN_TIME
     type: SECRET
     value: whsec_YOUR_SECRET_HERE
   - key: STRIPE_LIVE_WEBHOOK_SECRET_THIN
     scope: RUN_TIME
     type: SECRET
     value: whsec_YOUR_THIN_SECRET_HERE

3. Commit and push changes to main branch
4. DigitalOcean will auto-deploy

Step 4: Update Code to Use Live Keys

Backend: services/stripeService.js

Current line (line 68):

const stripe = require('stripe')(process.env.STRIPE_TEST_SECRET_KEY);

Update to:

// Use LIVE key in production, TEST key otherwise
const stripeSecretKey = process.env.NODE_ENV === 'production' 
  ? process.env.STRIPE_LIVE_SECRET_KEY 
  : process.env.STRIPE_TEST_SECRET_KEY;
  
const stripe = require('stripe')(stripeSecretKey);

Backend: routes/stripe-webhook.js

Current line (line 79-80):

const WEBHOOK_SECRET_SNAPSHOT = process.env.STRIPE_WEBHOOK_SECRET;
const WEBHOOK_SECRET_THIN = process.env.STRIPE_WEBHOOK_SECRET_THIN;

Update to:

// Use LIVE secrets in production, TEST secrets otherwise
const WEBHOOK_SECRET_SNAPSHOT = process.env.NODE_ENV === 'production'
  ? process.env.STRIPE_LIVE_WEBHOOK_SECRET
  : process.env.STRIPE_WEBHOOK_SECRET;
  
const WEBHOOK_SECRET_THIN = process.env.NODE_ENV === 'production'
  ? process.env.STRIPE_LIVE_WEBHOOK_SECRET_THIN
  : process.env.STRIPE_WEBHOOK_SECRET_THIN;

Frontend: Dashboard (if using Stripe.js directly)

If your dashboard initializes Stripe on the frontend, update:

// Use LIVE publishable key in production
const stripePublishableKey = import.meta.env.PROD
  ? 'pk_live_YOUR_KEY_HERE'
  : 'pk_test_51TBkCoJOCrsvRkazpzHyfGlh6FExDjuhsWukRciJC0mkAM5AcSAvzOWcmk3YsxuK1JSNEbN4GubBN1bY5tcgpgKO00637PYCo2';
 
const stripe = Stripe(stripePublishableKey);

Step 5: Commit Code Changes

cd /mnt/Steam/IBG_HUB/rmm-psa-backend
git add services/stripeService.js routes/stripe-webhook.js
git commit -m "feat(stripe): Switch to LIVE mode for production
 
- Use NODE_ENV to determine TEST vs LIVE keys
- Support both test and live webhook secrets
- Ready for production payment processing"
git push origin main

Step 6: Deploy & Verify

1. Wait for deployment (check DigitalOcean deploy logs ~2-3 minutes)
2. Test webhook delivery:
   • Go to Stripe Dashboard (LIVE mode) → Webhooks
   • Click on your webhook endpoint
   • Click Send test webhook
   • Verify it appears in your backend logs
3. Test payment flow:
   • Use a real credit card (will actually charge!)
   • OR use Stripe test cards in TEST mode first:
     • Success: 4242 4242 4242 4242
     • Decline: 4000 0000 0000 0002
     • Requires auth: 4000 0025 0000 3155
4. Monitor first transactions:
   • Watch Stripe Dashboard for incoming payments
   • Check webhook delivery (should be 100% success rate)
   • Verify database records created correctly

---

Post-Go-Live

Monitoring

• Set up Stripe email alerts for:
  • Failed payments
  • Dispute notifications
  • Payout failures

• Monitor webhook delivery rate (aim for 100%)

• Review payment failures daily for first week

Documentation

• Update customer-facing documentation with live payment info

• Document refund process for support team

• Create runbook for payment issues

Security

• Rotate webhook secrets every 90 days

• Review Stripe API logs monthly

• Keep test keys separate (never mix test/live keys)

---

Rollback Plan (If Issues Arise)

If you need to revert to TEST mode:

1. Update environment variables back to TEST keys:

   STRIPE_TEST_SECRET_KEY (not LIVE)
   STRIPE_WEBHOOK_SECRET (test version)

2. Redeploy app
3. Switch Stripe Dashboard back to Test mode
4. Communicate with customers (if any live transactions were processed)

---

Support Resources

• Stripe Documentation: https://stripe.com/docs
• Stripe Support: https://support.stripe.com
• Webhook Testing: https://stripe.com/docs/webhooks/test
• Going Live Guide: https://stripe.com/docs/keys#live-and-test-keys

---

Environment Variable Summary

Variable	Test Mode	Live Mode	Location
STRIPE_TEST_SECRET_KEY	✅ Active	⚪ Not used	app-spec.yaml
STRIPE_LIVE_SECRET_KEY	⚪ Not used	✅ Active	app-spec.yaml
STRIPE_WEBHOOK_SECRET	✅ Active	⚪ Not used	app-spec.yaml
STRIPE_LIVE_WEBHOOK_SECRET	⚪ Not used	✅ Active	app-spec.yaml
NODE_ENV	production	production	app-spec.yaml
BACKEND_URL	https://rmm-psa-backend-t9f7k.ondigitalocean.app	Same	app-spec.yaml
FRONTEND_URL	https://rmm-psa-dashboard-5jyun.ondigitalocean.app	Same	app-spec.yaml

Code logic: When NODE_ENV=production, uses STRIPE_LIVE_* keys. Otherwise uses STRIPE_TEST_* keys.

---

Final Checklist Before Going Live

• All test transactions completed successfully

• Live API keys obtained and stored securely

• Live webhooks configured in Stripe dashboard

• Environment variables updated in DigitalOcean

• Code updated to detect production environment

• Deployment successful

• First live transaction tested

• Monitoring/alerts configured

• Team trained on refund process

• Customer support notified

Good luck! 🚀