Production Checklist

Before going live with GoRoute in production, use this checklist to ensure your integration is robust, secure, and ready for real-world invoicing.

Pre-Launch Checklist

✅ API Configuration

• Production API key obtained - Request production access at app.goroute.ai
• API key stored securely - Use environment variables or a secrets manager
• Base URL updated - Production: https://app.goroute.ai/peppol-api
• Rate limits understood - Know your tier's limits and implement throttling
• Timeout values configured - Set appropriate connection and read timeouts

# Example: Secure configuration
import os

GOROUTE_API_KEY = os.environ['GOROUTE_API_KEY']  # Never hardcode
GOROUTE_BASE_URL = 'https://app.goroute.ai/peppol-api'
REQUEST_TIMEOUT = 30  # seconds

✅ Authentication & Security

• API key rotation plan - Can you rotate keys without downtime?
• TLS 1.2+ enforced - Verify your HTTP client uses modern TLS
• Webhook secrets configured - Validate webhook signatures
• IP allowlisting (optional) - Restrict API access by IP if needed
• Audit logging enabled - Log all API calls for compliance

# Webhook signature validation
import hmac
import hashlib

def verify_webhook(payload: bytes, signature: str, secret: str) -> bool:
    expected = hmac.new(
        secret.encode(),
        payload,
        hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(f"sha256={expected}", signature)

✅ Participant Registration

• Production Peppol identifiers ready - Real identifiers, not test ones
• SMP registration verified - Confirm via lookup endpoint
• Document types registered - Invoice, Credit Note, others as needed
• Receiver testing complete - Send test invoices to production recipients

# Verify your registration
curl https://app.goroute.ai/peppol-api/participants/lookup?identifier=0088:YOUR_GLN \
  -H "X-API-Key: your-production-key"

✅ Document Validation

• Schematron validation enabled - EN16931 + Peppol BIS 3.0
• Country CIUS validated - XRechnung, Factur-X, etc. as applicable
• Pre-send validation implemented - Validate before sending
• Error handling for validation failures - User-friendly error messages

# Always validate before sending
result = client.documents.validate(invoice_xml)
if not result.valid:
    raise ValidationError(result.errors)
    
# Only send if valid
client.documents.send(invoice_xml)

✅ Error Handling

• Retry logic implemented - Exponential backoff for transient errors
• Error categorization - Distinguish retryable vs permanent errors
• Dead letter queue - Handle permanently failed documents
• Error notifications - Alert on failures (email, Slack, PagerDuty)
• Graceful degradation - System continues if GoRoute is unavailable

RETRYABLE_ERRORS = [429, 500, 502, 503, 504]
PERMANENT_ERRORS = [400, 401, 403, 404]

def handle_error(error):
    if error.status in RETRYABLE_ERRORS:
        raise RetryableError(error)
    elif error.status in PERMANENT_ERRORS:
        notify_support(error)
        move_to_dlq(error)

✅ Webhooks

• Webhook endpoints deployed - Production URLs, HTTPS only
• Signature validation active - Reject unsigned webhooks
• Idempotency handling - Same webhook may arrive multiple times
• Timeout handling - Respond within 30 seconds
• Failure alerting - Monitor webhook delivery failures

# Webhook handler best practices
@app.post("/webhooks/goroute")
async def handle_webhook(request: Request):
    # 1. Validate signature
    if not verify_signature(request):
        return Response(status_code=401)
    
    # 2. Check idempotency
    event_id = request.headers['X-GoRoute-Event-ID']
    if already_processed(event_id):
        return Response(status_code=200)
    
    # 3. Process asynchronously if needed
    queue_webhook_processing(request.body())
    
    # 4. Respond quickly
    return Response(status_code=200)

✅ Monitoring & Observability

• Health checks configured - Monitor API availability
• Metrics collection - Track success rates, latency, volume
• Logging implemented - Structured logs with correlation IDs
• Dashboards created - Visualize key metrics
• Alerting rules defined - Alert on anomalies

# Key metrics to track
- goroute_requests_total{status="success|error"}
- goroute_request_duration_seconds
- goroute_documents_sent_total
- goroute_documents_received_total
- goroute_validation_errors_total
- goroute_webhook_deliveries_total

✅ Data & Compliance

• Data retention policy defined - How long to keep transaction data
• GDPR compliance reviewed - PII handling in documents
• Audit trail maintained - Full history of all transactions
• Backup strategy in place - Can recover from data loss
• Legal review complete - Terms of service accepted

✅ Performance & Scalability

• Load testing complete - Test with expected peak volume
• Connection pooling configured - Reuse HTTP connections
• Async processing for batches - Use job queues for high volume
• Database indexes optimized - Fast transaction lookups
• Horizontal scaling ready - Can add more workers if needed

# Connection pooling example
import httpx

# Reuse client across requests
client = httpx.Client(
    base_url="https://app.goroute.ai/peppol-api",
    timeout=30.0,
    limits=httpx.Limits(max_connections=100)
)

✅ Disaster Recovery

• Failover plan documented - What happens if primary region fails?
• Data backup tested - Can actually restore from backups
• Runbooks created - Step-by-step incident response
• Contact list updated - Know who to call for support
• RTO/RPO defined - Recovery time and point objectives

Go-Live Checklist

Day of Launch

1. Verify production API key works

   curl https://app.goroute.ai/peppol-api/health \
     -H "X-API-Key: your-production-key"

2. Send a test invoice to a known recipient

   • Use a real invoice to a friendly customer
   • Verify delivery confirmation received

3. Confirm webhook delivery

   • Check webhooks are arriving
   • Verify signature validation works

4. Monitor dashboards

   • Watch for errors
   • Track success rates

5. Have rollback plan ready

   • Can revert to previous version
   • Know how to disable integration if needed

First Week

• Monitor error rates daily
• Review all failed transactions
• Check delivery success rates
• Gather customer feedback
• Review webhook processing logs
• Verify all document types working
• Test with multiple recipient countries

Support Contacts

Issue Type	Contact
API Issues	support@goroute.ai
Account/Billing	billing@goroute.ai
Security Incidents	security@goroute.ai
Emergency (Production Down)	+1-XXX-XXX-XXXX

Common Go-Live Issues

"Invalid API Key"

Cause: Using sandbox key in production Solution: Generate a production API key from the dashboard

"Participant Not Found"

Cause: Sender not registered in production SMP Solution: Register your organization in production environment

"Document Validation Failed"

Cause: Test data in production documents Solution: Verify all identifiers, dates, and amounts are real

"Webhook Not Received"

Cause: Firewall blocking GoRoute IPs Solution: Allowlist GoRoute webhook source IPs:

• 52.x.x.x (Contact support for current list)

"Rate Limited"

Cause: Exceeding tier limits Solution: Implement proper rate limiting or upgrade tier

Post-Launch

Week 1-4

• Daily monitoring of success rates
• Weekly review of failed transactions
• Collect and analyze error patterns
• Tune retry policies based on real data
• Update documentation based on learnings

Ongoing

• Monthly security review
• Quarterly disaster recovery test
• API version monitoring (deprecations)
• Performance trend analysis
• Customer satisfaction tracking

Next Steps

• Error Recovery →
• Webhooks Reference →
• Support →