11. Security and Best Practices

• API Key and SecretKey should not be used on client-side
• Card information should only be taken via the widget if possible
• Token expiry management should be done automatically
• IP address must be transmitted correctly (critical for fraud checks)

12. Critical Notes

*WidgetToken and AccessToken should not be confused

• Payment cannot be made without InstallmentToken
• Redirect is mandatory in 3D streaming
• Return URL must be handled by the merchant

15. Environment Migration (Test → Live) – Critical Information

After completing your integration development and testing processes in the demo environment, you must take into account that the API information used in the test environment is not valid in the live environment in order to switch to the live environment.

In this context, it is mandatory to contact your customer representative and request your special production (live) API Key and Secret Key information.

With this information provided, environment URLs should be updated and only after this update should operations be started in the live environment.

Test environment API information does not work in the live environment.