Production Checklist

Review keys, limits, domains, tools, and data handling before shipping an agent to customers.

Use this checklist before exposing an agent through an API, website chatbot, or customer workflow.

Credentials

  • Secret API keys are stored server-side only.
  • Browser widgets use publishable embed keys.
  • Development and production keys are separate.
  • Unused keys are revoked.
  • Key labels make ownership clear.

Domains And CORS

  • Public embeds have explicit allowed origins.
  • Localhost origins are not present on production keys.
  • Public endpoints do not use wildcard browser access in production.
  • Domain ownership is verified for high-volume or paid deployments.

Limits And Cost

  • Per-key rate limits are configured.
  • Per-IP and per-session limits are configured.
  • Daily or monthly spend caps are set.
  • File upload size and type limits are documented.
  • High-cost tools or models are intentionally enabled.

Agent Behavior

  • The agent has clear instructions and escalation rules.
  • The agent knows what it should not answer.
  • Knowledge sources are approved for the intended audience.
  • Sample customer questions have been tested.
  • Failure states have friendly user-facing messages.

Tools And Integrations

  • Read-only tools are preferred for public chatbots.
  • Write-capable tools require explicit approval.
  • External credentials are not exposed to users.
  • Tool results do not leak internal IDs, logs, stack traces, or private notes.

Data Handling

  • You know what metadata is sent with each request.
  • Sensitive personal data is avoided unless needed.
  • File retention is clear.
  • Logs are useful for debugging but do not capture unnecessary secrets.
  • Customer-facing docs explain relevant data behavior.

Observability

  • Usage is visible by key, agent, and origin.
  • Error rates are monitored.
  • Rate-limit and budget-limit events are visible.
  • There is a clear revoke/disable path for compromised keys.