Integration checklist

  • Store apiKeyId + secret in server-side secret storage; never in client code.
  • Generate a unique orderId per award and persist it with your record.
  • Serialize the body once, sign that exact string, send those exact bytes.
  • Send X-Timestamp in milliseconds; keep your clock NTP-synced.
  • Send only amount ≥ 1000 (raw). Remember EP = floor(amount / 1000).
  • Treat 202 and 200 DUPLICATE as success; never re-award on DUPLICATE.
  • Branch on the string code, not the message.
  • Retry only 503 / network errors, with backoff, reusing the same orderId.
  • Test end-to-end against the sandbox base URL before going live.
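
A client sketch that follows the checklist above. It is an added example, not the provider's own code. The page does not give the signing scheme or the key-id and signature header names, so the HMAC-SHA256 construction, `X-Api-Key-Id`, `X-Signature`, and refreshing the timestamp on each retry are assumptions to replace with what the API reference specifies; `send` is a hypothetical transport callback you supply.

```python
import hashlib
import hmac
import json
import time

MIN_AMOUNT = 1000                   # checklist: send only amount >= 1000 (raw)
KEY_ID_HEADER = "X-Api-Key-Id"      # PLACEHOLDER header name, not from the page
SIGNATURE_HEADER = "X-Signature"    # PLACEHOLDER header name, not from the page

class AwardRejected(Exception):
    """Non-retryable response; args[0] is the API's string code."""

def sign(secret: bytes, timestamp_ms: str, body: bytes) -> str:
    # ASSUMPTION: HMAC-SHA256 over b"<timestamp>.<body>"; use the scheme the API documents.
    return hmac.new(secret, timestamp_ms.encode() + b"." + body, hashlib.sha256).hexdigest()

def build_request(api_key_id, secret, order_id, amount, now_ms=None):
    if amount < MIN_AMOUNT:
        raise ValueError("amount must be >= 1000 (raw)")
    # Serialize once; these exact bytes are both signed and sent.
    body = json.dumps({"orderId": order_id, "amount": amount}, separators=(",", ":")).encode()
    ts = str(int(time.time() * 1000) if now_ms is None else now_ms)  # milliseconds
    headers = {"X-Timestamp": ts, KEY_ID_HEADER: api_key_id,
               SIGNATURE_HEADER: sign(secret, ts, body)}
    return headers, body

def award(send, api_key_id, secret, order_id, amount, attempts=4, sleep=time.sleep):
    """send(headers, body) -> (status, payload_dict) is the caller's HTTP transport."""
    for attempt in range(attempts):
        # Same orderId on every attempt; timestamp and signature are refreshed (assumption).
        headers, body = build_request(api_key_id, secret, order_id, amount)
        try:
            status, payload = send(headers, body)
        except (ConnectionError, TimeoutError):
            status, payload = None, {}           # network error: retryable
        code = payload.get("code")
        if status == 202 or (status == 200 and code == "DUPLICATE"):
            # Both mean the award exists exactly once; do not award again.
            return {"ok": True, "duplicate": code == "DUPLICATE", "ep": amount // 1000}
        if status not in (None, 503):
            raise AwardRejected(code)            # branch on code, never on message
        if attempt < attempts - 1:
            sleep(min(2 ** attempt, 30))         # exponential backoff, capped
    raise TimeoutError(f"award {order_id} still unconfirmed after {attempts} attempts")
```

Generate `order_id` and persist it with your record before the first call to `award`, so a crash between attempts retries with the stored id rather than a new one.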