Skip to main content

Prelaunch checklist

Before going live, consult this checklist as a simple resource to ensure you are ready for a successful launch with CDK.

Prelaunch configuration

  • Product Configuration (in the Compliance Studio)

    • Product details and branding configured
    • Permissions properly mapped to game features in Permissions configuration
    • Data notices configured in Data notices configuration
    • Age gate settings configured
    • Trusted adult preferences configured (if applicable)
    • Target origins properly configured for both test and production

  • API Integration

    • Age gate requirements checked before collecting age
    • Age gate check implemented with all status handlers (PROHIBITED, CHALLENGE, PASS)
    • Challenge creation and display implemented
    • Challenge status tracking implemented (webhooks or polling)
    • Session retrieval implemented
    • Session caching implemented
    • Permission checks implemented for all game features
    • Widget URLs generated correctly for all flows (E2E, age gate, data notices, permissions)
    • Event handlers implemented for all widget types
    • Error handling implemented for all API calls
    • Fallback flows defined for edge cases

  • Account System Integration (if applicable)

    • Product context mapping configured correctly
    • kuid storage implemented in account system
    • Session caching by Product ID implemented
    • Cross-product session retrieval working correctly

Security validation

  • Proper Environment Mapping

    • Test API key calling test endpoints
    • Live API key calling live endpoints
    • API keys stored securely (never in client-side code)

  • Origin Validation

    • Event origin validation implemented for all widget event handlers
    • Target origins configured in the Compliance Studio
    • CSP headers configured if applicable

  • iframe Security

    • Appropriate allow permissions set for all widgets
    • Sandbox attributes reviewed
    • No sensitive data in URL parameters
    • Widget URLs generated server-side only

  • Session Security

    • Sessions cached securely
    • Session ETags used for efficient retrieval
    • Session webhooks configured and secured

Age gate validation

  • Age Gate Flow
    • Age gate requirements checked for all jurisdictions
    • Approved age collection methods used correctly
    • Age thresholds (digital consent age, civil age, minimum age) handled properly
    • Age assurance requirements checked (if applicable)
    • PROHIBITED status blocks access completely
    • CHALLENGE status triggers consent flow
    • PASS status creates/retrieves session correctly

VPC and challenge validation

Know your rate limits before launch

Live mode rate limits are significantly higher than test mode. Confirm your service can stay within the default rate limits for both API requests and age verification / parental consent flows, or contact your k-ID representative if you need an increase.

  • Challenge Handling

    • Challenge IDs stored persistently
    • Challenge retrieval working for pending challenges
    • Challenge display (QR code, OTP, email) implemented
    • Email notification sent to trusted adults (when available)
    • Challenge status tracking implemented (webhooks recommended)
    • Rate limiting implemented for polling (if used). See Rate limits
    • HTTP 429 handling implemented with retry logic. See Rate limits
    • approverEmail stored for customer service

  • Consent Flow

    • Consent approval grants access correctly
    • Consent denial restricts access appropriately
    • Session created/updated after consent granted
    • Permissions applied correctly after consent

Session and permissions validation

  • Session Management

    • Sessions cached appropriately
    • ETags used for conditional requests
    • Session refresh on game restart
    • Session webhooks configured (Session.ChangePermissions, Session.Delete)
    • Session upgrade flow working (if applicable)
    • Jurisdiction updates handled correctly

  • Permissions Implementation

    • All permissions mapped to game features
    • enabled field checked for all features
    • managedBy field respected (PLAYER, GUARDIAN, PROHIBITED)
    • Prohibited permissions removed from UI
    • Permission changes reflected in game immediately
    • Permission upgrade flow working (if applicable)

Data notices validation

  • Data Notices Flow
    • Data notices widget integrated (if using custom workflow)
    • Data notice consent tracked in session
    • Data notice events handled correctly
    • Jurisdiction-specific notices displayed

Final validation

  • End-to-End Testing

    • Complete user journeys tested for all age categories
    • Age gate flow tested for all jurisdictions
    • VPC flow tested end-to-end
    • Trusted adult experience validated
    • Session management working correctly
    • Permission updates reflected in game
    • Data notices flow tested (if applicable)
    • Account system integration tested (if applicable)

  • Compliance Verification

    • Legal review completed
    • Compliance Engine up-to-date
    • Privacy policy updated
    • Data handling procedures verified
    • Audit trail capabilities confirmed
    • Jurisdiction requirements verified for all target markets

  • Performance Testing

    • API response times acceptable
    • Session caching working efficiently
    • Webhook delivery reliable
    • Rate limiting handled gracefully
    • Error scenarios handled gracefully

Once all checklist items are completed, you're ready to publish your configuration to the live environment and begin serving real users with the CDK.