Prelaunch checklist

Before going live, consult this checklist as a simple resource to ensure you are ready for a successful launch with CDK.

Prelaunch configuration

  • Product Configuration (in the Compliance Studio)

    • Product details and branding configured
    • Permissions properly mapped to game features in Permissions configuration
    • Data notices configured in Data notices configuration
    • Age gate settings configured
    • Trusted adult preferences configured (if applicable)
    • Target origins properly configured for both test and production
  • API Integration

    • Age gate requirements checked before collecting age
    • Age gate check implemented with all status handlers (PROHIBITED, CHALLENGE, PASS)
    • Challenge creation and display implemented
    • Challenge status tracking implemented (webhooks or polling)
    • Session retrieval implemented
    • Session caching implemented
    • Permission checks implemented for all game features
    • Widget URLs generated correctly for all flows (E2E, age gate, data notices, permissions)
    • Event handlers implemented for all widget types
    • Error handling implemented for all API calls
    • Fallback flows defined for edge cases
  • Account System Integration (if applicable)

    • Product context mapping configured correctly
    • kuid storage implemented in account system
    • Session caching by Product ID implemented
    • Cross-product session retrieval working correctly

Security validation

  • Proper Environment Mapping

    • Test API key calling test endpoints
    • Live API key calling live endpoints
    • API keys stored securely (never in client-side code)
  • Origin Validation

    • Event origin validation implemented for all widget event handlers
    • Target origins configured in the Compliance Studio
    • CSP headers configured if applicable
  • iframe Security

    • Appropriate allow permissions set for all widgets
    • Sandbox attributes reviewed
    • No sensitive data in URL parameters
    • Widget URLs generated server-side only
  • Session Security

    • Sessions cached securely
    • Session ETags used for efficient retrieval
    • Session webhooks configured and secured
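
The origin validation item above, sketched as a reusable guard for widget `message` events; this is an added example, not code from the CDK documentation. Assumptions: the origin values, the `{ type, ... }` message shape and the event type names are placeholders, so substitute the target origins and event names from your own configuration.

```javascript
// Added example: origin-checked handler for widget postMessage events.
// Placeholders (assumptions): origins, message shape and event type names.

function createWidgetMessageGuard({ allowedOrigins, widgetWindow, handlers }) {
  // Normalise once so the check is exact equality on scheme://host[:port].
  const allowed = new Set(allowedOrigins.map((o) => new URL(o).origin));

  return function onMessage(event) {
    // 1. Exact origin match. Prefix, substring or regex matching lets
    //    look-alike hosts such as "<allowed>.other.example" through.
    if (!allowed.has(event.origin)) {
      return { accepted: false, reason: "origin" };
    }
    // 2. The sender must be the iframe this page embedded, not some other
    //    window that happens to share the origin.
    if (event.source !== widgetWindow) {
      return { accepted: false, reason: "source" };
    }
    // 3. Only plain objects with a string type are considered.
    const data = event.data;
    if (data === null || typeof data !== "object" || typeof data.type !== "string") {
      return { accepted: false, reason: "shape" };
    }
    // 4. Dispatch only to explicitly registered handlers (own properties,
    //    so "constructor" or "toString" never resolve to a handler).
    if (!Object.prototype.hasOwnProperty.call(handlers, data.type)) {
      return { accepted: false, reason: "type" };
    }
    handlers[data.type](data);
    return { accepted: true, reason: null };
  };
}

// Browser wiring (skipped outside a browser):
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const frame = document.querySelector("iframe#compliance-widget"); // hypothetical id
  if (frame) {
    window.addEventListener("message", createWidgetMessageGuard({
      allowedOrigins: ["https://widget.example"],   // placeholder origin
      widgetWindow: frame.contentWindow,
      handlers: { "Widget.Example": (msg) => console.log("widget event", msg.type) },
    }));
  }
}
```

Rejected messages are worth counting per `reason` in test builds: a non-zero `origin` or `source` count during QA usually means a mismatch with the target origins configured in the Compliance Studio.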

Age gate validation

  • Age Gate Flow
    • Age gate requirements checked for all jurisdictions
    • Approved age collection methods used correctly
    • Age thresholds (digital consent age, civil age, minimum age) handled properly
    • Age assurance requirements checked (if applicable)
    • PROHIBITED status blocks access completely
    • CHALLENGE status triggers consent flow
    • PASS status creates/retrieves session correctly

VPC and challenge validation

  • Challenge Handling

    • Challenge IDs stored persistently
    • Challenge retrieval working for pending challenges
    • Challenge display (QR code, OTP, email) implemented
    • Email notification sent to trusted adults (when available)
    • Challenge status tracking implemented (webhooks recommended)
    • Rate limiting implemented for polling (if used)
    • HTTP 429 handling implemented with retry logic
    • approverEmail stored for customer service
  • Consent Flow

    • Consent approval grants access correctly
    • Consent denial restricts access appropriately
    • Session created/updated after consent granted
    • Permissions applied correctly after consent

Session and permissions validation

  • Session Management

    • Sessions cached appropriately
    • ETags used for conditional requests
    • Session refresh on game restart
    • Session webhooks configured (Session.ChangePermissions, Session.Delete)
    • Session upgrade flow working (if applicable)
    • Jurisdiction updates handled correctly
  • Permissions Implementation

    • All permissions mapped to game features
    • enabled field checked for all features
    • managedBy field respected (PLAYER, GUARDIAN, PROHIBITED)
    • Prohibited permissions removed from UI
    • Permission changes reflected in game immediately
    • Permission upgrade flow working (if applicable)
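
One way to turn the `enabled` and `managedBy` items above into a single fail-closed gate that every game feature calls; this is an added example, not code from the CDK documentation. Assumptions: the session exposes `permissions` as an array of `{ name, enabled, managedBy }`, the permission names are placeholders, and GUARDIAN-managed permissions are shown but not player-editable.

```javascript
// Added example: fail-closed feature gating from a cached session.
// Assumed shape (not from the CDK docs): session.permissions is an array of
// { name, enabled, managedBy }; permission names below are placeholders.

const MANAGED_BY = new Set(["PLAYER", "GUARDIAN", "PROHIBITED"]);

function featureState(session, permissionName) {
  const hidden = { visible: false, usable: false, playerCanChange: false };
  const list = session && Array.isArray(session.permissions) ? session.permissions : [];
  const perm = list.find((p) => p && p.name === permissionName);

  // No session, unmapped permission or unrecognised managedBy value:
  // deny and hide rather than guess.
  if (!perm || !MANAGED_BY.has(perm.managedBy)) return hidden;

  // Prohibited permissions are removed from the UI entirely.
  if (perm.managedBy === "PROHIBITED") return hidden;

  return {
    visible: true,
    // Strict comparison: a missing field, the string "true" or 1 does not
    // enable the feature.
    usable: perm.enabled === true,
    // Assumption: only PLAYER-managed permissions get an in-game toggle.
    playerCanChange: perm.managedBy === "PLAYER",
  };
}

// Constructed sample session for illustration.
const sampleSession = {
  permissions: [
    { name: "text-chat", enabled: true, managedBy: "PLAYER" },
    { name: "voice-chat", enabled: false, managedBy: "GUARDIAN" },
    { name: "targeted-ads", enabled: true, managedBy: "PROHIBITED" },
    { name: "friend-requests", enabled: "true", managedBy: "PLAYER" },
    { name: "trading", enabled: true, managedBy: "SOMETHING_NEW" },
  ],
};
```

Calling `featureState` again whenever the cached session is refreshed keeps the UI in step with permission changes.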

Data notices validation

  • Data Notices Flow
    • Data notices widget integrated (if using custom workflow)
    • Data notice consent tracked in session
    • Data notice events handled correctly
    • Jurisdiction-specific notices displayed

Final validation

  • End-to-End Testing

    • Complete user journeys tested for all age categories
    • Age gate flow tested for all jurisdictions
    • VPC flow tested end-to-end
    • Trusted adult experience validated
    • Session management working correctly
    • Permission updates reflected in game
    • Data notices flow tested (if applicable)
    • Account system integration tested (if applicable)
  • Compliance Verification

    • Legal review completed
    • Compliance Engine up-to-date
    • Privacy policy updated
    • Data handling procedures verified
    • Audit trail capabilities confirmed
    • Jurisdiction requirements verified for all target markets
  • Performance Testing

    • API response times acceptable
    • Session caching working efficiently
    • Webhook delivery reliable
    • Rate limiting handled gracefully
    • Error scenarios handled gracefully

Once all checklist items are completed, you're ready to publish your configuration to the live environment and begin serving real users with the CDK.