Operate
Best Practices
Patterns from running Fidacy on the money path. They keep your integration correct, safe, and fast as you scale from your first payment to production volume.
Act on all three decisions
- ·approve, clear the payment; forward the mandate with its injected
risk_data. - ·review, do not clear. Route to step-up auth or a human. Treat it as "not yet", and remember it is also the safe-fallback for internal faults.
- ·deny, block, and surface a reason from
rejection_reasonsto the user.
review into approve to reduce friction. It is the line between a careful system and an exploitable one.Lean on idempotency
Re-assessing the same mandate returns the original verdict (keyed by content hash), so retries are safe, you will never get two divergent decisions for one mandate. Use your own idempotency_key for request-level tracing.
Handle the async states
- ·
audit.status: "pending"is normal, the hash chain is sealed asynchronously. Theentry_idis already stable; it becomesanchoredshortly after. - ·
refinement.status: "pending"means a reasoning pass is queued for areview-band case. If it changes the verdict, you receive anassessment.refinedwebhook, wire it up if you enable the reasoning layer.
Verify everything you receive
Verify the Risk Payload JWS against the JWKS before trusting a forwarded mandate, and verify the x-fidacy-signature on every webhook. Both use the same public keys, fetch by kid, cache, and check.
Backtest before you activate
Treat policy changes like code: draft, backtest against recent history, review what it would have decided, then activate. Keep the previous version, rollback is just re-activating it.
Scope and rotate keys
- ·A read-only dashboard service gets
assess:read; a checkout service getsassess:write. Don't share one all-powerful key. - ·Rotate on a schedule; revoke instantly on exposure.
Watch the latency budget
Each response carries per-stage timings in x-fidacy-server-timing (and the standard Server-Timing off-platform): kya, policy, risk, sign, persist, total. Track these to spot a slow dependency early.
x-fidacy-server-timing: kya;dur=1, policy;dur=2, risk;dur=1, sign;dur=2, persist;dur=3, total;dur=11
Fail closed
If Fidacy returns an error or times out, treat the payment as reviewon your side, hold, don't clear. The engine is built to never approve under fault; your integration should mirror that.