Skip to main content

Provider Test Account Checklist

This checklist defines the account requirements for live post-cloud validation of each V1 provider. Leonardo provisions these accounts after production cloud deployment.

Stripe

RequirementDetailEvidence
Account typeStripe test mode accountacct_... with test credentials
Webhook endpointRegistered with cloud endpoint URLDashboard > Developers > Webhooks
Webhook signing secretwhsec_... for HMAC verificationStore in platform secrets
Event generationAbility to trigger payment_intent.succeeded, charge.* eventsstripe CLI or Dashboard
API key scopeTest mode sk_test_... with webhook readDashboard > Developers > API keys
TeardownDeactivate test webhook endpoint after validationConfirm in Dashboard

GitHub

RequirementDetailEvidence
Account typePersonal account or organization with at least one repositoryGitHub account
Webhook scopeRepository webhook or org webhook with push, dispatch eventsSettings > Webhooks
Webhook secretHMAC secret (arbitrary string, shared with platform)Configured in webhook settings
Event generationAbility to trigger push events (commit to repo) or repository_dispatch API callsgh CLI or git push
Access tokenClassic PAT with admin:repo_hook scopeSettings > Developer settings > Tokens
TeardownRemove test webhook from repository after validationSettings > Webhooks > Delete

Shopify

RequirementDetailEvidence
Account typeShopify development store or partner account*.myshopify.com store URL
Webhook configurationWebhook set up in Settings > Notifications > WebhooksStore admin
Webhook secretHMAC secret for X-Shopify-Hmac-SHA256Configured in webhook settings
Event generationAbility to trigger orders/create via Admin API or store checkoutCreate draft order via API
API accessAdmin API access token with write_orders, read_webhooks scopesApps > Admin API
TeardownDelete test webhook from store, clean up test ordersStore admin

Twilio

RequirementDetailEvidence
Account typeTwilio account with SMS-capable phone numberTrial or production account
Webhook URLPhone number > Messaging > Incoming messages URLTwilio Console
Signature validationAuth Token used for X-Twilio-Signature verificationAccount > Auth Token
Event generationVerified caller ID that can send SMS to the Twilio numberTwilio Console > Verified Caller IDs
Status callbackOptional: StatusCallback URL for delivery statusConfigure in API calls
TeardownRemove webhook URL from phone number configTwilio Console

General Requirements (All Providers)

  • ✅ Each provider account is provisioned at the minimum tier that permits webhook event generation and webhook endpoint configuration.
  • ✅ API keys and secrets are stored in platform secrets management, not in source code or documentation.
  • ✅ Credentials are rotated or deactivated after validation completes.
  • ✅ No live billing or payment processing is triggered during validation (test mode / development store / trial account).
  • ✅ Evidence artifacts do not contain live credentials.

Teardown Procedure

  1. Deactivate each provider webhook endpoint from provider dashboard.
  2. Revoke or rotate API keys/tokens used for validation.
  3. Confirm no further webhook events are being sent to the cloud endpoint.
  4. Delete any test data created (test orders, test repos, test messages).
  5. Update provider validation evidence with teardown confirmation.