Onboarding Overview & Checklist

Before your first API call succeeds — including in staging — a one-time technical onboarding process must be completed. This page is the master checklist for that process. Each step links to a page with the full detail; this page exists so you can see the whole journey at a glance and know where you are in it.

📘

This checklist applies per environment. You'll work through it once for staging and again, separately, for production — separate certificates, separate IP allowlists, separate credentials. Many Tenants complete staging onboarding first, build their integration, and then repeat the process for production ahead of go-live.

The journey at a glance

sequenceDiagram
    participant Tenant
    participant Axys as Axys Platform

    Tenant->>Tenant: 1. Generate RSA key pair + CSR
    Tenant->>Axys: 2. Submit CSR
    Axys->>Tenant: 3. Issue signed client certificate (~24h)
    Tenant->>Axys: 4. Provide calling IP(s) for allowlisting
    Tenant->>Tenant: 5. Configure DNS (A records + PTR records)
    Axys->>Tenant: 6. Confirm IP allowlisted; issue tenant-level API key
    Tenant->>Axys: 7. Create your first Program
    Axys->>Tenant: 8. Issue program-level certificate + API key
    Tenant->>Axys: 9. First staging API call (cert + key + allowlisted IP)
    Axys->>Tenant: 10. 200 OK

The checklist

1–3. Certificate issuance

Generate an RSA-2048 key pair and a certificate signing request (CSR), then submit it to Axys. A signed mTLS client certificate is returned, typically within 24 hours. The CSR's subject fields establish your identity in the platform's hierarchy (O = your Tenant, OU = your Program's trading name(s)).

→ Full detail: mTLS Certificates & CSR

4–6. Network security

Provide the IP address(es) your servers will call the API from, and configure DNS so that:

• the domain(s) in your certificate's CN/SAN resolve (via A records) to your calling IP(s), and
• your calling IP(s) have PTR records resolving back to those domains (forward-confirmed reverse DNS).

Both your IP allowlist entry and DNS configuration are checked on every request, independently of the mTLS handshake itself.

→ Full detail: IP Allowlisting & Network Security

7–8. Program creation and credentials

With your Tenant-level certificate and API key, create your first Program (configuring its currency, transaction limit ceiling, and at least one Card Design — slot 0). Axys issues a separate certificate and API key scoped to that Program.

→ See Program Architecture for the Tenant/Program relationship, and Setup a New Program for the walkthrough.

9–10. First API call

Using your Program-level certificate and API key, make your first call — see Your First API Call.

What you'll need before you start

• The ability to generate an RSA key pair and CSR (OpenSSL or equivalent)
• Control over DNS for the domain(s) you'll use to call the API
• A static, known calling IP address (or a small set of them — e.g. NAT gateway Elastic IPs)
• Your Tenant's legal entity name and the trading/brand name(s) for your Program(s)

What's next

• mTLS Certificates & CSR
• IP Allowlisting & Network Security
• Security Compliance & Data Protection