Production Deployment Guide

Production Deployment Guide

Based on OpenAI’s official production guide, this document provides a complete checklist and best practices for ACP protocol production environment deployment.

Important Notice: Building with ACP protocol is open to everyone. Instant Checkout in ChatGPT is currently available to approved partners only. To apply for participation in Instant Checkout, please fill out this form.

🧪 Testing and Launch Certification

Before going live, complete and document the following tests in a sandbox environment. Each item should be demonstrated end-to-end with request/response logs.

Session Creation and Address Handling

  • Create checkout sessions with and without shipping addresses
    • Verify that shipping options and tax totals are returned once a valid address is provided
    • Confirm API-Version header is present and matches supported version

Shipping Option Updates

  • Update selected shipping options
    • Ensure order totals are correctly recalculated when options change

Payment Tokenization

  • Create delegated payment tokens
    • Send POST /agentic_commerce/delegate_payment request with valid payment_method object, allowance, billing_address, risk_signals, and metadata
    • Include all required headers
    • Verify canonical JSON serialization and correct detached signature generation

Order Completion

  • Complete orders using tokenized payments
    • Confirm response contains final order object in completed status
    • Validate returned fields and ensure HTTP 201 Created status

Error Scenarios

  • Demonstrate recoverable error handling
    • Trigger and log each error condition with appropriate HTTP status:
      • missing (e.g., required field omitted → invalid_request / 400)
      • out_of_stock (simulate inventory failure)
      • payment_declined (simulate issuer decline)

Idempotency Verification

  • Verify idempotency safety
    • Repeat create and complete calls using the same Idempotency-Key
    • Confirm safe duplicate requests return the same result
    • Parameter mismatches return idempotency_conflict with HTTP 409

IP Allowlisting

  • Allowlist OpenAI’s IP addresses

🔒 Security and Compliance

TLS and HTTPS

All traffic to you must use TLS 1.2 or later on port 443 with a valid public certificate.

PCI Scope

The Product Feed Spec and Agentic Checkout Spec are deliberately kept out of PCI scope and do not transmit cardholder data.

PCI Compliance Requirements: Directly integrating with the Delegated Payment Spec involves directly handling cardholder data (CHD) and may affect your PCI scope. Check with your PSP and consult with your Qualified Security Assessor (QSA) or other PCI compliance advisor to determine the impact on your specific PCI DSS obligations. OpenAI may require your attestation of compliance (AOC) before enabling production access.

❓ Frequently Asked Questions

Who is the merchant of record in an agentic checkout flow?

The merchant actually selling goods and taking payment directly from the customer is the merchant of record. OpenAI and other trusted payment service providers are not the merchant of record. Customers will see the merchant’s name on their credit card statement, as if they bought directly from the merchant website.

Who manages chargebacks and refunds?

The merchant does. Your platform is responsible for handling refunds and chargebacks, as you accepted the payment directly from the customer as the merchant of record.

Use the ORDER_UPDATE webhook to notify ChatGPT (or any integrated partner) when a refund or chargeback status changes so order state stays synchronized.

Do we need to support multiple shipments?

Today, the protocol models a single shipping address and one selected shipping option per checkout session. In the future, the protocol may support multiple shipments.

If your system supports split shipments, consolidate them into a single buyer-visible selection and return aggregate totals for shipping and tax.

🚀 Deployment Checklist

Infrastructure Preparation

  • HTTPS Configuration: Ensure all API endpoints use TLS 1.2+
  • Domain Verification: Configure valid SSL certificates
  • Load Balancing: Set up high-availability load balancers
  • Monitoring & Alerts: Configure API response time and error rate monitoring
  • Logging System: Implement structured logging (note PCI compliance)

API Implementation Verification

  • Version Control: Implement API-Version: 2025-09-29 support
  • Authentication: Configure Bearer token verification
  • Request Signing: Implement request signature verification (recommended)
  • Idempotency: Implement Idempotency-Key handling
  • Error Handling: Standardize error response format
  • Rate Limiting: Configure reasonable API rate limits

Data Processing Compliance

  • PCI Compliance: Ensure payment data processing complies with PCI DSS
  • Data Encryption: Implement data encryption at rest and in transit
  • Log Redaction: Ensure logs don’t contain sensitive payment information
  • Access Control: Implement least privilege access principles
  • Audit Trail: Establish complete operational audit logs

Business Process Configuration

  • Product Data: Configure product feed update mechanisms
  • Inventory Sync: Implement real-time inventory status synchronization
  • Price Management: Configure dynamic pricing and promotion support
  • Tax Calculation: Integrate tax calculation services
  • Shipping Options: Configure multiple shipping methods and costs

Webhook Integration

  • Endpoint Configuration: Set up webhook receiving endpoints
  • Signature Verification: Implement HMAC signature verification
  • Retry Mechanism: Configure failure retry logic
  • Event Handling: Implement all order lifecycle event handling
  • State Synchronization: Ensure order state sync with ChatGPT

📊 Key Metrics Monitoring

API Performance Metrics

// Key performance indicators
const metrics = {
  // Response time metrics
  api_response_time_p95: '< 2000ms',
  api_response_time_p99: '< 5000ms',
  
  // Success rate metrics  
  checkout_success_rate: '> 99%',
  payment_success_rate: '> 98%',
  
  // Error rate metrics
  api_error_rate: '< 1%',
  payment_decline_rate: '< 5%',
  
  // Business metrics
  conversion_rate: 'baseline + 10%',
  average_order_value: 'track trends'
};

Alert Configuration

# Monitoring alert configuration example
alerts:
  - name: "High API Response Time"
    condition: "api_response_time_p95 > 3000ms"
    duration: "5m"
    severity: "warning"
    
  - name: "Low Payment Success Rate"
    condition: "payment_success_rate < 95%"
    duration: "2m" 
    severity: "critical"
    
  - name: "High API Error Rate"
    condition: "api_error_rate > 2%"
    duration: "3m"
    severity: "warning"

🔧 Troubleshooting

Common Issue Diagnosis

  1. API Response Timeouts

    • Check database connection pool configuration
    • Verify third-party service response times
    • Optimize complex query performance
  2. Payment Processing Failures

    • Verify PSP connection status
    • Check payment token validity
    • Confirm PCI compliance configuration
  3. Missing Webhook Events

    • Verify HMAC signature configuration
    • Check network connection stability
    • Confirm retry mechanism is working

📈 Performance Optimization

Response Time Optimization

  • API Response Time: < 2 seconds
  • Database Optimization: Optimize queries and indexing
  • Caching Strategy: Implement appropriate caching mechanisms
  • CDN Configuration: Configure CDN for static resources

Scalability Considerations

  • Horizontal Scaling: Support for multiple server instances
  • Database Scaling: Read replicas and connection pooling
  • Queue Management: Async processing for heavy operations
  • Circuit Breakers: Implement circuit breakers for external services

Security Hardening

  • Input Validation: Comprehensive input sanitization
  • SQL Injection Prevention: Use parameterized queries
  • XSS Protection: Implement proper output encoding
  • CSRF Protection: Use CSRF tokens for state-changing operations

🎯 Go-Live Process

Pre-Launch Validation

  • Complete all sandbox testing requirements
  • Verify pre-production environment functionality
  • Implement gradual rollout strategy
  • Validate production monitoring is working
  • Prepare rapid rollback procedures

Launch Day Checklist

  • Monitor all key metrics closely
  • Have support team on standby
  • Verify webhook delivery is working
  • Check payment processing flows
  • Monitor error rates and response times

Post-Launch Monitoring

  • 24-hour monitoring of all systems
  • Daily review of key metrics
  • Weekly performance analysis
  • Monthly security audit
  • Quarterly compliance review

Through following this production deployment guide, you can ensure the stability, security, and compliance of your ACP protocol integration, providing users with a high-quality AI-driven shopping experience.