Hi everyone,
I recently finished building a micro-SaaS (a local-first text comparison tool) and wanted to share some technical hurdles I faced this week regarding payments and emails. Hopefully, this saves some of you a few hours of headache.
I chose Paddle as the MoR (Merchant of Record) to handle global taxes, but the transition from Sandbox to Production was trickier than the documentation suggested.
1. The "Location" Trap with Payoneer
I'm based in a region where I use Payoneer to receive USD.
- The Mistake: In the Paddle dashboard, I initially tried to set my country to "United States" because the Payoneer bank account is technically in the US.
- The Fix: You must select your actual residence country (e.g., China/India) but select "Payoneer" as the payout method. Paddle has a direct integration. If you lie about the location to match the bank, you will fail the KYC/KYB identity verification.
2. The API Permission "Gotcha"
I spent hours debugging a 403 Forbidden error when trying to cancel a subscription via the Node.js SDK.
- The Cause: My Live API Key had "Full Access" but apparently, you must explicitly check the "Write" permission for Subscriptions when generating the key. It doesn't default to "Write" even if you think you selected everything.
- Also: Don't forget to switch your SDK initialization from `Environment.sandbox` to `Environment.production`. It sounds obvious, but it's easy to miss in the config.
3. Emails going to Spam (Resend + Gmail)
I use Resend for magic links. Even with SPF and DKIM set up in Cloudflare, my emails were hitting Gmail's spam folder.
- The Missing Piece: DMARC.
- Gmail's 2024 rules are strict. Even if your SPF passes, without a `_dmarc` TXT record (even just `v=DMARC1; p=none;`), new domains have a very hard time hitting the inbox. Once I added this record and waited 15 mins, I got the green "PASS" in Gmail's original message headers.
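
A small checker for the two things this section relies on, the `_dmarc` TXT record and the SPF/DKIM/DMARC results in Gmail's original message headers. This is an added example, not code from the original post; the function names, the `example.com` domain and the sample header are constructed for illustration.

```javascript
// Parse a DMARC TXT record into tags and report problems (fatal) and notes (advisory).
function parseDmarc(txt) {
  const tags = txt.split(';').map(s => s.trim()).filter(Boolean).map(s => {
    const i = s.indexOf('=');
    return i < 0 ? [s.toLowerCase(), '']
                 : [s.slice(0, i).trim().toLowerCase(), s.slice(i + 1).trim()];
  });
  const rec = Object.fromEntries(tags);
  const policy = (rec.p || '').toLowerCase();
  const problems = [];
  const notes = [];
  // RFC 7489: the version tag comes first and must be exactly "DMARC1".
  if (!tags.length || tags[0][0] !== 'v' || tags[0][1] !== 'DMARC1') {
    problems.push('v=DMARC1 must be the first tag');
  }
  // This checker requires an explicit, valid policy.
  if (!['none', 'quarantine', 'reject'].includes(policy)) {
    problems.push('p must be none, quarantine or reject');
  }
  if (!rec.rua) notes.push('no rua: no aggregate reports will be sent');
  if (policy === 'none') {
    notes.push('p=none: monitoring only, failing mail is not quarantined or rejected');
  }
  return { valid: problems.length === 0, policy: policy || null, problems, notes };
}

// Extract spf/dkim/dmarc verdicts from an Authentication-Results header.
function authResults(header) {
  const out = {};
  for (const m of header.matchAll(/\b(spf|dkim|dmarc)=(\w+)/gi)) {
    out[m[1].toLowerCase()] = m[2].toLowerCase();
  }
  return out;
}

// Constructed sample header (not captured from a real message).
const SAMPLE_HEADER = [
  'Authentication-Results: mx.google.com;',
  '  dkim=pass header.i=@example.com header.s=selector1;',
  '  spf=pass (google.com: domain of bounce@example.com designates',
  '    203.0.113.5 as permitted sender) smtp.mailfrom=bounce@example.com;',
  '  dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com',
].join('\n');

console.log(parseDmarc('v=DMARC1; p=none;'));
console.log(authResults(SAMPLE_HEADER));
```

The notes for `v=DMARC1; p=none;` show why it is only a starting point: the record is valid, but it requests no reports and asks receivers to take no action on failing mail.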
Current Status:
The app is finally live with Pro plans working. It’s been a steep learning curve moving from "coding features" to "managing infrastructure."
Happy to answer any questions about the Paddle verification process if anyone is stuck there!
I built these learnings while working on PrivacyDiff - a secure local-first comparison tool.
