
The agency UAT checklist: 60+ checks before you ship a client website

May 11, 2026 · 6 min read

User acceptance testing is where promising agency projects die. Not because the work is wrong, but because the launch surfaces issues that should have been caught a week earlier. Below is the UAT checklist we recommend to agencies running real client projects — exhaustive on purpose, opinionated where it matters, and organised so you can run it as a board.

Copy this list into your project tool as a checklist. Tick each item once verified. Don't ship until the list is clean.

Phase 0 — Pre-UAT setup (before testing starts)

Most UAT failures trace back to bad setup. Get this right and the rest of UAT is mechanical.

  • UAT environment is identified. Confirm whether testing happens on staging, pre-prod, or production. If it's not isolated, decide explicitly that you're testing live.
  • UAT environment matches production config. Same database structure, same environment variables, same payment processor mode (test vs live), same email provider config.
  • Test data is loaded. Don't UAT against an empty database — load realistic content volumes.
  • Test user accounts are created. One per role: admin, regular user, guest, suspended/blocked, plus any custom roles.
  • UAT tracker is set up. Kanban board, spreadsheet, or feedback tool — pick one and don't split issues across multiple tools.
  • Reviewer access is confirmed. Send the URLs and credentials at least 24 hours before UAT starts. Test that each reviewer can actually log in.
  • Browser/device matrix is agreed. Decide which browsers and devices are in scope. Don't UAT on browsers your team isn't going to support.
  • Sign-off criteria are explicit. Define what "passed UAT" actually means — every item closed, or every blocker closed, or some other state.

Phase 1 — Functional checks

Navigation and core flows

  • Every navigation link resolves to the right page (no 404s).
  • Logo links back to the homepage.
  • Breadcrumb trails are correct on every page with breadcrumbs.
  • Back button works from every page (no broken history stacks from SPA misconfiguration).
  • Active-nav state highlights the current section.
  • Footer links work.

Forms

  • Every form submits successfully with valid input.
  • Required-field validation triggers correctly.
  • Email format validation accepts the edge cases (name+tag@domain.co.uk, etc.).
  • Error messages are clear and appear near the offending field.
  • Success state is unambiguous — confirmation message, redirect, or both.
  • Submit button is disabled during submission to prevent double-submits.
  • Forms work without JavaScript on critical pages (e.g. contact, checkout).
  • Submitted data lands in the right place (database, CRM, email).

Authentication and accounts

  • Signup → confirmation email → login flow works end-to-end.
  • Forgot-password flow works.
  • Logout clears the session everywhere (no zombie sessions in other tabs).
  • Session expiry behaves as designed.
  • "Remember me" persists across browser restarts when checked.
  • Brute-force protection / rate limiting works (try a few wrong logins).

Payments and commerce

  • Test card transactions complete and produce the right confirmation.
  • Failed-card flow is graceful (clear error, no double-charge).
  • Order confirmation emails arrive within 60 seconds.
  • Receipt content is correct (line items, taxes, totals).
  • Refund flow works in the admin (don't ship without testing this).
  • Currency / tax / shipping rules are correct for every market in scope.

Phase 2 — Visual checks

Responsive design

  • Desktop (1440 wide and 1920 wide).
  • Laptop (1280 wide).
  • Tablet portrait (768 wide).
  • Mobile (375 and 414 wide).
  • No horizontal scroll on any breakpoint.
  • Tap targets on mobile are at least 44×44 px.
  • Text doesn't overflow containers at any breakpoint.

Browser rendering

  • Chrome (latest two versions).
  • Safari (latest, plus the previous major if iOS is in scope).
  • Firefox (latest).
  • Edge (latest).
  • Mobile Safari on iOS (real device, not just simulator).
  • Chrome on Android (real device).

Visual polish

  • Fonts load on every page (no FOUT longer than 200ms after first visit).
  • Images have explicit dimensions to prevent layout shift.
  • Hero images and above-the-fold content load quickly.
  • Hover, focus, and active states are styled.
  • Focus rings are visible (for accessibility, don't strip them).
  • Dark mode renders correctly if supported.
  • Print stylesheet exists for pages that get printed (invoices, receipts).

Phase 3 — Performance

  • Largest Contentful Paint < 2.5s on a Moto G Power (Chrome's mid-tier device profile) over 4G.
  • Cumulative Layout Shift < 0.1.
  • Total Blocking Time < 200ms.
  • Lighthouse Performance score ≥ 90 on the homepage and the top three landing pages.
  • Images are served as WebP or AVIF where supported.
  • Above-the-fold images use loading="eager"; below-the-fold use loading="lazy".
  • Critical CSS is inlined for the first paint.
  • No third-party scripts blocking initial render.

Phase 4 — Content and copy

  • No Lorem Ipsum anywhere in production content.
  • No "TODO", "FIXME", or placeholder text in user-facing copy.
  • All typos surfaced by a final spell-check pass are fixed.
  • Dates and numbers use the right locale formatting.
  • Phone numbers, addresses, and contact details are correct.
  • Legal pages exist: Privacy Policy, Terms, Cookie Policy.
  • Cookie consent banner is functional (consent saved, suppressed on subsequent visits).
  • Image alt text on every meaningful image.

Phase 5 — SEO checks

  • Every page has a unique <title>.
  • Every page has a unique meta description.
  • Canonical URLs are set correctly (no self-canonical pointing to staging).
  • robots.txt blocks staging; allows production. Don't ship a robots.txt that blocks the whole site.
  • sitemap.xml is present, current, and submitted to Search Console.
  • Structured data (Organization, Product, Article, FAQ) validates in Google's Rich Results Test.
  • Open Graph and Twitter card tags render correctly when pasted into Slack or Twitter.
  • 301 redirects from old URLs are in place if migrating from an existing site.
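
The robots.txt and canonical checks above can be scripted so they run on every deploy. The sketch below is an added example, not part of the original checklist; the host names and sample files are constructed, and in practice you would fetch robots.txt and the page HTML from the launch domain first.

```python
# Added example: constructed inputs, hypothetical host names.
from html.parser import HTMLParser
from urllib.parse import urlsplit
from urllib.robotparser import RobotFileParser


class _CanonicalFinder(HTMLParser):
    """Collects the href of every <link rel="canonical"> tag."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "canonical" in (a.get("rel") or "").lower().split():
            self.hrefs.append(a.get("href") or "")


def launch_seo_findings(robots_txt, page_html, production_host):
    """Return launch-blocking findings for one robots.txt and one page."""
    findings = []
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    # A staging file left in place typically disallows "/" for everyone.
    for agent in ("*", "Googlebot"):
        if not rp.can_fetch(agent, f"https://{production_host}/"):
            findings.append(f"robots.txt blocks '/' for {agent}")
    finder = _CanonicalFinder()
    finder.feed(page_html)
    if len(finder.hrefs) != 1:
        findings.append(f"expected 1 canonical tag, found {len(finder.hrefs)}")
    for href in finder.hrefs:
        host = urlsplit(href).hostname
        if host != production_host:
            findings.append(f"canonical points to {host}, not {production_host}")
    return findings


# Constructed samples: staging settings left in place vs. a clean launch.
STAGING_ROBOTS = "User-agent: *\nDisallow: /\n"
STAGING_PAGE = '<head><link rel="canonical" href="https://staging.example.com/pricing"></head>'
PROD_ROBOTS = "User-agent: *\nDisallow: /admin/\n"
PROD_PAGE = '<head><link rel="canonical" href="https://www.example.com/pricing"></head>'

if __name__ == "__main__":
    print(launch_seo_findings(STAGING_ROBOTS, STAGING_PAGE, "www.example.com"))
    print(launch_seo_findings(PROD_ROBOTS, PROD_PAGE, "www.example.com"))
```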

Phase 6 — Analytics and tracking

  • GA4 or chosen analytics platform fires on every page.
  • Goals / conversions are configured.
  • UTM parameters are preserved through redirects.
  • Form submissions are tracked as events.
  • Outbound clicks on important links are tracked.
  • Tag Manager (if used) has no debug-mode-only firing rules left on.
  • Marketing pixels (Facebook, LinkedIn, etc.) fire on the right events.

Phase 7 — Accessibility quick checks

A full accessibility audit is its own project. These are the minimum checks for a launch:

  • Keyboard navigation works through every interactive element.
  • Tab order is logical.
  • Skip-to-content link exists.
  • Colour contrast meets WCAG AA on text and interactive elements.
  • Form fields have associated labels (not just placeholders).
  • Images have alt text; decorative images have empty alt.
  • No content flashes more than three times per second.
  • Aria attributes are present where needed; not over-used.

Phase 8 — Final pre-launch

  • SSL certificate is valid and covers all subdomains in use.
  • DNS is configured for the launch domain.
  • Email deliverability is tested (SPF, DKIM, DMARC records in place).
  • Backup of the production database has been taken.
  • Rollback plan is documented.
  • Launch-day point person is identified.
  • Client has been briefed on the launch sequence.
  • Monitoring is configured (uptime ping, error tracker, performance budget).
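
The certificate and SPF/DKIM/DMARC items above reduce to a few rules that are easy to get wrong by eye: a wildcard SAN covers exactly one label, a domain must publish exactly one SPF record, and DKIM and DMARC live at fixed DNS names. The sketch below is an added example, not part of the original checklist; it works on SAN names and TXT records you have already fetched, and the domain, the selector `launch` and all record values are constructed.

```python
# Added example: constructed records, hypothetical domain and DKIM selector.
def san_covers(hostname, san_names):
    """True if a SAN matches; '*.' stands in for exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    parent = host.split(".", 1)[1] if "." in host else None
    for san in (s.lower().rstrip(".") for s in san_names):
        if san == host or (san.startswith("*.") and san[2:] == parent):
            return True
    return False


def _tags(record):
    """Parse the 'k=v; k=v' TXT syntax used by DKIM and DMARC into a dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def prelaunch_findings(hosts, san_names, txt, domain, dkim_selector):
    """txt maps a DNS name to the TXT strings already fetched for it."""
    out = [f"certificate does not cover {h}"
           for h in hosts if not san_covers(h, san_names)]
    spf = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # zero or several SPF records both fail evaluation
        out.append(f"expected exactly one SPF record, found {len(spf)}")
    elif {"all", "+all"} & set(spf[0].lower().split()):
        out.append("SPF ends in +all, so any sender passes")
    dkim = [_tags(r) for r in txt.get(f"{dkim_selector}._domainkey.{domain}", [])]
    if not any(t.get("p") for t in dkim):  # empty p= means a revoked key
        out.append("no DKIM public key published for selector " + dkim_selector)
    dmarc = [_tags(r) for r in txt.get(f"_dmarc.{domain}", [])
             if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        out.append(f"expected exactly one DMARC record, found {len(dmarc)}")
    elif dmarc[0].get("p", "").lower() not in ("none", "quarantine", "reject"):
        out.append("DMARC record has no valid p= policy")
    return out


# Constructed sample: nested subdomain, duplicate SPF, no DKIM record.
SANS = ["example.com", "*.example.com"]
HOSTS = ["example.com", "www.example.com", "api.shop.example.com"]
TXT = {
    "example.com": ["v=spf1 include:_spf.mailer.example -all", "v=spf1 mx ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

if __name__ == "__main__":
    for finding in prelaunch_findings(HOSTS, SANS, TXT, "example.com", "launch"):
        print(finding)
```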

How to run this as a board, not a spreadsheet

UAT spreadsheets become unmanageable above forty items. Run UAT as a Kanban board instead — one card per check, with statuses for To verify, Fail (issue logged), Passed. Visual feedback tools like WebPinch let you pin issues directly on the page during the UAT pass; each pin becomes a card with a screenshot, browser, OS, and DOM element automatically attached. Launch when every card is in Passed.

The items most agencies miss

  • Form double-submission. Easy to forget, painful for the client when it happens in production.
  • Email deliverability. A signup flow that "works" until the confirmation email lands in spam is a launch-blocking bug.
  • Cookie consent on the staging environment. If staging has the consent banner suppressed, you can ship a site where the banner is broken in prod.
  • Robots.txt left in staging-block mode. The single most common SEO disaster.
  • The 404 page itself. People do hit it. Make sure it's branded and links back into the site.
  • Real-device mobile testing. Simulator and Chrome devtools don't catch everything.

The summary

UAT isn't a single review — it's eight phases of structured checks that catch different classes of bug. Run them in order on a board, not in your head, and "are we ready to ship?" becomes a question with a clear answer: yes, when the board is clear.
