Initiate a PIX withdrawal

POST/v1/withdraw

Initiates a PIX withdrawal to an external key.

Preconditions

Available balance ≥ amountCents + feeCents, approved KYC, account not blocked, allowed PIX key type. Synchronous failures do not debit the balance.

Headers

Header	Required	Description
`Authorization`	yes	`Bearer <YOUR_API_KEY>`
`Content-Type`	yes	`application/json`

Body

{
  "amountCents": 5000,
  "pixKey": "12345678901",
  "pixKeyType": "cpf",
  "description": "Commission payout",
  "externalRef": "withdraw-2026-05-08-001"
}

Field	Type	Req.	Description
`amountCents`	integer	yes	Amount in cents. Minimum: `100`.
`pixKey`	string	yes	The recipient’s PIX key. Max 150 characters.
`pixKeyType`	string	yes	`cpf`, `cnpj`, `email`, `phone` or `evp` (see mode-specific restrictions below). Variations in case and whitespace are normalized — `"CPF"`, `"Cnpj"`, `" email "` are accepted.
`description`	string	no	Free-form description. Max 200 characters.
`externalRef`	string	no	Recommended. Your idempotency key (max 100 characters). Two requests with the same `externalRef` receive the same transaction — protects against duplication on retries. See callout below.
`recipientId`	string	no	ID of the third-party recipient pre-approved by INFI (24 hex characters). Without this field, the withdrawal goes to the account holder (registered CPF/CNPJ). With this field, the withdrawal goes to the authorized third party. See “Withdrawals to third parties” below.

Idempotency via externalRef (recommended)

Whenever possible, send a unique externalRef per withdrawal. If your call fails with timeout, network drop or your service crashes, resend the request with the same externalRef — the response will return the original transaction with idempotent: true, without creating a duplicate withdrawal.

Without externalRef, retries create separate withdrawals — real risk of duplication. Always use something unique and stable (e.g., internal ID in your system, UUID).

Two withdrawal modes

Mode 1 — Withdrawal to the account holder (default, no `recipientId`)

Default behavior. Accepts only keys of type cpf or cnpj belonging to the account holder:

pixKeyType: "cpf" → the key must match the CPF of the registered responsible party.
pixKeyType: "cnpj" → the key must match the CNPJ of the registered company.

Other types (email, phone, evp) are only accepted in Mode 2 (authorized third party).

Mode 2 — Withdrawal to an authorized third party (with `recipientId`)

To withdraw to a CPF/CNPJ that is not the account holder (e.g., recurring supplier, inter-company transfer), the recipient must be pre-approved by the INFI team.

How to request approval: contact INFI support with the legal name and CPF/CNPJ of the recipient. The team evaluates the case (compliance/AML) and, if approved, the recipientId (24 hex characters) becomes available through GET /v1/recipients. There is no self-service registration endpoint — every approval is manual with audit trail.

Restrictions in Mode 2:

Accepts all 5 PIX key types (cpf, cnpj, email, phone, evp).
For pixKeyType: "cpf" or "cnpj": the key must match exactly the approved recipient’s document.
For email/phone/evp: INFI trusts that the destination resolves in the BACEN DICT to the approved document. The PSP rejects if there is a mismatch.
Every third-party withdrawal triggers an internal alert at INFI (continuous audit).

Prior approval is mandatory

You cannot withdraw to any CPF/CNPJ via API — only to recipients that the INFI team previously approved for your account. Each approval goes through compliance review and generates an audit trail.

Response `201 Created`

Automatic mode (default)

{
  "transactionId": "...",
  "status": "processing",
  "amountCents": 5000,
  "feeCents": 100,
  "totalDeducted": 5100
}

Balance has been debited (totalDeducted = amountCents + feeCents). Wait for the TRANSFER_PAID webhook or check the status.

Manual approval mode

{
  "transactionId": "...",
  "status": "pending_approval",
  "amountCents": 5000,
  "feeCents": 100,
  "totalDeducted": 5100
}

Balance has not been debited yet. Awaits INFI team review. See Withdrawal lifecycle.

Response `200 OK` (idempotent retry)

When you resend a request with an externalRef that already exists, the response has status 200 (instead of 201) and includes idempotent: true:

{
  "transactionId": "...",
  "status": "processing",
  "amountCents": 5000,
  "feeCents": 100,
  "totalDeducted": 5100,
  "idempotent": true
}

The transactionId is the same as the original call. No new withdrawal is created, no additional balance is debited.

Error responses / special cases

HTTP	Body	Meaning
400	`"amountCents deve ser inteiro ≥ 100..."`	Invalid amount.
400	`"pixKey obrigatória."`	Missing key.
400	`"pixKeyType deve ser 'cpf', 'cnpj', 'email', 'phone' ou 'evp'. Recebido: '<value>'."`	Unknown type after normalization.
400	`"Saque para chaves email/telefone/aleatória exige destinatário autorizado."`	`pixKeyType` is `email`/`phone`/`evp` but you did not send `recipientId`. Use Mode 2.
400	`"recipientId inválido."`	Invalid `recipientId` format (expected: 24 hex chars).
400	`"Tipo de chave (CPF/CNPJ) não bate com o tipo do documento do destinatário."`	You sent `pixKeyType: "cpf"` but the approved recipient is CNPJ (or vice-versa).
404	`"Destinatário autorizado não encontrado."`	`recipientId` does not exist for this account. Check with support.
422	`"Destinatário desativado pelo time INFI. Saque cancelado."`	The recipient was deactivated (compliance/AML). Request re-approval.
403	`"Chave PIX (CPF/CNPJ) não corresponde ao documento do destinatário autorizado."`	Mode 2 with `cpf`/`cnpj` requires the PIX key to equal the approved document.
400	`"Saque acima do máximo..."`	Exceeds per-transaction limit.
401	`"API key inválida ou revogada."`	—
403	`"Tipo de chave PIX 'X' não autorizado para esta conta."`	Account restriction.
403	`"Saque com chave CNPJ só permitido para o CNPJ cadastrado..."`	Account-holder constraint.
403	`"Saque com chave CPF só permitido para o CPF do responsável..."`	Account-holder constraint.
403	`"IP de origem não autorizado..."`	IP allowlist.
422	`"Saldo insuficiente para realizar o saque."`	Balance + fee > available.
429	`"Aguarde alguns segundos antes do próximo saque."`	Anti-burst rate limit (1/second).
429	`"Muitos saques em curto intervalo. Aguarde alguns instantes."`	Anti-burst rate limit (2/minute).
429	`"Limite de saques atingido."`	Hourly rate limit (10/hour).
502	`"Erro ao processar saque. O valor não foi debitado."`	Provider failure with rollback.
502	`"Saque iniciado mas confirmação interrompida..."`	Operation completed, response interrupted. Query the returned `transactionId`.
202	`"Saque em verificação. Saldo debitado..."`	Indeterminate state. Do not resend. See `failed_unknown`.

Examples

curl -X POST https://api.internationalfinance.com.br/v1/withdraw \
  -H "Authorization: Bearer $INFI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "amountCents": 5000,
    "pixKey": "12345678901",
    "pixKeyType": "cpf",
    "description": "Payout",
    "externalRef": "withdraw-2026-05-08-001"
  }'

// Always use a unique and stable externalRef — protects against duplication on retries.
const res = await fetch('https://api.internationalfinance.com.br/v1/withdraw', {
  method: 'POST',
  headers: {
    Authorization: `Bearer ${process.env.INFI_API_KEY}`,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    amountCents: 5000,
    pixKey: '12345678901',
    pixKeyType: 'cpf',
    description: 'Payout',
    externalRef: 'withdraw-2026-05-08-001',
  }),
})
const body = await res.json()
if (res.status === 202) {
  // failed_unknown — DO NOT resend
  console.warn('withdrawal under verification', body.transactionId)
} else if (!res.ok) {
  throw new Error(`INFI ${res.status}: ${body.error}`)
}
if (body.idempotent) {
  console.info('idempotent retry — reusing transaction', body.transactionId)
}
const withdrawal = body

import os, requests
 
# Always use a unique and stable externalRef — protects against duplication on retries.
res = requests.post(
    "https://api.internationalfinance.com.br/v1/withdraw",
    headers={
        "Authorization": f"Bearer {os.environ['INFI_API_KEY']}",
        "Content-Type": "application/json",
    },
    json={
        "amountCents": 5000,
        "pixKey": "12345678901",
        "pixKeyType": "cpf",
        "description": "Payout",
        "externalRef": "withdraw-2026-05-08-001",
    },
)
body = res.json()
if res.status_code == 202:
    # failed_unknown — do not resend
    pass
elif not res.ok:
    raise RuntimeError(body.get("error"))
if body.get("idempotent"):
    print("idempotent retry — reusing transaction", body["transactionId"])
withdrawal = body

<?php
$client = new GuzzleHttp\Client(['http_errors' => false]);
// Always use a unique and stable externalRef — protects against duplication on retries.
$res = $client->post('https://api.internationalfinance.com.br/v1/withdraw', [
  'headers' => [
    'Authorization' => 'Bearer ' . getenv('INFI_API_KEY'),
    'Content-Type'  => 'application/json',
  ],
  'json' => [
    'amountCents' => 5000,
    'pixKey'      => '12345678901',
    'pixKeyType'  => 'cpf',
    'description' => 'Payout',
    'externalRef' => 'withdraw-2026-05-08-001',
  ],
]);
$body = json_decode($res->getBody(), true);
if ($res->getStatusCode() === 202) {
  // failed_unknown — do not resend
}

Example: withdrawal to an authorized third party (Mode 2)

Use the recipientId returned by the INFI team after approving your recipient:

curl -X POST https://api.internationalfinance.com.br/v1/withdraw \
  -H "Authorization: Bearer $INFI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "amountCents": 5000,
    "pixKey": "supplier@company.com",
    "pixKeyType": "email",
    "recipientId": "abc123def456abc123def456",
    "description": "Payment to supplier X",
    "externalRef": "supplier-payment-2026-05-15"
  }'

The response has the same format as the previous examples. You can mix cpf/cnpj/email/phone/evp in pixKeyType as long as the recipient is approved and (for cpf/cnpj) the key matches the approved document exactly.

Create a PIX charge Register a recipient