Authentication

Every request to the INFI API requires authentication via a Bearer token:

Authorization: Bearer <YOUR_API_KEY>

Requests without this header return 401:

{ "error": "API key obrigatória. Use: Authorization: Bearer <key>" }

Invalid or revoked key:

{ "error": "API key inválida ou revogada." }

API key format

Every API key has the format:

infi_<64 hexadecimal characters>

Total length: 69 characters. The first 16 characters (infi_ + 11 hex characters) form the public prefix, which is shown in the dashboard so you can tell keys apart without exposing the secret.

Generating and revoking

API keys are generated through the INFI dashboard, under Devices / API keys. Generation requires:

  • An account with approved KYC.
  • A verified responsible party email.

The full secret is shown only once at creation. If you lose it, generate a new key and revoke the old one.

Do not share the key

The API key works like a password. Do not commit it to Git, send it in messages, or expose it on a frontend. If it leaks, revoke it immediately in the dashboard.

Revocation takes effect within seconds. After revocation, requests using that key return 401.

Account preconditions

On every call, INFI checks:

  • Approved KYC. Otherwise: 403 "Conta não está aprovada para uso da API."
  • Account not blocked. Otherwise: 403 "Conta suspensa. Contate o suporte."

These checks read from a cache with a lifetime of up to 30 seconds, so changes made in the dashboard propagate within seconds, not minutes.

Idempotency

On POST /v1/pix, send an externalRef in the body to ensure that retries do not create duplicate charges. See Idempotency.

IP allowlist

Your account can have an IP allowlist enabled (configured by the INFI team). When active, requests from IPs outside the list return:

{ "error": "IP de origem não autorizado para esta chave." }

See IP allowlist.
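A small client-side helper, added here as an example (it is not part of this documentation or of any INFI SDK), that ties together the key format, the Bearer header and the documented 401/403 and allowlist error bodies: it validates the key format locally, exposes only the public prefix for logging, and maps each documented error message to an action. The sample key is constructed and the function names are assumptions of this example.

```python
import json
import re

# Key format from the docs: "infi_" + 64 hex characters, 69 characters in total.
KEY_PATTERN = re.compile(r"^infi_[0-9a-fA-F]{64}$")
PREFIX_LEN = 16  # "infi_" + 11 hex chars: the public prefix shown in the dashboard

# Constructed sample key for the demonstration; not a real INFI credential.
SAMPLE_KEY = "infi_" + "0123456789abcdef" * 4

def validate_key(key: str) -> bool:
    """Local format check before sending: catches truncated or mangled keys."""
    return KEY_PATTERN.fullmatch(key) is not None

def public_prefix(key: str) -> str:
    """The non-secret prefix, safe to put in logs and error reports."""
    return key[:PREFIX_LEN]

def auth_header(key: str) -> dict:
    """Build the Authorization header; never include the full key in the error."""
    if not validate_key(key):
        raise ValueError(f"malformed INFI API key (prefix {public_prefix(key)!r})")
    return {"Authorization": f"Bearer {key}"}

def classify_auth_failure(status: int, body: str) -> str:
    """Map the documented error bodies to an action for the caller."""
    try:
        error = json.loads(body).get("error", "")
    except (json.JSONDecodeError, AttributeError):
        error = ""
    if "IP de origem" in error:
        return "ip-not-allowlisted"          # allowlist is managed by the INFI team
    if status == 401:
        if "revogada" in error:
            return "key-invalid-or-revoked"  # rotate: generate a new key, revoke the old
        return "missing-auth-header"
    if status == 403:
        if "suspensa" in error:
            return "account-blocked"         # contact support; retrying will not help
        return "kyc-not-approved"
    return "other"
```

Load the key from an environment variable or a secrets manager at runtime rather than from a file checked into Git, and log only public_prefix(key) when reporting failures.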

Relationship with dashboard 2FA

The two-factor authentication (TOTP) available in the merchant dashboard does not apply to the REST API. The API is protected by:

  • API key (Bearer token).
  • IP allowlist (optional).
  • Per-key rate limit.

You can enable 2FA in the dashboard without changing how your API integrations behave. Withdrawals initiated through the dashboard then require a TOTP code; withdrawals initiated through POST /v1/withdraw continue to require only the API key.