
Authentication

Instructions for authenticating with Delfinance APIs.

Security requirements

All requests must include proper authentication and account identification headers.
Authentication requirements differ between Sandbox and Production environments.

Production Environment

To consume the HTTP APIs in Production, your integration must meet all requirements below:

1. Required Headers

You must send:

| Header | Required | Description |
|---|---|---|
| x-delbank-api-key | Yes | Authenticates the client |
| x-delfinance-account-id | Yes | Identifies the account being accessed, and must be associated to the API key |

Note: HTTP headers are case-insensitive, but we recommend using the exact header names above for consistency.

Header Responsibilities

  • x-delbank-api-key

    • Authenticates your organization.
    • Determines whether your integration is authorized to access the API.
  • x-delfinance-account-id

    • Identifies which specific account the request is operating on.
    • Must be associated with the provided API key.

If the API key is valid but not authorized for the specified account, the request will be rejected.

2. mTLS (Mutual TLS)

Production requires mTLS (TLS with client certificate authentication).

  • You must configure a valid client certificate and its corresponding private key in your stack (gateway, app, SDK, source code, etc.).
  • Requests without a valid client certificate will be rejected.

3. IP Allowlist (Static Egress IP)

Production access also requires IP allowlisting.

  • You must provide your fixed public outbound (egress) IP addresses in advance.
  • Only requests originating from approved IPs will be accepted.
  • Requests from IPs outside the allowlist will be rejected.

It is the client’s responsibility to ensure these IPs:

  • Do not change
  • Are used exclusively for API communication

IP allowlist enforcement is required in Production from February/2026 onward.

Sandbox Environment

In Sandbox, security requirements are simplified:

  • x-delbank-api-key is required
  • x-delfinance-account-id is required
  • ❌ mTLS is NOT required
  • ❌ IP allowlisting is NOT required

Sandbox is intended for development and integration testing only.

For Sandbox testing, you may use one of the accounts below (with their respective API keys):

| Account ID | API Key |
|---|---|
| 31712 | PJPyJ2xGmyB9oDHyNIUwNOt1dgpgolBwcE16ybaKD5rYEc8ujLtarBP0nNw2FKdgK+5YJFciFwTdORlZsdaTzjEbKN5ut+Ag4xGy69bbtXJmzkzRDHry9ubYbMW4xFMb |
| 29823 | PJPyJ2xGmyB9oDHyNIUwNOt1dgpgolBwcE16ybaKD5q5eXIoHXNudlu+EaCcwXyLnryGdeBNfqofzLQe9f7s/iMVnsMZrbAPO/cYn6pTQEHVErYL080/hmZYV8faI89D |
| 30422 | PJPyJ2xGmyB9oDHyNIUwNOt1dgpgolBwcE16ybaKD5pqVEGTBg/p+APpf4ALsiVmjdB8Qh1tgmKPCyx1kSOz7Hd9IsepYPj6a0odInh0gT5hycP6CbnVo7+9TxvjnCtS |

📘 Alternatively, you can request an individual API key via support: [email protected].
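
The requirements above, as an added example (not Delfinance's own code): a client helper that sets both headers and refuses to build a Production request unless a client certificate and private key are configured. The base URLs, the resource path and the environment variable names are placeholders assumed for illustration; the page does not give them.

```python
import os
import ssl
import urllib.request

# Placeholder hosts: the page does not state base URLs, so these are assumptions.
BASE_URLS = {
    "sandbox": "https://sandbox.api.example.invalid",
    "production": "https://api.example.invalid",
}


def mtls_context(cert_file, key_file):
    """TLS context that verifies the server and presents a client certificate."""
    ctx = ssl.create_default_context()  # server certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def build_request(env, path, api_key, account_id, cert_file=None, key_file=None):
    """Return (Request, SSLContext or None); fail closed on incomplete config."""
    if env not in BASE_URLS:
        raise ValueError(f"unknown environment: {env!r}")
    if not api_key or not account_id:
        raise ValueError("x-delbank-api-key and x-delfinance-account-id are both required")
    ctx = None
    if env == "production":
        if not (cert_file and key_file):
            raise ValueError("production requires a client certificate and private key (mTLS)")
        ctx = mtls_context(cert_file, key_file)
    headers = {"x-delbank-api-key": api_key, "x-delfinance-account-id": str(account_id)}
    return urllib.request.Request(BASE_URLS[env] + path, headers=headers), ctx


if __name__ == "__main__":
    # Read secrets from the environment rather than from source control.
    # The path below is hypothetical; fallback values are constructed samples.
    req, ctx = build_request(
        "sandbox", "/hypothetical/resource",
        os.environ.get("DELBANK_API_KEY", "constructed-key"),
        os.environ.get("DELFINANCE_ACCOUNT_ID", "00000"),
    )
    print(req.full_url, sorted(name.lower() for name, _ in req.header_items()))
    # To send: urllib.request.urlopen(req, context=ctx, timeout=10)
```

The static egress IP requirement cannot be satisfied in client code; it depends on the network path (NAT gateway or proxy) the process sends traffic through.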