You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
ZAPPY is a Banking as a Service (BaaS) platform. It provides a secure, compliant infrastructure for banking operations with a modern REST API interface.
The platform enables:
Digital Banking Operations: Account management, transactions, and comprehensive banking services
PIX Integration: Brazilian instant payment system with QR code generation, payments, and key management
Identity & Access Management: JWT-based authentication and session management
Webhook Processing: Event-driven architecture for real-time banking event distribution to customers
Architecture:
IAM Service (Identity and Access Management): User authentication, JWT tokens, session management
BaaS Service (Banking as a Service): Banking API integration, PIX operations, webhook reception and message transformation
Relay Service (Webhook Relay): Distributes webhooks to customers via Pub/Sub (Internal Service - Not documented here)
Platform features:
Multi-tenant: Supports multiple customers on shared infrastructure
Event-driven: Uses Pub/Sub for asynchronous webhook processing
Secure: Defense-in-depth with load balancer, WAF, internal-only serverless services
Banking Compliant: Audit logging, data retention, and compliance-ready architecture
High Availability: Redundant infrastructure with in-memory caching and relational data storage
The platform provides a modern API interface for banking operations with robust security, scalability, and compliance features.
IAM: Identity and Access Management
The IAM (Identity and Access Management) Service provides authentication and session management for the ZAPPY platform. This service allows you to securely authenticate users, manage access tokens, and maintain user sessions throughout your application. All authentication requests are made through the /iam/v1 endpoint base path.
The service supports standard authentication workflows including user login, logout, and token refresh capabilities. When you successfully authenticate a user, you'll receive both an access token for making authenticated API requests and a refresh token for obtaining new access tokens when they expire. Access tokens are short-lived (15 minutes expiration) for security purposes and should be included in the Authorization header of subsequent API requests to protected endpoints. Refresh tokens are valid for 15 days and can be used to obtain new access tokens without requiring the user to log in again.
For applications using an external session management system, the IAM service provides a BFF (Backend For Frontend) integration endpoint that allows you to exchange your existing session identifiers for ZAPPY access tokens, enabling seamless integration with the platform's banking services.
Authentication
POST /iam/v1/auth/login
Authenticates a user and returns a JWT token and refresh token for subsequent requests. The access_token (JWT has 15 minutes expiration) is used for API requests, while the refresh_token (Hash has 15 days expiration) is used to obtain a new access_token when it expires.
{
"code": 401,
"message": "user credentials don't match with our records"
}
Refresh Token
POST /iam/v1/auth/refresh
Refreshes the access token using a valid refresh token. When your access token expires, use this endpoint to obtain a new access token without requiring the user to log in again. The refresh token itself will also be rotated for security purposes.
{
"code": 401,
"message": "the refresh token is invalid"
}
Logout
POST /iam/v1/auth/logout
Logs out the user by invalidating the refresh token. After calling this endpoint, both the access token and refresh token will no longer be valid, and the user will need to log in again to obtain new tokens.
Request:
{
"refresh_token": "string"// required
}
Response 200 OK:
{
"code": 200,
"message": "the user session has been successfully logged out"
}
Response 401 Unauthorized:
{
"code": 401,
"message": "the refresh token is invalid"
}
BFF Session Integration
POST /iam/v1/bff/session
Creates JWT tokens from an external BFF (Backend For Frontend) session ID. This endpoint enables integration with external session management systems by allowing you to exchange a valid BFF session identifier for ZAPPY access and refresh tokens. The session ID is validated against the external BFF service before tokens are issued.
{
"error": "bff_unavailable",
"message": "BFF service unavailable or endpoint not implemented",
"details": {
"error": "string"
}
}
Create User
POST /iam/v1/users
Creates a new user account in the ZAPPY platform. This endpoint requires JWT authentication and allows you to provision new user accounts with their credentials. The password must meet strong password requirements including a mix of letters, numbers, and special characters.
The BaaS (Banking as a Service) Service provides comprehensive banking operations and instant payment capabilities through the /baas/v1 endpoint base path. This service enables you to perform account management operations such as retrieving account balances, transaction history, and detailed financial reports. All account-specific requests to this service require a valid access token obtained from the IAM service, and the account-specific operations must include the account ID in the request path.
The service offers complete PIX integration, Brazil's instant payment system, allowing you to generate dynamic QR codes for receiving payments, execute withdrawals (outgoing transfers to other banks via PIX or traditional bank transfers), manage PIX keys, and process refunds. PIX operations include real-time transaction tracking, the ability to cancel pending transactions, and comprehensive transaction history queries with flexible filtering options. Each account can have multiple registered PIX keys that enable simplified payment identification and collection.
The BaaS service supports PIX Automatic (Pix Automático), enabling receivers to create recurring payment consents directly or via QR codes, and payers to manage consent approvals and scheduled payments.
The BaaS service also provides webhook endpoints for receiving real-time notifications about transaction events. These webhooks notify your application immediately when PIX payments are received, withdrawals are completed, refunds are processed, PIX key status changes occur, or PIX Automatic consent and schedule events happen. This event-driven architecture ensures your application stays synchronized with all banking activities without the need for constant polling.
Reference Data
The Reference Data endpoints provide access to enumerated types and lookup values used throughout the BaaS API. These public endpoints do not require authentication and return standardized lists of valid values for operation types and transaction subtypes.
Get Operation Types
GET /baas/v1/operation/types
Returns a list of all valid operation types supported by the platform. Operation types categorize the nature of banking operations (e.g., PIX transfers, boleto payments, account operations). Use these values to filter transactions via the operation_type parameter in the Get Account Transactions endpoint.
Note: The complete list includes 44 operation types. Use this endpoint to retrieve all current values.
Get Transaction Subtypes
GET /baas/v1/operation/subtypes
Returns a list of all valid transaction subtypes supported by the platform. Subtypes provide detailed categorization of transactions within each operation type (e.g., "Credit Pix in", "Pre-debit Pix out", "Manual credit"). Each transaction in your account history includes a subtype that describes the specific nature of the banking operation.
21 - Initial balance (filtered by default in transactions)
22 - Final balance (filtered by default in transactions)
222 - Credit Pix in
242 - Pre-debit Pix out
244 - Debit Pix out
Note: The complete list includes 380+ subtypes (IDs 0-379). Use this endpoint to retrieve all current values and their descriptions.
Account Management
Get Account Transactions
POST /baas/v1/account/:id/transactions
Retrieves the transaction history for a specific account within a date range. This endpoint returns paginated transaction data along with current account balance and account details. By default, balance entries (Initial/Final Balance) are filtered out unless the raw parameter is set to true.
Generates a detailed account balance report for a specific date range. The report is generated asynchronously and will be sent to the provided email address once processing is complete. This is useful for generating monthly statements or financial reports.
{
"message": "Your account report request has been received and is being processed. You will receive the report file at the provided email address shortly.",
"status": "processing",
"updated_at": "2024-01-01T12:00:00Z"
}
Response 404 Not Found:
{
"code": 404,
"message": "Account not found"
}
PIX QR Code Operations
Generate PIX QR Code
POST /baas/v1/account/:id/pix/qrcode
Generates a dynamic PIX QR code for receiving payments. The QR code can be configured with a specific value, expiration date, and payer information. Once generated, the QR code can be presented to customers who can scan it with their banking app to complete the payment. The account must have at least one registered PIX key to generate QR codes.
{
"code": 422,
"message": "No PIX key registered for this account"
}
Get PIX QR Code
GET /baas/v1/account/:id/pix/qrcode/:reference
Retrieves detailed information about a previously generated PIX QR code using its reference identifier. This includes the QR code hash, payer and receiver information, location details, status, and expiration date.
{
"code": 404,
"message": "The qrcode reference 'string' not found or expired."
}
Cancel PIX QR Code
DELETE /baas/v1/account/:id/pix/qrcode/:reference
Cancels a previously generated PIX QR code by its reference identifier. Once canceled, the QR code can no longer be used to receive payments. This is useful when you need to invalidate a QR code before its expiration date.
{
"code": 404,
"message": "The qrcode reference 'string' not found or expired."
}
PIX Transactions
Get PIX Transactions
POST /baas/v1/account/:id/pix/transactions
Retrieves the history of incoming PIX payments (PIX In) for a specific account within a date range. This endpoint returns paginated transaction data including payer information, QR code details, end-to-end IDs, and payment status.
This endpoint returns only completed transactions (payments that have been received and processed)
Pending QR codes are NOT included in this list - use the single transaction endpoint (GET /baas/v1/account/:id/pix/transactions/:reference) to check if a specific QR code has been paid
Transactions are filtered by the paid_at date within the specified date range
The payer object contains the actual payment initiator's information, which may differ from the QR code's expected payer (for anonymous QR codes)
Get PIX Transaction
GET /baas/v1/account/:id/pix/transactions/:reference
Retrieves detailed information about a specific PIX In transaction using its QR code reference identifier. The transaction reference must have been created within the last 24 hours (cache TTL).
{
"code": "ZPY.PIX.017",
"message": "The transaction reference 'my-order-123' was not found."
}
Important Notes:
The reference must be the same value used when generating the QR code
Transaction references are cached for 24 hours after QR code generation
After cache expiration, the transaction cannot be retrieved via this endpoint (use the date-range search instead)
Transaction Status Values:
Status
Description
pending
QR code exists but payment has not been received yet
expired
QR code expired before payment was received
created
Payment received and credited to account
registered
Payment registered in the banking system (intermediate state)
settled
Payment successfully settled (final state)
canceled
Transaction was canceled
Status Determination Logic:
This endpoint uses a multi-tier cache strategy to determine transaction status:
QR Code Lookup: First, the system checks if the QR code reference exists
If not found → Returns 404 error
If found → Proceeds to payment check
Payment Check: System checks if a payment webhook has been received
If NO payment received:
QR code expired → Returns expired status
QR code still valid → Returns pending status
If payment received → Queries provider for actual transaction status
Provider Status: For paid transactions, the status is retrieved from the banking provider and normalized to lowercase (settled, canceled, etc.)
Payer Data Availability:
The payer field behavior depends on the transaction status and QR code type:
Transaction State
payer Field
Pending
null (omitted from response)
Expired
null (omitted from response)
Paid
Contains actual payer information
Anonymous QR Codes:
When a QR code is generated without payer information (anonymous):
The payer object is present in paid transactions
payer.name and payer.tax_number contain the actual payment initiator's data (the person who paid)
These values come from the payment transaction, not from the QR code generation
Response Field Availability by Status:
Field
pending
expired
settled/paid
reference
✓
✓
✓
document_number
0
0
Payment doc number
e2e_id
"" (empty)
"" (empty)
Transaction E2E ID
origin
null (omitted)
null (omitted)
Origin bank data
destination
null (omitted)
null (omitted)
Destination bank data
payer
null (omitted)
null (omitted)
Payer information
payer.message
-
-
Omitted if empty
qrcode
✓
✓
✓
paid_at
"" (empty)
"" (empty)
ISO 8601 datetime
status
"pending"
"expired"
Provider status
value
✓
✓
✓
Refund PIX In
POST /baas/v1/account/:id/pix/refund
Processes a refund for a previously received PIX payment. You can refund the full or partial amount of the original transaction. The refund is processed immediately and the funds are returned to the payer's account.
Retrieves the history of PIX refund transactions for a specific account within a date range. This includes both refunds you've processed (outgoing) and refunds you've received (incoming).
{
"code": 404,
"message": "The refund reference 'string' not found."
}
Webhook Configuration for PIX In Transactions:
To receive real-time notifications for PIX In payments and refunds, configure your account to listen to these webhook event types:
pix.in.paid - Incoming PIX payment settled
pix.refund.in.paid - Incoming refund completed
pix.refund.in.canceled - Incoming refund canceled
See the Webhooks section for complete documentation on webhook configuration, authentication, and payload examples.
PIX Key Management
Supported PIX Key Types
The ZAPPY platform supports the following PIX key types as defined by the Brazilian Central Bank. Each account can register multiple PIX keys to facilitate payment reception.
Accepted Key Types:
Type
Description
Format Example
SocialSecurity
Brazilian CPF (Individual Taxpayer ID)
12345678901 (11 digits)
TaxNumber
Brazilian CNPJ (Corporate Taxpayer ID)
12345678000199 (14 digits)
Email
Email address
user@example.com
PhoneNumber
Phone number with country code
+5511999999999
RandomKeyCode
Random UUID key generated by the system
123e4567-e89b-12d3-a456-426614174000
Important Notes:
These key type values are case-sensitive and must be used exactly as shown above
SocialSecurity corresponds to CPF (Cadastro de Pessoas Físicas)
TaxNumber corresponds to CNPJ (Cadastro Nacional da Pessoa Jurídica)
Each PIX key must be unique across the entire PIX ecosystem
Keys must be validated and registered with the Brazilian Central Bank before they can be used
Get PIX Keys
GET /baas/v1/account/:id/pix/keys
Retrieves all PIX keys registered for a specific account. PIX keys are identifiers that can be used to receive payments without sharing bank account details. Supported key types include CPF/CNPJ (SocialSecurity/TaxNumber), email, phone number, and random keys.
Retrieves the current status of a specific PIX key. PIX keys can have various statuses during their lifecycle including "registering", "registered", "canceling", and "canceled".
Retrieves detailed information about a PIX key including the receiver's bank details, name, and tax identification number. This information is retrieved from the Brazilian Central Bank's PIX key directory.
Cancels a PIX key registration. Once canceled, the key can no longer be used to receive payments. The cancellation process may take some time to be confirmed by the Brazilian Central Bank's PIX infrastructure.
Withdrawal transactions progress through different statuses during their lifecycle. Understanding these statuses is essential for tracking transaction processing and handling webhook notifications.
Possible Statuses:
Created: Transaction has been initiated and will be processed
Registered: Intermediate state - Transaction was registered in the SPI (Brazilian Instant Payment System) but not yet settled. This is not a final state.
Paid / Settled: Final state - Transaction settled successfully
Canceled: Final state - Transaction canceled
Important Notes:
Intermediate vs Final States: Registered is an intermediate processing state, not a completion status. Transactions in Registered state are still being processed. Only Paid/Settled and Canceled are final states indicating transaction completion.
Webhook Behavior: Only final states (Paid and Canceled) are sent via webhooks. You will not receive webhook notifications for intermediate states like Registered or Created.
Status Normalization: All status values in webhooks are normalized to lowercase (e.g., paid, canceled). The system automatically handles variations in status naming from the payment processor.
Webhook vs API Naming Differences:
While both webhooks and APIs report transaction statuses, there are key naming differences to be aware of:
Paid status in webhooks corresponds to Settled status in API responses (both indicate successful PIX payment settlement)
Canceled status in webhooks may appear as Cancel in some raw responses but is always normalized to canceled
Scheduled PixOut Behavior:
When a PixOut operation is scheduled for a future date, the transaction follows a specific workflow:
Transaction is stored with Created status immediately upon creation
No webhook notification is received at creation time
You must use the Get Withdrawal endpoint to query the transaction status during the waiting period
When the scheduled payment date arrives, the transaction is processed and a webhook with Paid status is sent
Note: To monitor scheduled withdrawals, implement regular polling using the Get Withdrawal endpoint or wait for the webhook notification when the scheduled date is reached.
Withdraw
POST /baas/v1/account/:id/withdraw
Initiates a withdrawal from the account to an external destination. Withdrawals can be made via PIX (instant transfer) or traditional bank transfer. For PIX withdrawals, you can specify a PIX key as the destination. For bank transfers, you must provide complete bank account details. The withdrawal will be processed according to the specified date.
The account_type field specifies the destination bank account type. If not provided, the system will attempt to use the account type from the PIX key lookup, or default to current.
Value
Description
current
Current account (Conta Corrente)
salary
Salary account (Conta Salário)
saving
Savings account (Conta Poupança)
payment
Payment account (Conta de Pagamento)
Important: Destination Tax Number for PIX Transfers
The destination.tax_number field is critical for PIX withdrawals using Email, PhoneNumber, or RandomKeyCode key types. Since these PIX key types don't directly contain the receiver's CPF/CNPJ, the system uses the destination.tax_number you provide as the receiver's tax identification.
For SocialSecurity or TaxNumber PIX keys: The PIX key itself is the tax number
For Email, PhoneNumber, or RandomKeyCode PIX keys: The destination.tax_number is used
Always ensure destination.tax_number contains the unmasked, valid CPF or CNPJ of the payment receiver.
{
"code": 400,
"message": "Validation failed",
"details": {
"errors": "Bank account details are required when method is 'bank_account'; Bank number is required for bank account transfers"
}
}
Get Withdrawal
GET /baas/v1/account/:id/withdraw/:reference
Retrieves detailed information about a specific withdrawal transaction using its reference identifier. This includes the origin and destination bank details, end-to-end ID (for PIX), payment date, and current status.
{
"code": 404,
"message": "The withdrawal reference 'string' not found."
}
Get Withdrawals
POST /baas/v1/account/:id/withdraws
Retrieves a paginated list of withdrawal transactions for a specific account within a date range. This includes both PIX transfers and traditional bank transfers.
Cancels a pending withdrawal transaction by its reference identifier. Only withdrawals that have not yet been processed can be canceled. Once a withdrawal is confirmed or completed, it cannot be canceled.
{
"code": 422,
"message": "Failed to cancel withdrawal"
}
Webhook Configuration for Withdrawals
To receive real-time notifications about withdrawal transaction events, your account must be configured to listen to the following webhook event types:
PIX Out Withdrawal Events:
pix.out.paid - Sent when withdrawal is paid/settled
pix.out.canceled - Sent when withdrawal is canceled
Configuration:
Use your BFF (Backend For Frontend) webhook settings to subscribe to these event types. You can subscribe to individual events or use wildcard patterns for broader coverage:
pix.out.* - Receive all PIX Out events
pix.out.paid - Receive only paid/settled notifications
pix.out.canceled - Receive only cancellation notifications
Important: Webhook notifications only include Paid and Canceled statuses. Other statuses (Created, Registered) are only available through API queries. Remember that Paid in webhooks corresponds to Settled in API responses.
Related Documentation:
See the Webhooks section for complete webhook documentation, payload examples, authentication methods, and retry policies
PIX Automatic (Pix Automático) is a Central Bank of Brazil innovation that enables automated recurring payments through the PIX instant payment system. This feature allows payers to pre-authorize recurring debits from their accounts, enabling businesses to automate collection of subscriptions, memberships, utility bills, and other recurring fees.
A payer's authorization for recurring debits. Contains frequency, value constraints, and validity period.
Schedule
An individual scheduled payment created from an approved consent. Represents a single payment execution.
Payer (Debtor)
The account holder who authorizes and pays the recurring charges.
Receiver (Creditor)
The business or individual who receives the recurring payments.
Key Features:
Payer Control: Payers can approve, modify, or cancel consents at any time
Flexible Value Types: Support for both fixed and variable payment amounts
Central Bank Compliance: Full compliance with Brazilian Central Bank regulations
Real-time Notifications: Webhook events for all consent and payment status changes
User Journeys
PIX Automatic supports two payer authorization journeys for consent confirmation:
Journey 1: Webhook-Based Consent Confirmation
This flow is triggered when a receiver initiates a consent request through their banking system.
┌─────────────────────────────────────────────────────────────────────────────┐
│ JOURNEY 1: WEBHOOK CONSENT CONFIRMATION │
└─────────────────────────────────────────────────────────────────────────────┘
Step 1: Receiver initiates consent request (external system)
↓
Step 2: Banking provider sends consent request to ZAPPY BaaS
↓
Step 3: ZAPPY BaaS sends webhook notification to your application
Event: pix.auto.consent.pending
↓
Step 4: Your app displays consent details to payer for review
- Receiver information
- Payment frequency and value
- Validity period
↓
Step 5: Payer approves or rejects in your app
↓
Step 6: Your app calls POST /auto-pix/consents/{cid}/confirm
{
"status": "approved",
"search_protocol": "...",
"notification": true
}
↓
Step 7: ZAPPY BaaS processes confirmation with banking provider
↓
Step 8: Result webhook sent to your application
Event: pix.auto.consent.approved OR pix.auto.consent.rejected
Important Notes:
The payer must review consent details before confirmation
The search_protocol from the webhook must be included in the confirmation request
Payers can set notification: true to receive alerts before each payment
Journey 2: QR Code Scanning
This flow is initiated when a payer scans a PIX Automatic QR code.
┌─────────────────────────────────────────────────────────────────────────────┐
│ JOURNEY 2: QR CODE CONSENT CONFIRMATION │
└─────────────────────────────────────────────────────────────────────────────┘
Step 1: Receiver generates PIX Automatic QR code (external system)
↓
Step 2: Payer scans QR code using your app
↓
Step 3: Your app calls GET /auto-pix/qrcode/{hash}
↓
Step 4: ZAPPY BaaS returns consent information:
{
"recurrence_id": "REC123",
"search_protocol": "PROTO456",
"receiver": { "name": "...", "tax_number": "..." },
"frequency": "monthly",
"value_type": "fixed",
"value": 9990
}
↓
Step 5: Your app displays consent details to payer for review
↓
Step 6: Payer approves or rejects in your app
↓
Step 7: Your app calls POST /auto-pix/consents/{cid}/confirm
(Same as Journey 1, Steps 6-8)
Important Notes:
QR codes contain encoded consent parameters
The search_protocol from QR code info must be used in confirmation
For variable value consents, payer can set maximum_value during confirmation
Receiver Journey 1: Create Recurrence (Direct)
This flow is initiated by the receiver (creditor) who wants to set up a recurring payment from a known debtor.
┌─────────────────────────────────────────────────────────────────────────────┐
│ RECEIVER JOURNEY 1: CREATE RECURRENCE (DIRECT) │
└─────────────────────────────────────────────────────────────────────────────┘
Step 1: Receiver calls POST /auto-pix/consents
{
"tax_number": "98765432100",
"frequency": "monthly",
"value_type": "fixed",
"value": 29.90,
"initial_date": "2025-02-15"
}
↓
Step 2: ZAPPY BaaS creates recurrence with the banking provider
↓
Step 3: Response: { "recurrence_id": "REC123", "status": "pending" }
↓
Step 4: Banking provider sends consent request to debtor's bank
↓
Step 5: ZAPPY BaaS receives confirmation webhook
Event: pix.auto.consent.confirm
→ Relayed to receiver's webhook endpoint
↓
Step 6: Debtor approves consent via their own banking app
↓
Step 7: ZAPPY BaaS receives notification webhook
Event: pix.auto.consent.approved
→ Relayed to receiver's webhook endpoint
↓
Step 8: Payments are automatically scheduled per frequency
Event: pix.auto.schedule.settled (for each payment)
→ Relayed to receiver's webhook endpoint
Important Notes:
The tax_number is required to identify the payer
The receiver must have a registered PIX key (or provide one in pix_key)
Once created, the consent awaits debtor approval via their own banking institution
Webhook events track the full lifecycle from confirmation to payment
Receiver Journey 2: Generate QR Code with Recurrence
This flow is initiated by the receiver who generates a QR code that encodes recurrence parameters. Any payer can scan this QR code to initiate the consent.
┌─────────────────────────────────────────────────────────────────────────────┐
│ RECEIVER JOURNEY 2: GENERATE QR CODE WITH RECURRENCE │
└─────────────────────────────────────────────────────────────────────────────┘
Step 1: Receiver calls POST /auto-pix/qrcode
{
"pix_key": "receiver@email.com",
"frequency": "monthly",
"value_type": "fixed",
"value": 29.90,
"initial_date": "2025-02-15"
}
↓
Step 2: ZAPPY BaaS generates QR code with the banking provider
↓
Step 3: Response:
{
"hash_code": "HASH123...",
"qrcode_base64": "iVBORw0KGgo...",
"document_number": 12345,
"reference": "unique-reference-uuid"
}
↓
Step 4: Receiver displays QR code to potential payer
↓
Step 5: Payer scans QR code with their banking app
↓
Step 6: Payer's banking app creates recurrence from QR code data
↓
Step 7: Same lifecycle as Receiver Journey 1 (Steps 5-8):
- pix.auto.consent.confirm → pix.auto.consent.approved
- pix.auto.schedule.settled (for each payment)
Important Notes:
A registered PIX key (pix_key) is required for QR code generation
The QR code can be scanned by any payer; tax_number is optional
The reference in the response can be used to look up QR code info later via GET /auto-pix/qrcode/:reference
The qrcode_base64 contains a Base64-encoded PNG image ready for display
Business Rules (Central Bank Compliance)
PIX Automatic operates under strict Central Bank of Brazil regulations. These rules are enforced by the platform and cannot be bypassed.
Scheduling Window
All scheduled payments must fall within the allowed scheduling window:
Constraint
Value
Description
Minimum
D+2
Payment must be scheduled at least 2 business days in advance
Maximum
D+10
Payment must be scheduled no more than 10 business days in advance
Example: If today is January 15th, valid payment dates are January 17th through January 25th.
Requests with payment dates outside this window will be rejected with error code ZPY.PXA.007.
Cancellation Cutoff Times
Different actors have different deadlines for canceling scheduled payments. All times are in America/Sao_Paulo timezone.
Actor
Cutoff Time
Description
Payer
11:59 PM on D-1
Payer can cancel until 1 minute before midnight on the day before payment
Receiver
9:59 PM on D-1
Receiver can cancel until 2 hours before payer cutoff
Example: For a payment scheduled on January 20th:
Payer can cancel until January 19th at 11:59 PM
Receiver can cancel until January 19th at 9:59 PM
Consent Cancellation Impact on Schedules
When a consent is canceled, the impact on existing schedules depends on timing:
Actor
Cancellation Time
D+1 Schedules
D+2+ Schedules
Payer
Any time
Canceled
Canceled
Receiver
Before 10:00 PM
Canceled
Canceled
Receiver
After 10:00 PM
Preserved
Canceled
Important: When a receiver cancels a consent after 10 PM, the next-day (D+1) payment will still be executed. This protects payers from unexpected last-minute cancellations.
Value Type Rules
PIX Automatic supports two value types with different modification rules:
Fixed Value Consent:
Payment amount is set at consent creation and cannot be modified
The value field contains the immutable payment amount
To change the amount, the consent must be canceled and a new one created
Variable Value Consent:
Receiver sets minimum_value at creation (immutable)
Payer sets maximum_value during confirmation (can be modified later)
Actual payment amounts can vary between minimum and maximum
Important: Receiver cannot see the payer's maximum_value
Field
Set By
Modifiable
Visible To
minimum_value
Receiver
No
Both
maximum_value
Payer
Yes (by payer only)
Payer only
Retry Logic
Failed payments are automatically retried according to Central Bank rules:
Parameter
Value
Maximum retry attempts
3
Retry period
Up to 7 days
Retry windows per day
Up to 2
Payer notification
Required 24+ hours before retry
Note: Retry logic is handled automatically by the banking provider. Your application will receive webhook notifications for each attempt result.
Consent Management Endpoints
All PIX Automatic endpoints are account-scoped and require JWT authentication.
Base Path:/baas/v1/account/:id/auto-pix
List Consents
GET /baas/v1/account/:id/auto-pix/consents
Retrieves all PIX Automatic consents associated with the account. Returns both consents where the account is the payer and where it is the receiver.
Note: The maximum_value field is only visible to the payer (debtor). Receivers will not see this field.
Response 404 Not Found:
{
"code": "ZPY.PXA.001",
"message": "Automatic Pix consent not found"
}
Confirm Consent
POST /baas/v1/account/:id/auto-pix/consents/:cid/confirm
Confirms or rejects a pending consent. This endpoint is only available to the payer (debtor) and can only be called when the consent is in pending status.
Cancels an active consent. Both payers and receivers can cancel consents, but the impact on scheduled payments differs based on timing (see Business Rules).
These endpoints are used by the receiver (creditor) to initiate recurring payment consents.
Create Consent (Receiver Journey 1)
POST /baas/v1/account/:id/auto-pix/consents
Creates a new PIX Automatic recurrence directly by specifying the debtor (payer) information. The banking provider will send a consent request to the debtor's bank for approval.
Generates a PIX Automatic QR code that encodes recurrence parameters. When a payer scans this QR code with their banking app, the recurrence is created automatically. The receiver's PIX key is required for QR code generation.
Use wildcard patterns to subscribe to PIX Automatic events:
pix.auto.* - All PIX Automatic events
pix.auto.consent.* - All consent events
pix.auto.schedule.* - All schedule events
pix.auto.consent.approved - Specific event only
See the Webhooks section for complete webhook configuration, authentication, and retry policy documentation.
Webhooks
The ZAPPY platform sends real-time webhook notifications to your configured endpoints when banking events occur. These webhooks enable your application to react immediately to PIX payments, withdrawals, refunds, and PIX key status changes without polling our APIs.
Note: Only final transaction states trigger webhook notifications. Intermediate processing states (such as registration or validation) do not generate webhook events.
PIX Automatic is a Central Bank of Brazil innovation that enables automated recurring payments through the PIX instant payment system. This document describes the complete flow, from consent creation to payment execution, including all webhook events, business rules, and architecture details.
PIX Automatic (Pix Automatico) allows payers to pre-authorize recurring debits from their accounts, enabling businesses to automate collection of subscriptions, memberships, utility bills, and other recurring fees through the PIX instant payment system.
What makes PIX Automatic different from regular PIX:
Payments are pre-authorized by the payer through a consent mechanism
Payments execute automatically on a defined schedule without manual intervention
The payer maintains full control to approve, modify, or cancel consents at any time
Full Central Bank compliance with strict rules on scheduling, cancellation, and retry
Core Concepts
Consent (Recurrence)
A consent represents a payer's authorization for recurring debits. It defines:
Who pays and who receives
How often payments occur (frequency)
How much each payment costs (value type and constraints)
When payments start and optionally end
Each consent has a unique recurrence_id that identifies it throughout its lifecycle.
Schedule
A schedule represents an individual payment created from an approved consent. Each payment occurrence generates a schedule entry with its own schedule_id. Schedules track the execution status of each individual payment.
Payer (Debtor)
The account holder who authorizes and pays the recurring charges. The payer:
Approves or rejects consent requests
Can modify notification preferences and maximum values
Can cancel consents and individual schedules
Receiver (Creditor)
The business or individual who receives the recurring payments. The receiver:
Initiates consent requests (creates recurrences)
Can generate QR codes for easy consent setup
Can cancel consents and individual schedules (with earlier cutoff times)
Value Types
Type
Description
Key Rules
Fixed
Same amount every payment
value is set at creation and cannot be modified
Variable
Amount varies per payment
Receiver sets minimum_value (immutable); payer sets maximum_value during confirmation (modifiable)
This flow is triggered when a receiver initiates a consent request.
┌─────────────────────────────────────────────────────────────────────────────┐
│ PAYER JOURNEY 1: WEBHOOK CONSENT CONFIRMATION │
└─────────────────────────────────────────────────────────────────────────────┘
Step 1: Receiver initiates consent request (via API or external system)
↓
Step 2: BaaS provider sends consent confirmation request
↓
Step 3: Your application receives webhook notification
Event: pix.auto.consent.confirm
Payload includes: recurrence_id, search_protocol, receiver info,
frequency, value_type, value constraints
↓
Step 4: Your app displays consent details to the payer for review:
- Receiver name and tax number
- Payment frequency and value
- Validity period (initial_date to final_date)
↓
Step 5: Payer approves or rejects in your app
↓
Step 6: Your app calls POST /auto-pix/consents/{cid}/confirm
{
"search_protocol": "PROTO123456",
"status": "approved", // or "rejected"
"notification": true, // receive alerts before payments
"maximum_value": 15000 // for variable value consents
}
↓
Step 7: BaaS provider processes the confirmation
↓
Step 8: Your application receives result webhook
Event: pix.auto.consent.approved OR pix.auto.consent.rejected
Important Notes:
The payer must review consent details before confirming
The search_protocol from the webhook must be included in the confirmation request
For variable value consents, the payer can set a maximum_value limit
Setting notification: true enables alerts before each payment execution
Payer Journey 2: QR Code Scanning
This flow is initiated when a payer scans a PIX Automatic QR code generated by a receiver.
┌─────────────────────────────────────────────────────────────────────────────┐
│ PAYER JOURNEY 2: QR CODE CONSENT CONFIRMATION │
└─────────────────────────────────────────────────────────────────────────────┘
Step 1: Receiver generates PIX Automatic QR code
↓
Step 2: Payer scans QR code using your app
↓
Step 3: Your app calls GET /auto-pix/qrcode/{hash}
↓
Step 4: ZAPPY returns consent information:
{
"recurrence_id": "REC123",
"search_protocol": "PROTO456",
"receiver": { "name": "...", "tax_number": "..." },
"frequency": "monthly",
"value_type": "fixed",
"value": 29.90
}
↓
Step 5: Your app displays consent details to the payer for review
↓
Step 6: Payer approves or rejects in your app
↓
Step 7: Your app calls POST /auto-pix/consents/{cid}/confirm
(Same as Payer Journey 1, Steps 6-8)
Important Notes:
QR codes contain encoded consent parameters
The search_protocol from the QR code info must be used in confirmation
For variable value consents, the payer can set maximum_value during confirmation
Receiver Journey
The receiver has two ways to initiate a consent:
Receiver Journey 1: Create Recurrence (Direct)
Use this when you know the debtor's information and want to create a recurrence directly.
┌─────────────────────────────────────────────────────────────────────────────┐
│ RECEIVER JOURNEY 1: CREATE RECURRENCE (DIRECT) │
└─────────────────────────────────────────────────────────────────────────────┘
Step 1: Receiver calls POST /auto-pix/consents
{
"tax_number": "98765432100",
"name": "John Doe",
"frequency": "monthly",
"value_type": "fixed",
"value": 29.90,
"initial_date": "2025-02-15",
"pix_key": "receiver@email.com"
}
↓
Step 2: ZAPPY forwards request to the BaaS provider
↓
Step 3: Response:
{
"recurrence_id": "REC123456",
"status": "pending",
"message": "Recurrence created successfully"
}
↓
Step 4: BaaS provider sends consent request to the debtor's bank
↓
Step 5: Receiver's webhook receives confirmation event
Event: pix.auto.consent.confirm
↓
Step 6: Debtor approves consent via their own banking app
↓
Step 7: Receiver's webhook receives approval event
Event: pix.auto.consent.approved
↓
Step 8: Payments execute automatically per frequency
Event: pix.auto.schedule.settled (for each successful payment)
Request Fields:
Field
Type
Required
Description
tax_number
string
Yes
CPF (11 digits) or CNPJ (14 digits) of the payer
name
string
No
Display name of the payer
frequency
string
Yes
weekly, monthly, quarterly, annual
initial_date
string
Yes
Start date (YYYY-MM-DD)
final_date
string
No
End date (YYYY-MM-DD)
value_type
string
Yes
fixed or variable
value
number
Conditional
Required for fixed value type
minimum_value
number
Conditional
Used for variable value type
maximum_value
number
No
Used for variable value type
description
string
No
Description of the recurrence purpose
contract_id
string
No
External contract identifier
pix_key
string
No
Receiver's PIX key (uses account default if omitted)
Receiver Journey 2: Generate QR Code with Recurrence
Use this when you want to generate a QR code that any payer can scan to set up the recurrence.
┌─────────────────────────────────────────────────────────────────────────────┐
│ RECEIVER JOURNEY 2: GENERATE QR CODE WITH RECURRENCE │
└─────────────────────────────────────────────────────────────────────────────┘
Step 1: Receiver calls POST /auto-pix/qrcode
{
"pix_key": "receiver@email.com",
"frequency": "monthly",
"value_type": "fixed",
"value": 29.90,
"initial_date": "2025-02-15"
}
↓
Step 2: ZAPPY generates QR code via BaaS provider
↓
Step 3: Response:
{
"hash_code": "bx7k9m2p4q8r1t5w3y6z0abc",
"qrcode_base64": "iVBORw0KGgo...",
"document_number": 245188468,
"reference": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}
↓
Step 4: Receiver displays QR code to potential payer
(e.g., on a website, printed invoice, or point-of-sale display)
↓
Step 5: Payer scans QR code with their banking app
↓
Step 6: Payer's bank creates recurrence from QR code data
↓
Step 7: Same lifecycle as Receiver Journey 1 (Steps 5-8)
Request Fields:
Field
Type
Required
Description
pix_key
string
Yes
Receiver's registered PIX key
frequency
string
Yes
weekly, monthly, quarterly, annual
initial_date
string
Yes
Start date (YYYY-MM-DD)
final_date
string
No
End date (YYYY-MM-DD)
value_type
string
Yes
fixed or variable
value
number
Conditional
Required for fixed value type
minimum_value
number
Conditional
Used for variable value type
maximum_value
number
No
Used for variable value type
description
string
No
Description of the recurrence purpose
contract_id
string
No
External contract identifier
tax_number
string
No
Pre-fill payer's CPF/CNPJ
name
string
No
Pre-fill payer's name
Key Differences from Journey 1:
A registered PIX key is required
tax_number is optional (any payer can scan the QR code)
Returns a QR code image (qrcode_base64) and a reference for later lookup
The reference can be used with GET /auto-pix/qrcode/:reference to look up QR code details
Complete Lifecycle
Here is the end-to-end lifecycle of a PIX Automatic recurrence, from creation to payment:
┌─────────────────────────────────────────────────────────────────────────────┐
│ PIX AUTOMATIC - COMPLETE LIFECYCLE │
└─────────────────────────────────────────────────────────────────────────────┘
Phase 1: CONSENT CREATION
─────────────────────────
Receiver creates consent (Journey 1 or Journey 2)
↓
BaaS provider registers the recurrence
↓
Consent status: PENDING
Phase 2: PAYER CONFIRMATION
───────────────────────────
BaaS provider notifies the payer's bank
↓
Webhook: pix.auto.consent.confirm
↓
Payer reviews and decides:
├── Approves → Webhook: pix.auto.consent.approved
│ Consent status: APPROVED
│
└── Rejects → Webhook: pix.auto.consent.rejected
Consent status: REJECTED (terminal)
Phase 3: PAYMENT SCHEDULING (only if approved)
───────────────────────────────────────────────
BaaS provider automatically creates schedules based on frequency
↓
For each scheduled payment:
├── Execution succeeds → Webhook: pix.auto.schedule.settled
│ Schedule status: SETTLED
│
├── Execution fails → Webhook: pix.auto.schedule.failed
│ Schedule status: FAILED
│ (may retry up to 3 times over 7 days)
│
└── Canceled → Webhook: pix.auto.schedule.canceled
Schedule status: CANCELED
Phase 4: CONSENT TERMINATION (optional)
───────────────────────────────────────
Either party cancels the consent:
↓
Consent status: CANCELED
Future schedules: CANCELED (subject to cutoff rules)
Lifecycle Timing Example
For a monthly fixed-value consent starting February 2025:
Date
Event
Status
Jan 20
Receiver creates consent
Consent: pending
Jan 20
BaaS provider sends confirmation request
Webhook: pix.auto.consent.pending
Jan 21
Payer approves consent
Webhook: pix.auto.consent.approved
Feb 15
First payment executes
Webhook: pix.auto.schedule.settled
Mar 15
Second payment executes
Webhook: pix.auto.schedule.settled
Apr 10
Payer cancels consent
Consent: canceled, future schedules: canceled
Webhook Events
All PIX Automatic webhook events are delivered to your configured endpoint via the ZAPPY Relay Service. Events use the pix.auto.* namespace.
Consent Events
pix.auto.consent.pending
Sent when a new consent is created and awaiting payer approval. This is the initial notification for a new recurring payment consent.
Each webhook message includes metadata attributes used for routing and idempotency:
Attribute
Description
Example
event_type
The event type
pix.auto.consent.approved
type
Transaction type
debit
account_id
Resolved account UUID
uuid-string
webhook_id
Unique webhook identifier
uuid-string
correlation_id
Distributed tracing ID
uuid-string
dedup_key
Idempotency key
pix_auto_recurrence:REC123456
Event Filtering
Subscribe to PIX Automatic events using wildcard patterns:
Pattern
Events Matched
pix.auto.*
All PIX Automatic events
pix.auto.consent.*
All consent events (pending, approved, rejected, canceled)
pix.auto.schedule.*
All schedule events (pending, settled, failed, canceled)
pix.auto.consent.approved
Only consent approval events
pix.auto.schedule.settled
Only successful payment events
Business Rules
PIX Automatic operates under strict Central Bank of Brazil regulations. These rules are enforced by the platform and cannot be bypassed.
Scheduling Window
All scheduled payments must fall within the allowed scheduling window:
Constraint
Value
Description
Minimum
D+2
Payment must be scheduled at least 2 business days in advance
Maximum
D+10
Payment must be scheduled no more than 10 business days in advance
Example: If today is January 15th, valid payment dates are January 17th through January 25th.
Requests with payment dates outside this window will be rejected with error code ZPY.PXA.007.
Cancellation Cutoff Times
Different actors have different deadlines for canceling scheduled payments. All times are in America/Sao_Paulo timezone.
Actor
Cutoff Time
Description
Payer
11:59 PM on D-1
Payer can cancel until 1 minute before midnight on the day before payment
Receiver
9:59 PM on D-1
Receiver can cancel until 2 hours before payer cutoff
Example: For a payment scheduled on January 20th:
Payer can cancel until January 19th at 11:59 PM
Receiver can cancel until January 19th at 9:59 PM
Consent Cancellation Impact on Schedules
When a consent is canceled, the impact on existing schedules depends on timing:
Actor
Cancellation Time
D+1 Schedules
D+2+ Schedules
Payer
Any time
Canceled
Canceled
Receiver
Before 10:00 PM
Canceled
Canceled
Receiver
After 10:00 PM
Preserved
Canceled
Important: When a receiver cancels a consent after 10 PM, the next-day (D+1) payment will still be executed. This protects payers from unexpected last-minute cancellations.
Value Type Rules
Fixed Value Consent:
Payment amount is set at consent creation and cannot be modified
The value field contains the immutable payment amount
To change the amount, the consent must be canceled and a new one created
Variable Value Consent:
Receiver sets minimum_value at creation (immutable)
Payer sets maximum_value during confirmation (can be modified later)
Actual payment amounts can vary between minimum and maximum
Important: Receiver cannot see the payer's maximum_value
Field
Set By
Modifiable
Visible To
minimum_value
Receiver
No
Both
maximum_value
Payer
Yes (by payer only)
Payer only
Retry Logic
Failed payments are automatically retried according to Central Bank rules:
Parameter
Value
Maximum retry attempts
3
Retry period
Up to 7 days
Retry windows per day
Up to 2
Payer notification
Required 24+ hours before retry
Retry logic is handled automatically by the BaaS provider. Your application will receive webhook notifications (pix.auto.schedule.failed or pix.auto.schedule.settled) for each attempt result.
