Authentication

Public server-to-server requests from external applications use Client Credentials.

Your PredictaID administrator provides:

  • API base URL for each environment.
  • clientId.
  • clientSecret.
  • Webhook signing secret.

Use different credentials for sandbox, staging, and production.

Headers

Include the following headers in your HTTP requests:

  • x-client-id: Your Client ID
  • x-client-secret: Your Client Secret

x-client-id: client_abc123
x-client-secret: your_client_secret
Content-Type: application/json

Note: Client applications are generated and managed in the Developers > My Apps section of the dashboard by authorized operators.

Public vs Operator APIs

Client credentials are used by public integration endpoints such as KYT ingestion and legacy transaction submission.

Dashboard/operator APIs use user authentication and permissions. They are not the same contract as the public client-credential APIs and should not be called from customer integrations unless PredictaID explicitly enables that integration path.

Secret Handling

  • Store clientSecret in a backend secret manager.
  • Never include the secret in browser JavaScript or mobile apps.
  • Do not log credentials, full CPF/CNPJ, or raw bureau data.
  • Rotate credentials when a secret is exposed or an application is decommissioned.
  • Use HTTPS for all requests.

Example Request

curl -X POST "https://{api-host}/kyt/transactions/ingest" \
  -H "Content-Type: application/json" \
  -H "x-client-id: client_abc123" \
  -H "x-client-secret: $PREDICTAID_CLIENT_SECRET" \
  -d '{"transactionId":"order_100045","type":"PIX_TRANSFER","channel":"MOBILE_APP","amount":1250.75,"currency":"BRL","occurredAt":"2026-05-06T13:30:00.000Z","origin":{},"destination":{}}'

Response Codes

  • 401 Unauthorized: Invalid Client ID or Secret.
  • 403 Forbidden: Application is disabled or scope is insufficient.
  • 429 Too Many Requests: Rate limit exceeded.
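The following is an added example, not PredictaID's own client library: a minimal backend-side client that sets the headers above, masks the secret before anything is logged, and maps the documented response codes to a retry decision (401/403 are not retried, 429 backs off). The `Retry-After` handling and the 5-second default delay are assumptions, not documented behaviour.

```python
import json
import time
import urllib.request
from urllib.error import HTTPError

def build_headers(client_id, client_secret):
    """Headers the public API expects; the secret is supplied by the caller, never a literal."""
    if not client_id or not client_secret:
        raise ValueError("client credentials must not be empty")
    return {"Content-Type": "application/json",
            "x-client-id": client_id,
            "x-client-secret": client_secret}

def redact(headers):
    """Copy of the headers that is safe to log: the secret is masked."""
    return {k: ("***" if k.lower() == "x-client-secret" else v) for k, v in headers.items()}

def retry_decision(status, retry_after=None):
    """Map the documented codes to (should_retry, delay_seconds).
    401/403 are credential or scope problems, so retrying cannot help;
    429 is rate limiting, so back off (honouring a numeric Retry-After; 5 s is an assumed default)."""
    if status in (401, 403):
        return False, 0.0
    if status == 429:
        try:
            return True, float(retry_after) if retry_after else 5.0
        except ValueError:
            return True, 5.0
    return False, 0.0

def ingest_transaction(host, client_id, client_secret, transaction, max_attempts=3):
    """POST one transaction to /kyt/transactions/ingest, retrying only when retry_decision allows."""
    req = urllib.request.Request(f"https://{host}/kyt/transactions/ingest",
                                 data=json.dumps(transaction).encode(),
                                 headers=build_headers(client_id, client_secret), method="POST")
    for attempt in range(1, max_attempts + 1):
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except HTTPError as err:
            retry, delay = retry_decision(err.code, err.headers.get("Retry-After"))
            # Log redacted headers only; the body (which may carry CPF/CNPJ) is never logged.
            print(f"attempt {attempt} failed with {err.code}; headers={redact(dict(req.header_items()))}")
            if not retry or attempt == max_attempts:
                return err.code, {}
            time.sleep(delay)
```

Pass the secret from the environment or your secret manager, for example `os.environ["PREDICTAID_CLIENT_SECRET"]`, exactly as the curl example above does.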

For request/response examples and go-live checks, see Integration Reference.