Integration Suggestion

1. Authentication

  • Is a digital certificate being used for the connection?
  • Is the token expiration time being observed?
  • Has a caching strategy been developed for token use within the validity period?
  • Does the caching strategy comply with the architecture of the platform being integrated (e.g., distributed architecture with multiple instances)?
  • Has token security been taken into account?
  • Are appropriate measures in place to handle possible authentication failures?
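The following is an added example, not code from the original checklist or from any PSP, showing how the token questions above fit together: a cache that reuses the token within its validity period, refreshes a little before the expiration time so an in-flight request never carries a stale token, and turns token-endpoint failures into an explicit error instead of a bare exception. The token-issuing call is injected (the hypothetical `fetch_token` parameter), so the real HTTPS request with the client certificate sits outside this class; the fake fetcher and clock in `demo()` are constructed for illustration.

```python
"""Access-token cache honouring expiration and a refresh safety margin.

Added example, not the original page's code. The response shape
{"access_token": ..., "expires_in": <seconds>} is an assumption.
"""
import threading
import time
from dataclasses import dataclass
from typing import Callable, Optional


class AuthenticationError(RuntimeError):
    """Raised when a fresh token cannot be obtained (network, HTTP or malformed body)."""


@dataclass
class _CachedToken:
    value: str
    refresh_at: float  # absolute time after which we fetch a new one


class TokenCache:
    """Process-local cache; one instance per application process.

    In a distributed deployment every instance would otherwise hit the token
    endpoint on its own: put the same (value, refresh_at) pair in a shared store
    instead of this in-memory field, keeping the same margin logic.
    """

    def __init__(self, fetch_token: Callable[[], dict], *,
                 safety_margin: float = 30.0,
                 clock: Callable[[], float] = time.time) -> None:
        self._fetch = fetch_token          # hypothetical: does the mTLS HTTPS call
        self._margin = safety_margin
        self._clock = clock
        self._lock = threading.Lock()      # one refresh at a time under concurrency
        self._token: Optional[_CachedToken] = None
        self.fetch_count = 0               # observability: how often we really fetched

    def _valid(self) -> bool:
        return self._token is not None and self._clock() < self._token.refresh_at

    def get(self) -> str:
        with self._lock:
            if self._valid():
                return self._token.value
            try:
                body = self._fetch()
            except Exception as exc:  # transport/HTTP errors become one typed error
                raise AuthenticationError(f"token request failed: {exc}") from exc
            try:
                value = str(body["access_token"])
                ttl = float(body["expires_in"])
            except (KeyError, TypeError, ValueError) as exc:
                raise AuthenticationError("malformed token response") from exc
            if ttl <= 0:
                raise AuthenticationError("token already expired on issue")
            # Never let the margin exceed half the lifetime, or a short-lived
            # token would be refetched on every call.
            margin = min(self._margin, ttl / 2)
            self._token = _CachedToken(value, self._clock() + ttl - margin)
            self.fetch_count += 1
            return value

    def invalidate(self) -> None:
        """Call after a 401 so the next get() fetches a new token."""
        with self._lock:
            self._token = None


def demo() -> int:
    """Constructed scenario: a 3600 s token is fetched once and reused until
    30 s before expiry. Returns the number of real fetches (expected 2)."""
    now = [1000.0]
    issued = []

    def fake_fetch() -> dict:  # constructed stand-in for the token endpoint
        issued.append(1)
        return {"access_token": f"tok{len(issued)}", "expires_in": 3600}

    cache = TokenCache(fake_fetch, safety_margin=30.0, clock=lambda: now[0])
    cache.get(); cache.get()          # served from cache
    now[0] = 1000.0 + 3600 - 31       # still inside the validity window
    cache.get()
    now[0] = 1000.0 + 3600 - 30       # margin reached: refresh early
    cache.get()
    return cache.fetch_count
```

Pair `invalidate()` with the 401 handling of the API client so a token revoked server-side is replaced instead of retried until the cache expires.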

2. Webhook

  • Is the callback URL operating exclusively over the HTTPS protocol?
  • Have measures been defined to mitigate a potential DoS attack directed at the callback URL?
  • Are failures in the process being properly handled and reported?
  • Is there a monitoring and logging strategy in place?

3. Charges and Payments

  • Is the authorization token being retrieved from the cache?
  • Is a digital certificate being used for the connection?
  • Is the charge/payment status being validated?
  • Is the txId/e2eId being stored as the key that associates the charge with its payment?

4. Queries

  • Is the authorization token being retrieved from the cache?
  • Is a digital certificate being used for the connection?
  • Does the queried transaction include a refund?
  • Is the payment amount being validated?
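As an added example covering the status, amount, txId/e2eId and refund questions of sections 3 and 4 (not code from the original checklist or from any PSP), here is a small reconciliation step over a received Pix payment. The field names `txid`, `endToEndId`, `valor`, `devolucoes` and the status values `ATIVA`, `CONCLUIDA`, `REALIZADA` are assumptions modelled on the Pix API shape; the sample payloads are constructed. Amounts are handled as `Decimal` with two places, never as floats.

```python
"""Reconcile charges against Pix payment notifications/query results.

Added example; field and status names are assumptions to be checked against
the PSP documentation you integrate with.
"""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from typing import Dict, Optional, Set

# Assumed status names (verify against the real API).
CHARGE_ACTIVE = "ATIVA"
CHARGE_SETTLED = "CONCLUIDA"
REFUND_DONE = "REALIZADA"


@dataclass
class Charge:
    txid: str
    amount: Decimal
    status: str = CHARGE_ACTIVE
    e2e_id: Optional[str] = None  # txid -> endToEndId association kept for audits


@dataclass
class Ledger:
    charges: Dict[str, Charge] = field(default_factory=dict)
    seen_e2e: Set[str] = field(default_factory=set)  # notifications may be redelivered


def money(raw) -> Decimal:
    """Parse an amount string strictly: non-negative, at most two decimals."""
    try:
        value = Decimal(str(raw))
    except (InvalidOperation, ValueError) as exc:
        raise ValueError(f"bad amount: {raw!r}") from exc
    if value < 0 or value != value.quantize(Decimal("0.01")):
        raise ValueError(f"bad amount: {raw!r}")
    return value


def net_amount(pix: dict) -> Decimal:
    """Gross value minus refunds that actually completed (section 4 check)."""
    gross = money(pix["valor"])
    refunded = sum(
        (money(d["valor"]) for d in pix.get("devolucoes", [])
         if d.get("status") == REFUND_DONE),
        Decimal("0"),
    )
    return gross - refunded


def apply_payment(ledger: Ledger, pix: dict) -> str:
    """Validate one payment item against the ledger and return an outcome label.

    Outcomes: 'settled', 'duplicate', 'unknown_txid', 'amount_mismatch'.
    Only 'settled' mutates the ledger, so a mismatch can be re-driven after review.
    """
    e2e = pix["endToEndId"]
    if e2e in ledger.seen_e2e:
        return "duplicate"
    charge = ledger.charges.get(pix.get("txid", ""))
    if charge is None:
        return "unknown_txid"
    if money(pix["valor"]) != charge.amount:
        return "amount_mismatch"
    ledger.seen_e2e.add(e2e)
    charge.e2e_id = e2e
    charge.status = CHARGE_SETTLED
    return "settled"


def demo() -> dict:
    """Constructed walk-through; returns the outcomes and the net of a refunded item."""
    ledger = Ledger(charges={"txid-constructed-1": Charge("txid-constructed-1", Decimal("10.00"))})
    ok = {"endToEndId": "E-constructed-1", "txid": "txid-constructed-1", "valor": "10.00"}
    short = {"endToEndId": "E-constructed-2", "txid": "txid-constructed-1", "valor": "9.99"}
    refunded = {"valor": "10.00", "devolucoes": [
        {"valor": "4.00", "status": REFUND_DONE},
        {"valor": "1.00", "status": "NAO_REALIZADA"},  # assumed "not completed" status
    ]}
    return {
        "first": apply_payment(ledger, ok),
        "redelivered": apply_payment(ledger, ok),
        "short": apply_payment(ledger, short),
        "net": net_amount(refunded),
        "e2e": ledger.charges["txid-constructed-1"].e2e_id,
    }
```

The outcome label is what you log and count: a steady stream of `amount_mismatch` or `unknown_txid` is a monitoring signal, and `seen_e2e` is the idempotency record that makes redelivered notifications harmless.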

5. Compliance

  • Is the token limit being respected?
  • Is the number of operations per minute within the expected range?
  • Is the number of Pix operation queries equal to the number of charges created?
