To access the API, you need to request an authentication token via the OAuth2 protocol using the client credentials. The API requires the use of an MTLS (Mutual TLS) certificate for mutual authentication, and you must also disable SSL verification.

Important: Only 10 requests per minute are accepted, otherwise null will be returned.

Step-by-Step

Obtainclient_id andclient_secret :
The required credentials (client_id and client_secret) can be obtained directly by accessing the finance.pagstar.com portal. Once logged in, you can generate or retrieve these credentials, which will be used to authenticate API requests.

Obtain the MTLS Certificate:
To obtain the MTLS certificate required for mutual authentication, the client must contact Pagstar. The Pagstar team will provide the certificate (.crt) and private key (.key) files, which must be used to ensure secure communication with the API.
Disabling SSL Verification:
Since the API uses a validated SSL certificate, you must disable SSL verification when making requests.

curl --location 'https://api.pix.pagstar.com/oauth/token' \
--header 'Content-Type: application/json' \
--data '{
    "grant_type" : "client_credentials",
    "client_id" : "xxxxxxxx",
    "client_secret" : "yyyyyyy"
}' \
--cert /path/to/your-certificate.crt \
--key /path/to/your-private-key.key \
-k

Expected Response:
If the request is successful, the response will be a JSON object containing the access_token, which should be used in subsequent requests to the API. The default values are:

access_token: The access token to be used for authenticating future requests.
expires_in: The token expires by default in 5 minutes (300 seconds).
refresh_expires_in: The refresh token expiration time is 0 by default.
token_type: The type of token, which will always be Bearer.

Requirements

MTLS Certificate: The client must contact Pagstar to receive the necessary .crt (certificate) and .key (private key) files for mutual authentication.
OAuth Credentials: client_id and client_secret can be obtained from the finance.pagstar.com portal.
Disable SSL Verification: Ensure SSL verification is disabled when making requests, as the API already has a validated SSL certificate.

Add MTLS Certificate in postman to make tests

The MTLS certificate is mandatory for every request in the Pagstar APIs.
It is important to note that we will provide specific certificates for the cash-in API (https://api.pix.pagstar.com) and specific ones for the cash-out API (https://secureapi.pagstar-prod.onz.software).
Follow the steps below to configure the certificates for each API in your Postman:
- File >>> Settings (or Ctrl+Comma)
  - Certificates >>> Add Certificate..
  - Add the base url of the api to "Host", in this case https://api.pix.pagstar.com . Place the .crt and .key files we provided in the respective fields. And click in "add"