Skip to main content
The kycert REST API gives your systems direct access to KYC/AML bureau checks for Brazilian FX compliance. Send a CPF or CNPJ, receive a structured decision — APPROVED, BLOCKED, PENDING_REVIEW, or PARTIAL — and act on it in real time via webhook. All requests go to a single base URL: 
https://admin.kycert.com.br/api/v1
You do not need to understand the underlying data sources, risk rules, or bureau logic. Your compliance officer configures those in a template; you pass the template_id and the API handles the rest. The typical end-to-end time — from POST /bureau/runs to receiving a webhook with the final decision — is 5 to 30 seconds.

What you can do with the API

Run KYC checks

Trigger a bureau run against a CPF or CNPJ using a compliance-configured template. Receive a decision and risk band on completion.

Register customers

Attach an external_id to every run to map bureau results back to your own customer records without storing sensitive data on your side.

Retrieve results

Query run status, decision, and full check-level analysis at any time via GET /bureau/runs/:id and GET /bureau/runs/:id/analysis.

Download compliance reports

Access detailed per-source results and risk analysis for audit trails, using GET /bureau/runs/:id/detail (requires detail:read scope).

Base URL

Every API endpoint is available under the same base URL regardless of environment: 
https://admin.kycert.com.br/api/v1
The environment — production or sandbox — is determined by the prefix of your API key, not by the URL. Both environments use identical endpoint paths and response formats.

Authentication

All requests require an X-API-Key header containing your kycert API key: 
X-API-Key: sk_live_...
You can also use Authorization: Bearer sk_live_... as an alternative. See Authentication for instructions on creating keys, understanding scopes, and revoking compromised keys.

API version

The current stable API version is 2026-06-03. Pin this version in your requests by including the x-kycert-api-version header to ensure breaking changes never affect your integration: 
x-kycert-api-version: 2026-06-03
Omitting the header uses the latest version, which may receive breaking changes. Pinned versions are guaranteed stable for at least 12 months after any deprecation notice. Contact support for the full version history and breaking change policy.

Environments

kycert provides two environments. Your API key prefix determines which environment each request targets — there are no separate URLs to manage.
EnvironmentBase URLKey prefix
Production (live)https://admin.kycert.com.br/api/v1sk_live_...
Sandbox (test)https://admin.kycert.com.br/api/v1sk_test_...
The sandbox uses the same endpoints, request formats, and webhook delivery as production. Runs against sandbox keys return deterministic fixture data and do not consume bureau credits. See Sandbox for test CPFs and CNPJs with known outcomes.

Quick example

The following request creates a bureau run for a CPF using a live API key: 
curl -X POST https://admin.kycert.com.br/api/v1/bureau/runs \
  -H "X-API-Key: sk_live_your_key_here" \
  -H "Content-Type: application/json" \
  -H "x-kycert-api-version: 2026-06-03" \
  -d '{
    "template_id": "550e8400-e29b-41d4-a716-446655440000",
    "subject": {
      "type": "pf",
      "doc": "12345678901",
      "name": "João Silva"
    },
    "external_id": "cust_abc123"
  }'
A successful response returns the run ID and an estimated completion time: 
{
  "run_id": "550e8400-e29b-41d4-a716-446655440000",
  "status": "queued",
  "estimated_seconds": 15,
  "livemode": true
}
When the bureau run completes, kycert delivers a signed run.completed webhook event to your configured endpoint with the final decision and risk_band.

Next steps

  • Authentication — create API keys, understand scopes, and follow key security best practices.
  • Sandbox — test your integration with deterministic fixture documents before going live.
  • Errors — understand error codes, rate limiting, and idempotency for safe retries.