Authentication
Instructions for authenticating with Delfinance APIs.
Security requirements (Production)
To consume the HTTP APIs in the production environment, your integration must meet all requirements below:
-
Account identification
- Send the account number in the header:
x-delfinance-account-id
- Send the account number in the header:
-
API key
- Send the API key in the header:
x-delbank-api-key
- Send the API key in the header:
-
mTLS (Mutual TLS)
- The connection must use mTLS, i.e., TLS with a client certificate.
- You must configure the client certificate and private key in your stack (gateway, application, SDK, source code, etc.).
Required in production from February/2026 onward.
4. IP allowlist (static egress IP)
- You must provide in advance the fixed public outbound (egress) IPs used by your services.
- These IPs will be added to our allowlist (permitted list) for production access.
- It is the client’s responsibility to ensure these IPs do not change and that all requests originate exclusively from those same IPs; requests coming from IPs outside the allowlist will be rejected.
Note: HTTP headers are case-insensitive, but we recommend using the exact header names above for consistency.
Staging environment (Sandbox)
In Sandbox, mTLS and IP allowlisting are not required.
You must still use:
x-delfinance-account-idx-delbank-api-key
For Sandbox testing, you may use one of the accounts below (with their respective API keys):
| Account ID | API Key |
|---|---|
| 31712 | PJPyJ2xGmyB9oDHyNIUwNOt1dgpgolBwcE16ybaKD5rYEc8ujLtarBP0nNw2FKdgK+5YJFciFwTdORlZsdaTzjEbKN5ut+Ag4xGy69bbtXJmzkzRDHry9ubYbMW4xFMb |
| 29823 | PJPyJ2xGmyB9oDHyNIUwNOt1dgpgolBwcE16ybaKD5q5eXIoHXNudlu+EaCcwXyLnryGdeBNfqofzLQe9f7s/iMVnsMZrbAPO/cYn6pTQEHVErYL080/hmZYV8faI89D |
| 30422 | PJPyJ2xGmyB9oDHyNIUwNOt1dgpgolBwcE16ybaKD5pqVEGTBg/p+APpf4ALsiVmjdB8Qh1tgmKPCyx1kSOz7Hd9IsepYPj6a0odInh0gT5hycP6CbnVo7+9TxvjnCtS |
info
📘 Alternatively, you can request an individual API key via support: [email protected].