Inter API Documentation

# Getting Started

Overview

This guide covers everything you need to start integrating with Inter's API: authentication, endpoints, IP whitelisting, test credentials, and operating hours.

Inter's API uses Basic HTTP Authentication over HTTPS to secure all API communications. For each request made to MTS web services, user credentials (username and password) must be passed within the SOAP header.

Security Requirements

• ✅ Protocol: HTTPS (TLS 1.2 or higher)
• ✅ Method: Basic HTTP Authentication via SOAP Headers
• ✅ Encoding: Base64 (handled automatically)
• ✅ Credentials: Username and Password provided by Inter
• ✅ IP Whitelisting: Required for both UAT and Production

🔒 IP Whitelisting

Requirements:

• You must provide your IP range for configuration on our test and production servers
• Requests from non-whitelisted IPs will be rejected
• Contact support to whitelist your IPs before starting integration

To whitelist your IPs:

1. Identify your static IP addresses or IP ranges
2. Send the IP information to remittance@inter.co
3. Wait for confirmation that your IPs have been whitelisted
4. Test connectivity from your whitelisted IPs

🧪 Getting Test Credentials

To receive test credentials:

1. Send an email to remittance@inter.co
2. Provide your company name and contact email address
3. Specify if you need credentials for PIX, TED, or USA transactions
4. We will create the test user and send credentials to your email

Test Environment:

• UAT Endpoint: https://test.masspayments.inter.co/partner/api/mts.asmx
• Test Examples: Available in the documentation for PIX, TED, and USA transactions
• Support: Monday-Friday, 8:00-20:00 (Brazil time, UTC-3)

SOAP Header Format

All requests must include the authentication header in the SOAP envelope:

<soap:Header>
  <AuthHeader xmlns="http://mts.geobridge.org/">
    <UserName>your_username</UserName>
    <Password>your_password</Password>
  </AuthHeader>
</soap:Header>

API Endpoints

UAT Operating Hours (Brazil Time)

• Availability: Monday–Friday, 08:00–20:00 (Brazil, UTC−3)
• Weekends: Not available on Saturdays and Sundays
• Holidays: May be unavailable on Brazilian holidays

Authentication Request Fields

SOAP Header (AuthHeader)

Common Body Identification Fields

Most service methods require the following identification fields in the SOAP Body in addition to the AuthHeader:

Credential Management

Obtaining Credentials

• Contact Inter: Reach out to your Inter account manager
• Partner Onboarding: Complete the partner registration process
• Receive Credentials: You'll receive:
  • Username (PartnerID or custom username)
  • Password (secure, randomly generated)
  • WSDL URL (specific to your environment)

Credential Storage Best Practices

• Never hardcode credentials in source code
• Use environment variables or secure configuration files
• Encrypt credentials at rest
• Rotate passwords periodically (recommended: every 90 days)
• Limit access to credentials (need-to-know basis)
• Use secrets management tools (e.g., AWS Secrets Manager, Azure Key Vault)

Authentication Errors

Error Response Example

<soap:Fault>
  <faultcode>soap:Client</faultcode>
  <faultstring>Authentication failed: Invalid username or password</faultstring>
</soap:Fault>

Implementation Examples

Python Example

from zeep import Client
from zeep.wsse.username import UsernameToken
import os

# Load credentials from environment
username = os.getenv('INTER_USERNAME')
password = os.getenv('INTER_PASSWORD')

wsdl_url = 'https://test.masspayments.inter.co/partner/api/mts.asmx?wsdl'

# Create client with authentication
client = Client(wsdl_url, wsse=UsernameToken(username, password))

# Make authenticated request
try:
    result = client.service.GetActiveCountries(PartnerID=12345)
    print('Active Countries:', result)
except Exception as e:
    print('Authentication Error:', str(e))

C# (.NET) Example

using System;
using System.ServiceModel;

// Auto-generated service reference
var client = new MTSServiceClient();

// Set credentials
client.ClientCredentials.UserName.UserName = 
    Environment.GetEnvironmentVariable("INTER_USERNAME");
client.ClientCredentials.UserName.Password = 
    Environment.GetEnvironmentVariable("INTER_PASSWORD");

try 
{
    var result = await client.GetActiveCountriesAsync(12345);
    Console.WriteLine($"Active Countries: {result.Length}");
} 
catch (FaultException ex) 
{
    Console.WriteLine($"Authentication Error: {ex.Message}");
}

Security Checklist

Before going to production, ensure:

• ✅ Credentials are stored securely (not in source code)
• ✅ HTTPS is enforced (no HTTP fallback)
• ✅ TLS 1.2 or higher is configured
• ✅ Credentials are rotated regularly
• ✅ Failed authentication attempts are logged
• ✅ Rate limiting is implemented (to prevent brute force)
• ✅ IP whitelisting is configured (if required by Inter)
• ✅ Credentials are different between sandbox and production

Rate Limiting

Inter implements rate limiting to protect the API:

• Maximum requests: 100 requests per minute per partner
• Burst limit: 10 requests per second
• Exceeded limit response: HTTP 429 (Too Many Requests)

Handling Rate Limits

async function makeAuthenticatedRequest(retries = 3) {
    try {
        const result = await client.GetActiveCountries({ PartnerID: 12345 });
        return result;
    } catch (error) {
        if (error.statusCode === 429 && retries > 0) {
            // Wait and retry
            const waitTime = parseInt(error.headers['retry-after']) || 60;
            console.log(`Rate limited. Waiting ${waitTime} seconds...`);
            await new Promise(resolve => setTimeout(resolve, waitTime * 1000));
            return makeAuthenticatedRequest(retries - 1);
        }
        throw error;
    }
}

Support

• Email: remittance@inter.co
• Email: marcos.lanzoni@inter.co

Last Updated: November 5, 2025 Version: 2.0