Developers

API-first infrastructure for Brazilian fintechs.

Build with Swepay APIs. mTLS certificates today, identity and passwordless on the way. REST, JSON, JWT, sa-east-1. No SDK lock-in, no proprietary protocols, no enterprise floor.

Start with the quickstartTry CA Manager on AWS Marketplace

Quickstart

From subscription to first certificate in five minutes.

Subscribe to CA Manager on AWS Marketplace, receive your tenant credentials, initialize your CA, and issue the first certificate, all via REST.

What you need

  • An AWS account with billing enabled
  • Subscription to CA Manager on AWS Marketplace (5-minute setup)
  • JWT bearer token (delivered after subscription)
  • A REST client, curl, Postman, HTTPie, or any HTTP library

  1. 1. Subscribe via AWS Marketplace

    Pick the tier that fits your volume. You can change tiers later without losing data.

    After subscription, you receive your tenantId and a JWT bearer token via the Marketplace welcome email. The JWT is what authenticates all API calls.

  2. 2. Initialize your CA

    One-time setup. Generates your tenant's root Certificate Authority. Root key stays in managed cryptographic custody within Swepay infrastructure, not extractable, not accessible to operators in normal operations.

    bash
    curl -X POST https://ca.swepay.com.br/v1/ca/initialize \
  -H "Authorization: Bearer ${SWEPAY_JWT}" \
  -H "Content-Type: application/json" \
  -d '{
    "commonName": "Your Fintech Root CA",
    "organization": "Your Fintech S.A.",
    "country": "BR",
    "validityYears": 10
  }'

  3. 3. Issue your first certificate

    Identity attributes go in, certificate plus private key come out, in four delivery formats on the same response.

    bash
    curl -X POST https://ca.swepay.com.br/v1/certificates \
  -H "Authorization: Bearer ${SWEPAY_JWT}" \
  -H "Content-Type: application/json" \
  -d '{
    "clientId": "partner_001",
    "commonName": "partner.example.com",
    "organization": "Partner Inc",
    "country": "BR",
    "validityDays": 365,
    "responseFormat": "Text",
    "passwordProtected": true
  }'

  4. 4. Hand the certificate to your partner

    Pick the delivery format that fits your partner's runtime. PEM for most Unix/Linux stacks. PFX (PKCS#12) with the generated password for Windows/.NET, Java keystores, or mobile.

From here, the full lifecycle, query status, renew, revoke, list, monitor expiring, is just more API calls. The full reference is below.

Architecture

Two API surfaces, separated by purpose.

CA Manager exposes two distinct API surfaces. Each has its own domain, its own auth model, its own caching strategy. This separation matters when you're operating PKI at production scale.

Administrative API

Domain
ca.swepay.com.br
Auth
JWT bearer (per-tenant)
Caching
No edge caching, direct origin
Use
Lifecycle operations: initialize CA, issue, renew, revoke, query, list, monitor expiring.
Audience
Your fintech's backend services. Authenticated, rate-limited, audit-logged.

PKI Infrastructure (CDN)

Domain
ca-cdn.swepay.com.br
Auth
Public, no authentication
Caching
Aggressive edge caching
Use
CRL distribution, OCSP responses, CA certificate retrieval.
Audience
Your partners' mTLS clients during TLS handshake. Public by design, these are the artifacts that prove certificate validity to the world.

Downtime of the administrative API does not break revocation validation on partner side. Your partners' mTLS clients continue to validate against the CDN even if the issuance API is undergoing maintenance. This is how PKI infrastructure is supposed to be built.

API reference

Administrative API endpoints.

Base URL: https://ca.swepay.com.br. All requests authenticated with Authorization: Bearer <JWT>. Content type: application/json. Errors follow RFC 7807 Problem Details format.

POST/v1/ca/initializeInitialize tenant's root Certificate Authority

One-time per tenant. Returns CA certificate PEM and CA UUID.

POST/v1/certificatesIssue a new client certificate

Server generates key pair. Returns certificate + private key in four formats (PEM inline, PEM URL, PFX base64, PFX URL).

GET/v1/certificatesList all certificates for authenticated tenant

Returns array of CertificateSummary. Use for inventory views.

GET/v1/certificates/{certificateId}Get full certificate details

Returns CertificateDetail with PEM, serial, expiration countdown, revocation info if applicable.

POST/v1/certificates/{certificateId}/renewRenew an existing certificate

Issues new certificate with same attributes, new validity. Original remains valid until natural expiration.

POST/v1/certificates/{certificateId}/revokeRevoke a certificate

Uses RFC 5280 reason codes (KeyCompromise, Superseded, CessationOfOperation, etc). CRL updated within minutes.

GET/v1/certificates/expiringList certificates expiring within a window

Use for proactive renewal automation. Returns array with daysUntilExpiry per certificate.

POST/v2/certificatesIssue certificate with custom X.509 extensions

Like POST /v1/certificates, but accepts customExtensions object, up to 10 key-value pairs embedded as OID extensions.

POST/v2/certificates/{certificateId}/renewRenew certificate preserving custom extensions

Same as /v1 renew, but propagates custom extensions from original.

Full OpenAPI spec at ca.swepay.com.br/docs/openapi.json, load it into Postman, Insomnia, Bruno, or any OpenAPI-compatible tool.

PKI infrastructure

Revocation and trust artifacts on the CDN.

Base URL: https://ca-cdn.swepay.com.br. Public, no authentication. Aggressive edge caching with HTTP Last-Modified and ETag headers. Use these endpoints from your partners' mTLS clients, not from your administrative backend.

GET/v1/tenants/{tenantId}/crlCertificate Revocation List (DER format)

DER-encoded CRL. Updated automatically when certificates are revoked. Cacheable per HTTP semantics.

HEAD/v1/tenants/{tenantId}/crlCRL freshness check

Returns Last-Modified and ETag without body. Use to check if CRL changed before redownloading.

POST/v1/tenants/{tenantId}/ocspOCSP responder (RFC 6960 standard)

Receives DER-encoded OCSP request, returns DER-encoded OCSP response. What openssl ocsp -url ... does by default.

GET/v1/tenants/{tenantId}/ocsp/{base64UrlRequest}OCSP-over-GET (RFC 6960 §A.1)

OCSP request encoded as base64url in path. Enables HTTP cacheability of OCSP responses.

GET/v1/tenants/{tenantId}/ca.pemTenant CA certificate (PEM)

Public CA cert. Use as truststore root on your partners' clients.

HEAD/v1/tenants/{tenantId}/ca.pemCA certificate freshness check

Useful before CA rotation events. Returns headers without body.

Validate a certificate via OCSP from the partner side

Most TLS libraries do this automatically when configured. Manual validation example:

bash
# Step 1: Fetch the CA cert
curl https://ca-cdn.swepay.com.br/v1/tenants/${TENANT_ID}/ca.pem > ca.pem

# Step 2: Validate a partner certificate via OCSP
openssl ocsp \
  -issuer ca.pem \
  -cert partner-cert.pem \
  -url https://ca-cdn.swepay.com.br/v1/tenants/${TENANT_ID}/ocsp \
  -resp_text

Authentication

JWT bearer, per tenant.

The administrative API uses JWT bearer tokens issued by Swepay's identity provider. After subscribing on AWS Marketplace, you receive your tenant credentials and JWT via the welcome email. PKI infrastructure endpoints (CDN) require no authentication.

Token format

Standard RFC 7519 JWT, signed by Swepay's identity provider. Token contains your tenantId claim and scope information. Pass it as Authorization: Bearer <jwt> on every administrative API call.

Token rotation

Tokens have a finite validity. Rotation procedure and refresh endpoint are documented in the welcome material delivered post-subscription. Plan rotation into your automation.

Errors

Missing or invalid JWT returns 401 Unauthorized with RFC 7807 Problem Details body. Expired JWT returns 401 with expired_token error code, your client should refresh and retry.

Error model

RFC 7807 Problem Details, end to end.

Errors are returned as application/problem+json per RFC 7807. HTTP status code reflects the class of error; the body has machine-readable details.

400 Bad Request
Validation failed (missing fields, invalid format, business rule violation).
401 Unauthorized
JWT missing, invalid, or expired.
404 Not Found
Resource (certificate, CA) not found in your tenant.
409 Conflict
Operation conflicts with current state (e.g., initializing a CA that's already initialized, revoking an already-revoked certificate).
500 Internal Server Error
Unexpected server-side failure. Includes a correlation ID for support.

Example error response

http
HTTP/1.1 400 Bad Request
Content-Type: application/problem+json

{
  "type": "https://ca.swepay.com.br/errors/validation",
  "title": "Validation failed",
  "status": 400,
  "detail": "ValidityDays must be greater than 0",
  "errors": [
    { "field": "validityDays", "message": "Must be greater than 0" }
  ]
}

Under the hood

What's running behind the API.

If you're going to integrate with us, you'll want to know what's powering the responses you get back.

Stable, versioned API surface

Every endpoint carries an explicit version path (/v1/, /v2/). Breaking changes ship on a new version with a deprecation window, your existing integration keeps working. The OpenAPI spec is the contract.

Managed serverless compute

The administrative API runs on managed serverless compute. Auto-scaling, regional failover, zero infrastructure for you to manage on our side.

sa-east-1 by default

All Swepay services run in São Paulo. Your data stays in Brazil unless you explicitly choose otherwise (there is no 'otherwise' today).

Managed key custody for root keys

Your tenant's CA root key is generated inside a managed cryptographic key store and not extracted in normal operations. Signing operations happen via managed cryptographic operations. The key is not accessible to Swepay operators in normal operations, not exportable, and not visible in logs.

Dedicated CDN for PKI artifacts

CRL, OCSP responses, and CA certs are served from ca-cdn.swepay.com.br, a separate CDN distribution from the administrative API. Aggressive edge caching with proper HTTP cache headers. Partners' mTLS handshakes are not coupled to the administrative API's availability.

Audit log, immutable

Every API call is logged with timestamp, tenant, principal, action, and result. Logs are retained per your subscription tier (30 days to 1 year). When an auditor asks, you have evidence.

Build with Swepay.

Subscribe and integrate

Subscribe to CA Manager on AWS Marketplace. JWT credentials in your inbox in 5 minutes. Plans start at $199/month.

Subscribe on AWS Marketplace

Request a demo first

Want to see the API in action before subscribing? Request a 30-minute guided demonstration.

Request a demo

Read the full spec

OpenAPI 3.1.0 spec is public. Load it in your favorite tool, Postman, Insomnia, Bruno, Scalar.

Open the OpenAPI spec

Talk to engineering

Questions about volume contracts, custom extensions, or integration scenarios that don't fit the standard quickstart?

Email engineering