1. Use idempotent transaction IDs
Always send a unique and immutable
transactionId created by your system.
Treat it as your idempotency key:
- If you retry a request due to timeout, reuse the same ID.
- If the first attempt succeeded, the Pix Plugin will return the same result.
- If the first attempt failed before processing, the retry will create the transaction exactly once.
- Duplicate ledger postings
- Double debits
- Manual operational fixes
- Reconciliation inconsistencies
2. Rely on webhooks for final transaction status
A
200 OK from the API does not guarantee the Pix was completed.
It only means the request entered the orchestration flow.
The authoritative status is the webhook:
- Displays final status to the user only after webhook confirmation
- Persist webhook status in your system
- Handle both success and failure notifications
3. Validate webhook authenticity
Every webhook includes an HMAC signature (e.g.,
X-Signature).
Best practices:
- Store the secret in a vault
- Recompute the HMAC using the raw request body
- Compare with the header
- Reject and log mismatches
- Fake callbacks
- Tampered payloads
- Unauthorized requests hitting your endpoint
4. Design for failure and retries
Pix is instant; the network around it is not. Expect failures in:
- PSTI / direct provider connectivity
- Telecom / SMS delivery (for key confirmation)
- Network timeouts
- Internal ledger validations
- Limit and anti-fraud checks (regulated)
- Implement clear retry policies (exponential backoff, controlled loops)
- Never retry blindly
- Surface actionable messages to the user
- Log all failures with correlation IDs
- Treat “pending” as a normal intermediary state
5. Monitor pending transactions & background jobs
A Pix can enter PENDING while waiting for:
- Provider processing
- SPI acknowledgment
- Webhook delivery
- Retry cycles
- Retry callbacks
- Reconcile intermediate states
- Detect stuck operations
- Monitor pending transactions regularly
- Configure alerts for excessive retry attempts
- Integrate logs, metrics, and traces for observability
6. Keep Pix keys and customer data synchronized
Because keys are tied to identity:
- If a user changes phone/email → update or remove associated Pix keys
- Keep CRM records aligned with DICT data
- Remove outdated keys to avoid misrouting
- For institutions using DICT: Ensure portability and ownership claims follow BACEN rules
- Payments to wrong recipients
- MED cases due to incorrect keys
- Support friction
7. Respect SLA expectations and time windows
Pix settlement occurs in up to 10 seconds, but legal SLAs matter too. Design your UX to respect:
- Maximum SPI tolerances
- Nighttime limit adjustments (20:00–06:00)
- Customer-driven limit reduction delays (immediate)
- Customer-driven limit increases (may require authentication or waiting period)
- “Processing…” while awaiting confirmation
- “Try again” guidance for limit breaches
8. Implement reconciliation and accounting validation
Reconciliation closes the loop between:
- Your system
- The Pix Plugin
- SPI settlement
- Ledger postings (Midaz)
- Confirm every settled Pix using your webhook log
- Match every Pix ID with a ledger posting
- Compare daily summaries with provider/SPB outputs
- Flag any mismatch for manual review
9. Test end-to-end with realistic flows
Before going live, simulate:
- Cash-in and cash-out
- High-value limits
- Invalid keys
- Expired QR Codes
- Refunds (inbound + outbound)
- MED-related refund triggers
- Webhook downtime
- API timeout and retry patterns
- Correct ledger postings
- Correct Pix status transitions
- Proper webhook handling
- Proper limit enforcement
- Proper accounting behavior
10. Prepare your support and operations teams
Support teams should understand:
- Pix timeframes (including night limit rules)
- Difference between “initiated”, “pending”, “completed”, “refunded”, “failed”
- How to read E2E IDs
- How to track DICT issues
- When MED applies vs normal refunds