Regulated by the Brazilian Central Bank, Payment Institution

Your Pix infrastructure,
built on our license.

Regulated access to Brazil's Pix and Open Finance networks without needing your own license, and no middleware between your stack and the Central Bank. A regulated proxy, the thin layer companies use to scale.

Get in touch Scale report

Infrastructure

Your infrastructure. Our license.
One thin layer between you and the regulated ecosystem.

Today every regulated path into Pix and Open Finance runs through a heavy middleware stack, abstractions, your operational data flowing into the provider, outsourced support. Cumbuca collapses that stack into a single thin slice: a transparent regulated proxy that talks straight to the ecosystem.

Your infrastructure
Ownership · Control
OFaaS
Proprietary APIs · abstraction layer
Cumbuca Proxy
mTLS · JWS · audit
Data extraction
Your ops data flowing to the vendor
Outsourced support
Tickets · queues · partner SLA
Regulated ecosystem
Pix · Open Finance · Central Bank

What this means

Direct access. Zero lock-in. Full ownership.

Cumbuca sits between your infrastructure and the regulated ecosystem, forwarding signed requests (mTLS · JWS) in both directions without abstracting, storing, or touching your data beyond what the regulation requires.

Your infrastructure
Ownership · Control
Cumbuca Proxy
mTLS · JWS signing · Audit trail
Regulated ecosystem
Open Finance · Pix · Central Bank
01

Direct access

1:1 mapping to the official Open Finance APIs, every endpoint, every parameter. It's not a wrapper. It's a transparent proxy.

02

Zero lock-in

When you get your own license, it's a certificate swap. Your infrastructure stays. Not one line of code changes.

03

Full ownership

You own your infrastructure, your data flows, and your integration logic. We only supply the regulatory bridge.

Cumbuca

Regulated access to Open Finance. No license. No middleware.

A Payment Institution regulated by the Brazilian Central Bank, backed by Y Combinator (S21) and Lightspeed. Three product surfaces, one proxy, no translation layer in between.

01 / Payments

Payment Initiation

Initiate Pix through Open Finance with direct access to the regulated ecosystem. Billing, sweeping, Recurring Pix, every modality, same contract.

  • POST /pix/payments
  • POST /recurring-payments
  • GET /consents
02 / Data

Open Finance Data

1:1 access to accounts, cards, credit, investments and FX data via user consent. Mapped one-to-one to the official endpoints, no translation layer.

  • GET /accounts
  • GET /credit-cards-accounts
  • GET /investments
03 / SCR

SCR access

Queries against Brazil's Credit Information System through Open Finance, under the holder's consent. Delivered inside the same flow your application already uses for data and payments.

  • POST /scr/query
  • GET /scr/report
  • GET /scr/history

How it works

Same payload. Same response. Only the URL changes.

The proxy is layer 7. You sign with your keys, send to the Cumbuca endpoint, and we re-sign with the regulatory certificates. Call semantics stay identical to the official API.

POST https://api.bank.com.br/open-banking/payments/v4/pix/payments Only this changes
Identical request. Only the host changes.
Request · Headers 7 fields · 1:1 
Authorization: Bearer <user-access-token>
Content-Type: application/jwt
x-idempotency-key: a2b0b3d5-9b3e-43f2-a4b7-ec02b4d6c2b2
x-fapi-interaction-id: 93bac548-d2de-4546-b106-880a5018460d
x-fapi-auth-date: 2026-04-17T14:30:00Z
x-fapi-customer-ip-address: 203.0.113.42
x-customer-user-agent: Apple iPhone 17
Request · Body JWS · PS256 · BRSEAL signing 
{
  "iss": "0fdc39da-a699-4f85-90cc-936c7b872791",
  "aud": "https://api.bank.com.br/open-banking/payments/v4/pix/payments",
  "iat": 1745070600,
  "jti": "a2b0b3d5-9b3e-43f2-a4b7-ec02b4d6c2b2",
  "data": {
    "consentId": "urn:bank:f19f84fc-7c07-4b37-ae56-d87027be5cf4",
    "payment": {
      "type": "PIX",
      "amount": { "currency": "BRL", "amount": "150.00" },
      "creditorAccount": { "ispb": "12345678", "number": "87654321" },
      "pix": { "key": "merchant@example.com" }
    }
  }
}
Response · 201 Created -
mTLS handshake -
JWS signature verify -
Central Bank dispatch -
Total Cumbuca overhead -

Traction

3.1 million active consents in six months.

We closed October with a few hundred consents. Today we're at 3.1 M, adding more than 200 thousand a week. The fastest growth curve of any PISP in Open Finance Brasil.

  • 3.1 M Active consents · May 2026
  • +207 k New consents · last week
  • #1 Largest projected PISP in Open Finance by Dec 2026
Active consents, weekly basis (millions) Nov 25 → May 26
Nov 25Dec 25Jan 26Feb 26Mar 26Apr 26

Source: Open Finance Brasil, Citizen Dashboard

Performance

Built for real load.

Running on Erlang/OTP, the same stack behind the world's telecom networks. No single point of failure, self-healing processes, horizontal scale by adding nodes. The proxy operates inside the same operational envelope clients face in production.

0ms
P50 latency added by the proxy
mTLS + JWS verification + dispatch to the regulated ecosystem. Measured under normal production load.
99.99%
Availability SLA
Multi-AZ deployment with automatic failover, near real-time replication, zero-downtime hot upgrades. RTO <4h · RPO <15min.
0k req/s
Sustained throughput under load
Roughly 1.9× the business-hour average of the entire Open Finance Brasil ecosystem, with error rate <0.001%.
Latency added by the proxy
P50
10 ms
P90
17 ms
P99
33 ms

These numbers are the latency our proxy adds on top of the bank's response. End-to-end latency depends on the upstream server, which we don't control.

Erlang/OTP foundation

The same stack that runs telecom switching. Self-healing processes, horizontal scale by adding nodes, no internal single point of failure.

Enterprise-grade infrastructure

Multi-AZ deployment with automatic failover. Near real-time cross-zone replication. Zero-downtime hot upgrades. Full observability coverage, metrics, traces, signed audit logs.

Request the full technical report Load Testing Report, Apr 2026 · v1.0

Flexibility

Your infrastructure, your way.

We're infrastructure-agnostic. The value is regulated access to the ecosystem, not the infrastructure that runs on top. Pick the path that fits your team and your timeline.

A

Build from scratch

Best for: strong engineering teams that want full control.

Build your own infrastructure directly against the official Open Finance APIs. Cumbuca acts as a layer-7 proxy that signs requests with our certificates. You own everything else.

  • Forward-deployed engineers from our team embed with yours during the build
  • Maximum control and customization over every flow, every header, every claim, every retry
  • Zero lock-in: when you get your own license, it's a certificate swap
Your codenode / go / ruby / rust
Your infrastructureAWS · GCP · bare-metal
Cumbuca ProxyL7 · mTLS · JWS
Central BankPix · OF · SCR
Integration: 2–4 months · Proxy SLA: 99.99%
B

Use pre-built infrastructure

Best for: teams that want speed and can evolve to custom later.

Use tested, homologated partner infrastructure running on-premise / BYOC or as managed SaaS, your call. When you want to migrate to your own code, the proxy stays the same.

  • Fully modular, swap modules for your own code as the team grows
  • Two deployment modes: BYOC (your cloud or dedicated environment) or managed SaaS
  • Accelerated time to market, live in weeks, not months
  • Progressive migration to custom as the operation scales
Your productUI / orchestration
Partner infraBYOC · SaaS
Cumbuca ProxyL7 · mTLS · JWS
Central BankPix · OF · SCR
Integration: 4–8 weeks · Same proxy, same SLA

On either path, when you get your own license, the transition is a certificate swap. Zero architecture change.

Value proposition

What this means for your operation.

01

Costs that don't scale prohibitively

Process payments directly in the regulated ecosystem. No intermediary markup per transaction. Direct access means direct economics.

02

In production in weeks, not years

Getting your own Payment Institution license takes 24–36 months. With pre-built infrastructure you go live in weeks; building from scratch, in months. Both paths skip the line.

03

Full data ownership

Your cryptographic keys, your flows, your data. Contractual guarantee of no commercial access. Cumbuca doesn't sell, analyze, or share your data.

04

Raw data for your own engines

1:1 access to Open Finance, with full transactional data and credit operations. Feed your own underwriting, enrichment, and analytics models directly.

05

A platform that ages well

Every new ecosystem capability ships on the same proxy: Recurring Pix, Contactless Pix, Smart Pix, account data, investments, cards.

06

Exit path already defined

When you get your own license, the transition is a certificate swap. Zero infrastructure change. Zero code rewrite.

In the press

Coverage that keeps up with the growth.

Also featured in Benzinga, Hogan Lovells, Finovate, Finsiders, Startups.com.br and 20+ more outlets.

Let's build together

Tell us about your use case.

We get back to you within one business day, with an engineer in the loop from email one. No SDR. No sales filter.

Get in touch See the scale report
Avg. response time
0h
Median integration
0 wks
Engineers in the loop
from
email one