Choose our packages according to your needs

A validation API allows companies to automatically verify if CPFs and CNPJs are valid, officially exist, and are active with the Brazilian Federal Revenue. This prevents fraud, ensures regulatory compliance, and automates KYC (Know Your Customer) processes. Use cases include: customer validation in e-commerce during checkout, digital account opening in fintechs, driver onboarding in mobility apps, remote employee hiring for international companies, and invoice issuance for cross-border payments. The API returns not only whether the document is valid, but also official data such as full name, company name, address, and registration status, enabling cross-validation and inconsistency detection essential for operating legally in Brazil.

Checksum validation is a mathematical calculation (mod-11 algorithm) that verifies if the last two digits of CPF/CNPJ are mathematically correct. This validation is instant and can be done offline, but only confirms the format is valid - it doesn't guarantee the document exists or is active. Federal Revenue query goes beyond: it accesses the Brazilian government's official database to confirm the document was actually issued, is active (not cancelled or suspended), and returns complete data about the holder. Our API combines both approaches: first validates checksums locally (if invalid, rejects immediately at no cost), then queries Federal Revenue only for documents with valid format, optimizing both performance and cost-efficiency while ensuring comprehensive validation.

Authentication uses a token-based system generated in your control panel after registration. Each HTTP GET request includes your unique token directly in the URL: api.cpfcnpj.com.br/{your_token}/{package_id}/{cpf_or_cnpj}. The token automatically identifies your account and controls credit consumption in real-time. You can generate multiple tokens for different applications or environments (production, staging, development) and revoke them instantly via dashboard if security is compromised. We don't use header-based authentication to simplify integration, allowing testing via browser or curl without complex configurations. No OAuth or complicated handshakes required - just include your token in the URL.

Average response time is 0.4 to 2 seconds for both CPF and CNPJ queries. Variation depends on load at Federal Revenue servers, which can fluctuate especially during peak business hours (2pm-5pm Brasília time). We recommend setting a 60-second timeout in your HTTP requests to accommodate occasional slowdowns in government systems. Important: data is always real-time D+0 (updated same day). We never use cache or intermediate databases to "artificially speed up" responses, ensuring you always receive the most current information available from the Federal Revenue. Integrity over speed.

For CPF, the API returns: (1) Full name of holder as per official registration, (2) Date of birth, (3) Mother's full name (important field for additional anti-fraud verification), (4) Registration status (active, suspended, cancelled, null, pending regularization), (5) Federal Revenue registration date. For CNPJ, returns: (1) Legal business name (razão social), (2) Trade name if different from legal name (nome fantasia), (3) Primary economic activity code (CNAE), (4) Complete registered address (street, number, complement, neighborhood, city, state, ZIP code), (5) Registration status, (6) Opening date, (7) Share capital, (8) Secondary economic activities, (9) Legal nature (sole proprietorship, LLC, corporation, etc). All data comes directly from Federal Revenue without modifications or enrichment. Raw, official data only.

Simplified 4-step process: (1) Register in 30 seconds without credit card requirement for trial, (2) Copy your token that appears immediately in dashboard after login, (3) Make GET request to api.cpfcnpj.com.br/{token}/{package}/{cpf_or_cnpj} (can test directly in browser), (4) Receive JSON with complete data. Our technical documentation (/dev/) has ready-to-use copy-paste examples in PHP, Python, Node.js, Java, Ruby, Go, and cURL. Technical support answers questions in under 4 hours during business hours (UTC-3) via email or live chat in English.

Yes, we maintain rigorous compliance with LGPD (Brazilian General Data Protection Law, articles 7, 11, and 46) and GDPR (General Data Protection Regulation), validated by our ISO/IEC 27001:2022 (Information Security Management), ISO/IEC 27701:2025 (Privacy Information Management), and ISO/IEC 37301:2021 (Compliance Management System) certifications. All data transmitted via HTTPS with TLS 1.3, we implement end-to-end encryption (E2EE), don't store personal data queried (only technical request logs without PIIs), maintain dedicated Data Protection Officer (DPO) at [email protected], operate with customized DPA (Data Processing Agreement) including EU Standard Contractual Clauses for international clients, and conduct annual independent audits. We provide complete compliance documentation for corporate due diligence, quarterly conformity reports, and verifiable ISO certificates for regulated clients.

Yes, we hold three internationally recognized ISO/IEC certifications, all audited annually by independent accredited bodies: (1) ISO/IEC 27001:2022 - Information Security Management System (Certificate Q7LUQTCU20251113BRAIS1Z1): comprehensive controls including multi-factor authentication, RBAC (role-based access control), AES-256 encryption for data at rest, E2EE for data in transit, certified data centers with 24/7 monitoring, dedicated SOC (Security Operations Center), incident response plans, and business continuity procedures. (2) ISO/IEC 27701:2025 - Privacy Information Management (Certificate Q7LUQTCU20251113BRAPI15R): full alignment with LGPD/GDPR, Privacy by Design and by Default in all systems, documented procedures for data subject rights (access, rectification, erasure, portability), DPIAs (Data Protection Impact Assessments) for new processing activities, complete records of processing activities per LGPD Art. 37. (3) ISO/IEC 37301:2021 - Compliance Management System (Certificate Q7LUQTCC20251113BRACM1X7): organizational compliance culture, appointed DPO, register of all applicable legal obligations, continuous team training, regular audits, and confidential whistleblowing mechanisms. All certifications undergo annual surveillance audits ensuring continuous compliance with evolving standards.

No. For GDPR/LGPD compliance, we don't store personal data returned by queries. We maintain only technical request logs (timestamp, token used, query type, HTTP status code) without including PIIs (Personally Identifiable Information). These logs are necessary for debugging, technical support, and billing, but don't contain queried CPF/CNPJ nor personal data returned. Logs are retained for 90 days then automatically deleted. Enterprise clients can request copies of their own logs for internal auditing. We never share, sell, or use query data for secondary purposes. Your customers' data stays private.

Recommended anti-fraud strategies: (1) Cross-validate name returned by API with name on ID document submitted (passport/driver's license) - divergences indicate possible fraud, (2) Compare name on credit card with CPF name during checkout, (3) Use date of birth as second validation factor when available, (4) Verify mother's name consistency if your system collects this information, (5) Implement velocity checks detecting same CPF used multiple times in short period, (6) Monitor suspicious patterns like sequential CPFs, same IP making multiple attempts, or high volume of cancelled/suspended CPFs. Combining cadastral validation via API with sector-specific business rules, clients report 60-80% fraud reduction in the first quarter of implementation.

SERPRO is the official Brazilian government company providing Federal Revenue data with maximum institutional authority, but has slow bureaucratic processes (contracting can take weeks), premium enterprise pricing (BRL 0.40+ per query converted to ~$0.08 USD), and complex integration with extensive technical documentation. CPF.CNPJ offers the same official Federal Revenue data with practical advantages: (1) Simplified integration in 5 minutes without bureaucracy, (2) Developer-focused documentation with practical examples in English, (3) Typically faster response times, (4) Competitive pricing, (5) Free trial without credit card, (6) Agile technical support in English and Portuguese responding in minutes with 24-hour emergency support. Better for international companies.

Leaked databases (often sold illegally on dark web) have critical problems: (1) Partial coverage of only 70-85% of existing documents with random gaps, (2) Outdated data from months or years ago - doesn't reflect cadastral changes (address updates, cancellations, regularizations), (3) Illegality - usage violates GDPR/LGPD exposing your company to fines up to 4% of annual revenue (GDPR) or 2% (LGPD), (4) Reputational risk and impossibility to prove compliance in regulatory audits. Screen-scraping the Federal Revenue website is also problematic: (1) Breaks frequently when website changes layout, (2) Requires captcha solving for each request, (3) Violates terms of service, (4) IP can be permanently blocked. Our API provides legal, reliable, and auditable access to the same official source.

We offer flexible plans with competitive pricing based on query volume. Our packages include different quantities of queries with decreasing prices according to the contracted volume. Queries never expire and are valid indefinitely. When upgrading, remaining balance is credited proportionally. We accept credit cards, bank slip (boleto), and PIX payments. For enterprise volumes and custom pricing with dedicated SLA, contact us through the pricing page or speak with our commercial team.

Yes, every new registration receives free queries to test the API in real environment without functionality limitations and without commitment. We don't ask for credit card during trial - just email and password to create account. After consuming free queries, you can purchase paid plans. No long-term contracts: cancel anytime, instant upgrade or downgrade between plans, and credits never expire. Simple, transparent, and developer-friendly pricing.

No, international companies can contract as individuals or businesses. We accept international payment methods: Visa, Mastercard, Amex, PayPal, wire transfer, and cryptocurrency for large volume contracts. Invoices issued in English with international tax compliance documentation. For enterprise customers, we offer annual contracts with fixed pricing in your preferred currency (USD, EUR, GBP) protecting against BRL currency fluctuation. Perfect for payment processors, multinational HR platforms, and international companies operating in Brazil. No Brazilian legal entity required.