Skip to content
API Reference/Webhooks

Dinie API (2026-03-01)

Embedded credit API for Dinie partners. Enables customer registration, credit offer management, loan origination, and event delivery via webhooks.

Download OpenAPI description
openapi.json
openapi.yaml
Overview
URL
https://dinie.nexaedge.dev
Dinie API Support
api@dinie.com.br
License
Proprietary
Languages
Servers
Mock server
https://dinie.nexaedge.dev/_mock/apis/openapi
Production
https://api.dinie.com.br/v3
Sandbox
https://sandbox.api.dinie.com.br/v3

Authentication

OAuth2 Client Credentials authentication and API key management.

Each client_id / client_secret pair represents an access credential. Exchange the credentials for a JWT token via POST /auth/token and send the token as Bearer in all requests. The token expires in 1 hour.

You can create multiple credentials for different environments and revoke them individually.

Operations

Customers

The Customer resource (cust_) represents a credit borrower on the platform. The lifecycle follows: registration → KYC document submission → review → activation.

Two processes happen in parallel:

  • Credit analysis — starts automatically upon registration
  • KYC verification — the customer completes at their own pace
Operations
Webhooks

Credit Offers

The CreditOffer resource (co_) represents a pre-approved credit offer for a customer. Offers are automatically generated by Dinie when a Customer reaches the active status. You are notified via the credit_offer.available webhook.

Operations
Webhooks

Loans

The Loan resource (ln_) represents a loan originated from a CreditOffer and its Simulation. After creation, the loan goes through several automated steps until disbursement.

Operations
Webhooks

Webhooks

Manage the endpoints that receive event notifications (we_). Dinie follows the Standard Webhooks specification.

Events for each resource are documented in the Customers, Credit Offers, and Loans sections. This section covers only endpoint management.

Operations

Configuration

endpoint = client.webhooks.create_endpoint(
  url: "https://partner.example.com/webhooks/dinie",
  events: ["customer.active", "credit_offer.available", "loan.*"],
  description: "Production webhook"
)
# endpoint.secret => "whsec_xxxx..."
# ⚠️ Store the secret — shown only at creation!

Event Patterns

Use * for all events, or resource.* for all events of a resource.

PatternIncluded Events
customer.*created, under_review, kyc_updated, active
credit_offer.*available, expired
loan.*created, contract_generated, awaiting_signatures, signed, disbursing, active, payment_received, finished, cancelled, error
*All events

Secret Rotation

Rotate the secret periodically. The previous secret remains valid for the specified time, allowing a seamless transition.

result = client.webhooks.rotate_secret("we_abc123",
  expire_current_in: 3600  # previous valid for 1 more hour
)
# result.secret => "whsec_yyyy..." (new secret)

Create a webhook endpoint

Request

Creates a new webhook endpoint to receive Dinie events. The HMAC signing secret (secret) is returned only in this response — store it securely to validate the signatures of received events. Use event patterns like loan.*, customer.*, or * to subscribe to entire categories. Each endpoint can subscribe to multiple event patterns.

Security
bearerAuth
Headers
Idempotency-Keystring

Unique string for idempotent POST requests. Cached for 24 hours.

Bodyapplication/jsonrequired
urlstring(uri)required

HTTPS URL to receive webhook deliveries

Example: "https://partner.example.com/webhooks/dinie"
eventsArray of strings

Event types to subscribe to. Supports wildcards * (e.g., loan.*). Empty or omitted = all events.

Example: ["customer.active","credit_offer.available","loan.*"]
descriptionstring

Optional human-readable label

Example: "Production webhook"
curl -X POST https://api.dinie.com.br/v3/webhooks/endpoints \
  -H "Authorization: Bearer $DINIE_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://parceiro.example.com/webhooks/dinie",
    "events": ["customer.active", "credit_offer.available", "loan.*"],
    "description": "Webhook de produção"
  }'

Responses

Webhook endpoint created

Headers
Locationstring
Example: "/v3/webhooks/endpoints/we_550e8400e29b41d4a716446655440000"
Bodyapplication/json
idstring(WebhookEndpointId)^we_[0-9a-f]{32}$required
urlstring(uri)required
eventsArray of stringsrequired
descriptionstring or nullrequired
statusstringrequired
Enum ValueDescription
active

Endpoint is receiving webhook deliveries

disabled

Endpoint is paused; no webhooks will be sent

created_atstring(date-time)required
updated_atstring(date-time)required
secretstringrequired

HMAC signing secret (prefix whsec_). Store securely -- shown only once.

Example: "whsec_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Response
application/json
{
  "id": "we_550e8400e29b41d4a716446655440000",
  "url": "https://parceiro.example.com/webhooks/dinie",
  "events": [
    "customer.active",
    "credit_offer.available",
    "loan.*"
  ],
  "description": "Webhook de produção",
  "status": "active",
  "secret": "whsec_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0",
  "created_at": "2026-03-04T10:00:00Z",
  "updated_at": "2026-03-04T10:00:00Z"
}

List webhook endpoints

Request

Lists all webhook endpoints configured by the partner, including URL, subscribed events, and status (active/disabled). The signing secret is not returned in this listing. Use to audit and manage your webhook integrations.

Security
bearerAuth
curl https://api.dinie.com.br/v3/webhooks/endpoints \
  -H "Authorization: Bearer $DINIE_API_TOKEN"

Responses

List of webhook endpoints

Bodyapplication/json
dataArray of objects(WebhookEndpoint)required
data[].​idstring(WebhookEndpointId)^we_[0-9a-f]{32}$required
data[].​urlstring(uri)required
data[].​eventsArray of stringsrequired
data[].​descriptionstring or nullrequired
data[].​statusstringrequired
Enum ValueDescription
active

Endpoint is receiving webhook deliveries

disabled

Endpoint is paused; no webhooks will be sent

data[].​created_atstring(date-time)required
data[].​updated_atstring(date-time)required
has_morebooleanrequired
Response
application/json
{
  "data": [
    {
      "id": "we_550e8400e29b41d4a716446655440000",
      "url": "https://parceiro.example.com/webhooks/dinie",
      "events": [],
      "description": "Webhook de produção",
      "status": "active",
      "created_at": "2026-03-04T10:00:00Z",
      "updated_at": "2026-03-04T10:00:00Z"
    }
  ],
  "has_more": false
}

Retrieve a webhook endpoint

Request

Returns the details of a specific webhook endpoint, including URL, list of subscribed events, and current status (active/disabled). The signing secret (secret) is not returned — use POST .../secret/rotate if you need to generate a new one.

Security
bearerAuth
Path
webhook_endpoint_idstring(WebhookEndpointId)^we_[0-9a-f]{32}$required
Example: we_550e8400e29b41d4a716446655440000
curl https://api.dinie.com.br/v3/webhooks/endpoints/we_550e8400e29b41d4a716446655440000 \
  -H "Authorization: Bearer $DINIE_API_TOKEN"

Responses

Webhook endpoint details

Bodyapplication/json
idstring(WebhookEndpointId)^we_[0-9a-f]{32}$required
urlstring(uri)required
eventsArray of stringsrequired
descriptionstring or nullrequired
statusstringrequired
Enum ValueDescription
active

Endpoint is receiving webhook deliveries

disabled

Endpoint is paused; no webhooks will be sent

created_atstring(date-time)required
updated_atstring(date-time)required
Response
application/json
{
  "id": "we_550e8400e29b41d4a716446655440000",
  "url": "https://parceiro.example.com/webhooks/dinie",
  "events": [
    "customer.active",
    "credit_offer.available",
    "loan.*"
  ],
  "description": "Webhook de produção",
  "status": "active",
  "created_at": "2026-03-04T10:00:00Z",
  "updated_at": "2026-03-04T10:00:00Z"
}

Update a webhook endpoint

Request

Updates the configuration of a webhook endpoint. Allows changing the destination URL, the list of subscribed events, the description, and the status (active/disabled). Use disabled to temporarily pause deliveries without deleting the endpoint. Only the submitted fields are updated.

Security
bearerAuth
Path
webhook_endpoint_idstring(WebhookEndpointId)^we_[0-9a-f]{32}$required
Example: we_550e8400e29b41d4a716446655440000
Bodyapplication/jsonrequired
urlstring(uri)
eventsArray of strings
descriptionstring
statusstring
Enum"active""disabled"
curl -X PATCH https://api.dinie.com.br/v3/webhooks/endpoints/we_550e8400e29b41d4a716446655440000 \
  -H "Authorization: Bearer $DINIE_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "events": ["customer.*", "loan.*"],
    "status": "active"
  }'

Responses

Webhook endpoint updated

Bodyapplication/json
idstring(WebhookEndpointId)^we_[0-9a-f]{32}$required
urlstring(uri)required
eventsArray of stringsrequired
descriptionstring or nullrequired
statusstringrequired
Enum ValueDescription
active

Endpoint is receiving webhook deliveries

disabled

Endpoint is paused; no webhooks will be sent

created_atstring(date-time)required
updated_atstring(date-time)required
Response
application/json
{
  "id": "we_550e8400e29b41d4a716446655440000",
  "url": "https://parceiro.example.com/webhooks/dinie",
  "events": [
    "customer.*",
    "loan.*"
  ],
  "description": "Webhook de produção",
  "status": "active",
  "created_at": "2026-03-04T10:00:00Z",
  "updated_at": "2026-03-05T09:00:00Z"
}

Delete a webhook endpoint

Request

Deletes a webhook endpoint. Stops all deliveries.

Security
bearerAuth
Path
webhook_endpoint_idstring(WebhookEndpointId)^we_[0-9a-f]{32}$required
Example: we_550e8400e29b41d4a716446655440000
curl -X DELETE https://api.dinie.com.br/v3/webhooks/endpoints/we_550e8400e29b41d4a716446655440000 \
  -H "Authorization: Bearer $DINIE_API_TOKEN"

Responses

Webhook endpoint deleted (empty body)

Response
No content

Rotate the signing secret

Request

Rotates the HMAC signing secret of the endpoint. A new secret is generated and returned in the response. The previous secret remains valid during the grace period defined by expire_current_in (default: 3600 seconds). During this period, deliveries include signatures with both secrets, allowing a gradual migration in your system without losing events.

Security
bearerAuth
Path
webhook_endpoint_idstring(WebhookEndpointId)^we_[0-9a-f]{32}$required
Example: we_550e8400e29b41d4a716446655440000
Headers
Idempotency-Keystring

Unique string for idempotent POST requests. Cached for 24 hours.

Bodyapplication/json
expire_current_ininteger[ 0 .. 86400 ]

Seconds until the current secret expires. Default 3600. Max 86400.

Default 3600
curl -X POST https://api.dinie.com.br/v3/webhooks/endpoints/we_550e8400e29b41d4a716446655440000/secret/rotate \
  -H "Authorization: Bearer $DINIE_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"expire_current_in": 3600}'

Responses

Secret rotated

Bodyapplication/json
idstring(WebhookEndpointId)^we_[0-9a-f]{32}$required
secretstringrequired

New HMAC signing secret

Example: "whsec_yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy"
previous_secret_expires_atstring(date-time)required

When the old secret stops being included in signatures

Response
application/json
{
  "id": "we_550e8400e29b41d4a716446655440000",
  "secret": "whsec_novo1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8",
  "previous_secret_expires_at": "2026-03-04T11:00:00Z"
}