Credenciamento Open Finance (PSTI)
Overview
Technical documentation and compliance validation for Information Technology Service Providers (Provedores de Serviços de Tecnologia da Informação, PSTI) in Open Finance Brasil (BCB, Res. 10/2026). Maps the security architecture and compares the client's API with the technical manual of the central directory.
Tools
- validate_api_spec_compliance — Compares the client’s OpenAPI 3.x spec (JSON) with Open Finance interoperability expectations: OpenAPI version, info, security schemes (OAuth2/OpenID Connect), HTTPS-only servers, and path structure. Optionally accepts a reference manual path for detailed comparison with the BCB central directory technical manual.
Getting Started
Add your OpenAPI specification (JSON) to the project workspace. If the spec is in YAML, convert it to JSON (e.g. npx @apidevtools/swagger-cli bundle spec.yaml -o spec.json). Activate the Credenciamento Open Finance (PSTI) skill and ask the agent to validate the API documentation for PSTI credentialing; the agent will run the compliance check and help you address any gaps.
Example conversation
Below is an example of a typical session where the user asks to validate their API documentation for PSTI credentialing. The agent runs the compliance tool and then suggests corrections.
You: We’re preparing our PSTI credentialing (Res. BCB 10/2026) and need to check if our API spec is aligned with the Open Finance directory. The spec is at api/openapi.json.
Agent: I’ll run the API spec compliance validator against your OpenAPI file and the expectations from the Open Finance central directory (interoperability standards). One moment.
Agent: I ran validate_api_spec_compliance on api/openapi.json. Summary:
- OpenAPI version: 3.0.3 — OK.
- info: title and version present — OK.
- Servers: one server is http://api.example.com — ERROR. Open Finance requires HTTPS for all servers. Update the spec to use https:// only.
- Security schemes: You have OAuth2 under oauth2Auth — OK. Global security is applied — OK.
- Paths: 14 paths defined — OK.
I’ve saved the full report to output/api_compliance_report.txt. The only blocking issue is the HTTP server URL; after switching to HTTPS, re-run the validator. I can suggest the exact servers block if you want.
You: Fix the servers block and add a short note in the spec description that this API is intended for Open Finance PSTI credentialing.
Agent: I’ve updated api/openapi.json: (1) replaced the server URL with https://api.example.com; (2) added in info.description a paragraph stating that the API is documented for Open Finance Brasil credentialing (Res. BCB nº 10/2026) and alignment with the central directory technical manual. You can run the validator again to confirm a clean result.
Sample validation output
Below is a representative excerpt of the compliance report produced by the validate_api_spec_compliance tool. This is the kind of output the agent receives and then summarizes for you; you can also save it to a file (e.g. output/api_compliance_report.txt) for audit or internal review.
Validation report (excerpt)
============================================================
Validação de conformidade — API x Open Finance (PSTI / BCB)
Arquivo: api/openapi.json
============================================================
--- Versão e identificação ---
openapi: 3.0.3
info.title: Payments API
info.version: 1.2.0
--- Servidores ---
[OK] https://api.pagamentos.example.com/v1
--- Segurança (components.securitySchemes) ---
[OK] oauth2Auth: type=oauth2
[OK] openIdConnect: type=openIdConnect
--- security (global) ---
Aplicado: [{"oauth2Auth":[]}]
--- Paths ---
Total de paths: 14
/consents
/accounts
/payments
/customers
...
============================================================
RESULTADO: Estrutura básica compatível com Open Finance
Avisos:
- info.description ausente (recomendado para credenciamento)
============================================================
This excerpt is illustrative. Actual output depends on the client’s OpenAPI file and optional reference manual.
Sample generated document (technical documentation)
When the agent helps you draft or update technical documentation for PSTI credentialing, it may produce a section like the following — describing how the API aligns with Open Finance security and interoperability requirements.
API documentation for PSTI credentialing — excerpt
1. Scope and regulation
This API is documented for participation in the Open Finance Brasil ecosystem as a Provedor de Serviços de Tecnologia da Informação (PSTI), in accordance with Resolução BCB nº 10/2026. The specification is aligned with the technical manual of the central directory for interoperability (discovery, consent, and data exchange).
2. Security architecture
- Authentication and authorisation: OAuth 2.0 and OpenID Connect as defined in components.securitySchemes. All production endpoints require a valid access token issued by the directory or an authorised identity provider.
- Transport: All servers use HTTPS only. TLS 1.2 or higher is required.
- Data in transit: Encryption and integrity in line with BCB and Open Finance security guidelines.
3. Alignment with central directory
Endpoints and payloads follow the patterns described in the Open Finance Brasil central directory API manual. Consent and account data flows are implemented as per the official specifications. Any deviation is documented in the changelog and will be updated in the next release.
This excerpt is illustrative. Final content must reflect the actual API, security controls, and current BCB/Open Finance requirements.
What the validator checks
| Check | Description |
|---|---|
| OpenAPI version | Ensures openapi is present and 3.x. |
| info | Warns if info.title or info.version is missing (recommended for credentialing). |
| Servers | ERROR if any server URL is not HTTPS (Open Finance requirement). |
| Security schemes | Verifies at least one OAuth2 or OpenID Connect scheme in components.securitySchemes; warns if none. |
| Paths | Reports total path count; optional reference file can be used for endpoint-by-endpoint comparison with the directory manual. |
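
The checks in the table above, written out as an added example (not the validate_api_spec_compliance tool's own code). The function name check_spec, the message strings and the constructed sample spec are assumptions, as is treating an absent servers list (which OpenAPI defaults to the relative URL /) as a non-HTTPS error.

```python
import json
from urllib.parse import urlsplit

# Constructed sample spec (not a real API): one HTTP server, no info.version.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "info": {"title": "Payments API"},
  "servers": [
    {"url": "https://api.example.com/v1"},
    {"url": "http://sandbox.example.com/v1"}
  ],
  "components": {"securitySchemes": {
    "oauth2Auth": {"type": "oauth2"},
    "legacyKey": {"type": "apiKey", "in": "header", "name": "X-Key"}
  }},
  "paths": {"/consents": {}, "/accounts": {}}
}
""")


def check_spec(spec):
    """Return (errors, warnings, path_count) for the checks in the table."""
    errors, warnings = [], []

    # OpenAPI version: must be present and 3.x.
    version = str(spec.get("openapi", ""))
    if not version.startswith("3."):
        errors.append(f"openapi: expected 3.x, got {version or 'missing'}")

    # info: title and version are recommended, so missing fields only warn.
    info = spec.get("info") or {}
    for field in ("title", "version"):
        if not info.get(field):
            warnings.append(f"info.{field} missing")

    # Servers: any non-HTTPS URL is an error. An absent or empty list defaults
    # to "/" in OpenAPI, which this example also rejects (assumption).
    for server in spec.get("servers") or [{"url": "/"}]:
        url = server.get("url", "")
        if urlsplit(url).scheme.lower() != "https":
            errors.append(f"servers: not HTTPS: {url}")

    # Security schemes: at least one OAuth2 or OpenID Connect scheme.
    schemes = (spec.get("components") or {}).get("securitySchemes") or {}
    if not any(s.get("type") in ("oauth2", "openIdConnect") for s in schemes.values()):
        warnings.append("no oauth2/openIdConnect scheme in components.securitySchemes")

    return errors, warnings, len(spec.get("paths") or {})
```

Relative and templated server URLs (for example "/v1" or "{scheme}://host") have no parseable https scheme and are reported as errors by this example, since HTTPS cannot be confirmed from the spec alone.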