Cloud-native banking infrastructure

Quiet infrastructure for moving money.

Swepay builds identity, certificates, and authentication infrastructure for fintechs entering the Brazilian market — FAPI-ready, LGPD-compliant, ICP-Brasil aware.

  • Compliance: FAPI 1.0 Advanced
  • Trust: ICP-Brasil aware
  • Privacy: LGPD by default
  • Footprint: sa-east-1 native

01 — Essence

A short way to pay.

Swepay sells the unglamorous parts of finance — identity, certificates, authentication. The brand reflects that: precise, restrained, dependable. We borrow our discipline from Scandinavian engineering, our clarity from developer tooling, and our temperament from infrastructure that just works.

Promise

Quiet by design.

Your customers' brands are loud. Ours is the steady hum behind them. We earn trust by disappearing into the work.

Audience

Builders of money.

CTOs, security leads, and platform engineers at fintechs and banks. People who choose tools by reading the docs first.

Posture

Brazil-native by design.

We treat Bacen, ICP-Brasil and LGPD as first-class concerns, not afterthoughts. The compliance perimeter is the product.

02 — Brazilian market

Brazil is hard. That's the point.

Brazil's financial stack has a regulatory perimeter that doesn't exist anywhere else. Foreign fintechs typically lose 12–18 months learning it the hard way. Swepay sells those months back to you, as infrastructure.

What we handle

The plumbing between you and the regulator.

From sovereign certificate trust chains to FAPI-grade authorization flows and consent ledgers, we operate the layer that sits between your product and Brazil's financial regulators. You ship features. We carry the audit trail.

Built in sa-east-1 with multi-region failover. Designed for institutions that can't afford a Sunday outage.

Regulatory perimeter

  • ICP-Brasil: Sovereign PKI · A1/A3 client certs (Solved)
  • FAPI 1.0 Adv.: PAR · JARM · mTLS · DPoP · PKCE (Solved)
  • Open Finance: Bacen directory · consent · DCR (Solved)
  • Res. BCB 4.893: Cybersecurity policy · audit log (Solved)
  • Circ. 3.978: AML / CFT signal hooks (Solved)
  • LGPD: Lawful basis · retention · DSR (Solved)

03 — Products

Three products. One trust fabric.

Buy them together and they share the same identities, certificates, and audit trail. Buy them separately and each one drops cleanly into an existing stack.

swepay · native guard

Native Guard

A FAPI-aligned OIDC / OAuth 2.1 authorization server. Managed alternative to self-hosted Keycloak with the regulatory perimeter built in. Multi-tenant, multi-realm, native AOT runtime.

  • PAR · JARM · mTLS · DPoP · PKCE
  • Private Key JWT client auth
  • PS256 / ES256 signing · JWKS rotation
  • Dynamic Client Registration (DCR)
  • Bot defense via Turnstile per realm
swepay · ca manager

CA Manager

API-first private CA for issuing, revoking and bundling mTLS client certificates. CRL and OCSP endpoints out of the box. Built for Open Finance Brasil and bilateral banking integrations.

  • REST API · per-tenant key isolation
  • CRL distribution · OCSP responder
  • PKCS#12 / PEM bundles · presigned URLs
  • Profile-based issuance (BCB, Bacen, internal)
  • Audit trail signed end-to-end
swepay · passkey

Passkey

FIDO2 / WebAuthn passwordless authentication. Plugs into Native Guard, or stands alone behind any existing IdP. Phishing-resistant by construction. Friendly to your end users, hostile to attackers.

  • WebAuthn level 3 attestation
  • Cross-device passkey sync
  • Platform & roaming authenticators
  • Step-up auth for high-value flows
  • Standalone JS SDK · no IdP lock-in
04 — Specs

Numbers that matter to engineers.

We optimise for cold start, p99 latency, and audit completeness. The boring numbers. The ones that show up at 3am when your incident channel lights up.

<50ms

Cold start

.NET 10 Native AOT, single-binary lambdas. No JIT warm-up tax.

99.95%

SLA target

Multi-AZ in sa-east-1 with cross-region failover for critical paths.

7y

Audit retention

Tamper-evident logs aligned to Bacen / Open Finance retention rules.

100%

Tenant isolation

Cryptographic key separation per tenant. No shared blast radius.

05 — For technical decision-makers

Built for the people who pick the tools.

Swepay is sold to engineering and security leadership. Not because finance teams aren't smart — but because what we sell is, fundamentally, an architectural decision.

CTO · VP Engineering

Buy back the next 12 months.

Stop staffing a 4-person team to build an OAuth server you don't want. We've done it; it's aligned with FAPI 1.0 Advanced; it runs.

Head of Security · CISO

Defensible audit trail.

Cryptographically signed logs, sender-constrained tokens, mTLS by default. Designed to support a Bacen audit.

Security Architect

Standards, not surprises.

FAPI 1.0 Advanced, RFC 9449, RFC 9126, RFC 8705. We follow the spec; we don't invent dialects.

Head of Compliance

LGPD-aware on day one.

Lawful-basis tagging per data class, consent ledger, retention schedule, DSR endpoints. Privacy as a contract.

06 — Contact

Talk to engineering, not to a sales funnel.

Bring a real problem and we'll bring a real architect. We respond from a working address, not a CRM. Expect a reply within one business day.