MED Defense

Use this endpoint when a MED or PIX infraction requires a customer response before the deadline informed by webhook.

POST /api/external/med/{id}/defense
Content-Type: application/json
Authorization: ApiKey {client_id}:{client_secret}
hmac: {hmac_sha512_signature}

Required permission: payment:write.

The {id} is the MED case/block identifier returned by GET /api/external/med, GET /api/external/med/{id}, or infraction webhooks. This is a POST, so it must follow the same HMAC-SHA512 rule used by other write endpoints.

Body

{
  "defense_text": "Customer confirmed the operation and sent service evidence.",
  "evidence": [
    {
      "type": "whatsapp",
      "url": "https://your-domain.example/evidence/med-123.png",
      "description": "Conversation screenshot confirming the holder's request",
      "source": "whatsapp",
      "filename": "conversation-med-123.png",
      "received_at": "2026-06-02T13:30:00Z"
    }
  ]
}

Each evidence item must include at least url or description. The API accepts up to 10 evidence references per submission. Binary attachments remain available in the Minha Konta portals for analysis and future audit.

Response

{
  "worked": true,
  "status": "defense_submitted",
  "med_id": "3f1e2c41-c269-4fa8-a151-49e739f8d37d",
  "block_id": "3f1e2c41-c269-4fa8-a151-49e739f8d37d",
  "evidence_count": 1,
  "defense_submitted_at": "2026-06-02T16:30:12Z"
}

After registration, Minha Konta sends pix.infraction.defense_submitted. The final result arrives later through pix.infraction.resolved.

See PIX Infractions and MED for the full flow.