API Integration · FELCA · Brazil · Updated March 14, 2026 · 10 min read

FELCA API Integration — Age Verification Endpoints for Brazil

The FlagCheck FELCA API gives you two production-ready endpoints to comply with Brazil's FELCA Law (Digital ECA — Law 15.211/2025), in effect since March 17, 2026. Verify whether a Brazilian user is 18+ in under 2 seconds, optionally combining biometric face liveness for high-risk platforms.

< 2s response · 🇧🇷 CPF-native · 🔒 LGPD-safe · FELCA compliant · 🤳 Face liveness · 🌐 REST / JSON

What the FELCA Law Requires (Quick Summary)

Brazil's Digital ECA mandates that any digital platform reachable by minors must implement reliable age verification — self-declaration is banned. Violations carry fines up to BRL 50 million. The FELCA API covers both mandatory scenarios:

  • Standard platforms (games, streaming, social media): CPF age check is sufficient.
  • High-risk platforms (sports betting, adult content, alcohol e-commerce): CPF + face liveness is strongly recommended.


API Endpoints

Base URL
https://api.flagcheck.com.br

Authentication
Pass your API key in the X-API-Key header.

POST /api/felca/age-check

Age verification via CPF. Returns is_adult, age and date of birth.

Use this for: standard platforms (games, streaming, social media, e-commerce).

Request body
{
  "cpf": "111.222.333-44"
}

POST /api/felca/liveness

Age verification + facial biometrics. Returns is_adult + face_match confidence score.

Use this for: sports betting, adult content, alcohol/tobacco delivery, fintech.

Request body
{
  "cpf": "111.222.333-44",
  "selfie": "<base64-encoded-image>"
}

Code Examples

POST Endpoint 1 — Age Check (CPF only)

cURL
curl -X POST \
  https://api.flagcheck.com.br/api/felca/age-check \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"cpf": "111.222.333-44"}'
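JavaScript (Node.js / server-side only)
// Never expose your API key client-side
// Express-style middleware: `res` is your framework's response object
async function requireAdult(req, res, next) {
  // Named apiRes so the fetch response does not shadow the framework's `res`
  const apiRes = await fetch(
    'https://api.flagcheck.com.br/api/felca/age-check',
    {
      method: 'POST',
      headers: {
        'X-API-Key': process.env.FLAGCHECK_API_KEY,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({ cpf: '111.222.333-44' }),
    }
  )
  const { success, data } = await apiRes.json()
  // Block on an API failure as well as on a minor result
  if (!success || !data.is_adult) {
    return res.status(403).json({ error: 'Access restricted' })
  }
  return next()
}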
Python
import os
import requests

resp = requests.post(
    'https://api.flagcheck.com.br/api/felca/age-check',
    headers={
        # Read the key from the environment instead of hard-coding it
        'X-API-Key': os.environ['FLAGCHECK_API_KEY'],
        'Content-Type': 'application/json',
    },
    json={'cpf': '111.222.333-44'},
    timeout=10,  # requests waits indefinitely unless a timeout is set
)
data = resp.json()
if not data["success"] or not data["data"]["is_adult"]:
    raise PermissionError("Access restricted")
# Log for ANPD audit
print(data["meta"]["timestamp"], data["meta"]["request_id"])
PHP
$response = file_get_contents(
    'https://api.flagcheck.com.br/api/felca/age-check',
    false,
    stream_context_create([
        'http' => [
            'method' => 'POST',
            'header' => "X-API-Key: YOUR_API_KEY\r\nContent-Type: application/json\r\n",
            'content' => json_encode(['cpf' => '111.222.333-44']),
        ]
    ])
);
$data = json_decode($response, true);
if (!$data["success"] || !$data["data"]["is_adult"]) {
    http_response_code(403);
    die('Access restricted'); // Block the user
}

POST Endpoint 2 — Liveness (CPF + Selfie)

cURL
curl -X POST \
  https://api.flagcheck.com.br/api/felca/liveness \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"cpf": "111.222.333-44", "selfie": "<base64>"}'
JavaScript
// Run the API call on your server so the API key is never shipped to the client
async function verifyLiveness() {
  // Capture selfie via MediaDevices API or liveness SDK
  const selfieBase64 = await captureSelfie() // your implementation
  const res = await fetch(
    'https://api.flagcheck.com.br/api/felca/liveness',
    {
      method: 'POST',
      headers: {
        'X-API-Key': process.env.FLAGCHECK_API_KEY,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({
        cpf: '111.222.333-44',
        selfie: selfieBase64,
      })
    }
  )
  const { success, data } = await res.json()
  // !(x >= 0.75) also blocks when face_match is missing: `undefined < 0.75` is false
  if (!success || !data.is_adult || !(data.face_match >= 0.75)) {
    return { blocked: true }
  }
  return { blocked: false }
}

API Responses

Adult user (is_adult: true)

{
  "success": true,
  "data": {
    "is_adult": true,
    "age": 32,
    "date_of_birth": "1993-05-14",
    "document": { "type": "CPF", "valid": true }
  },
  "meta": { "request_id": "felca_a1b2c3d4", "timestamp": "2026-03-14T10:22:00Z" }
}

🔴 Minor user (is_adult: false)

{
  "success": true,
  "data": {
    "is_adult": false,
    // age and date_of_birth omitted (LGPD protection for minors)
    "document": { "type": "CPF", "valid": true }
  },
  "meta": { "request_id": "felca_b2c3d4e5", "timestamp": "2026-03-14T10:23:00Z" }
}

🤳 Liveness response

{
  "success": true,
  "data": {
    "is_adult": true,
    "age": 28,
    "date_of_birth": "1998-02-20",
    "face_match": 0.94,
    "liveness_score": 0.98,
    "document": { "type": "CPF", "valid": true }
  },
  "meta": { "request_id": "felca_c3d4e5f6", "timestamp": "2026-03-14T10:24:00Z" }
}
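
A fail-closed way to evaluate the three responses shown above, added here as an example and not part of FlagCheck's documentation or SDK. The function name, the reason strings and the check on document.valid are assumptions; the 0.75 threshold comes from the page's liveness snippet.

```python
FACE_MATCH_MIN = 0.75  # threshold used in the page's liveness snippet

def decide(response, require_liveness=False):
    """Return (allowed, reason). Anything missing, mistyped or unexpected denies."""
    if not isinstance(response, dict) or response.get("success") is not True:
        return False, "api_error"
    data = response.get("data")
    if not isinstance(data, dict):
        return False, "malformed"
    doc = data.get("document")
    # Assumption: document.valid false means the CPF itself was rejected.
    if not isinstance(doc, dict) or doc.get("valid") is not True:
        return False, "document_invalid"
    # Identity test, not truthiness: the string "false" must not pass.
    if data.get("is_adult") is not True:
        return False, "not_adult"
    if require_liveness:
        score = data.get("face_match")
        if isinstance(score, bool) or not isinstance(score, (int, float)):
            return False, "face_match_missing"
        if not score >= FACE_MATCH_MIN:  # written this way so NaN also denies
            return False, "face_mismatch"
    return True, "ok"

# Sample responses from the page, trimmed to the fields the gate reads.
DOC = {"type": "CPF", "valid": True}
ADULT = {"success": True, "data": {"is_adult": True, "age": 32, "document": DOC}}
MINOR = {"success": True, "data": {"is_adult": False, "document": DOC}}
LIVENESS = {"success": True, "data": {"is_adult": True, "face_match": 0.94,
                                      "liveness_score": 0.98, "document": DOC}}
# Constructed edge cases, not taken from the page.
STRING_FLAG = {"success": True, "data": {"is_adult": "false", "document": DOC}}
LOW_MATCH = {"success": True, "data": {"is_adult": True, "face_match": 0.5,
                                       "document": DOC}}

if __name__ == "__main__":
    cases = [("adult", ADULT, False), ("minor", MINOR, False),
             ("liveness", LIVENESS, True), ("age-check on liveness gate", ADULT, True),
             ("string flag", STRING_FLAG, False), ("low match", LOW_MATCH, True)]
    for name, resp, live in cases:
        print(name, decide(resp, require_liveness=live))
```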

Audit Logging (ANPD Compliance)

For ANPD compliance audits, log the following fields from the response — never store raw CPF:

  1. SHA-256 hash of the CPF (not the raw CPF)
  2. is_adult result (boolean)
  3. meta.timestamp (ISO 8601)
  4. meta.request_id (for dispute resolution)
  5. Your own user_id or session_id
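
One way to build the audit entry listed above, added here as an example and not FlagCheck's code. It swaps the plain SHA-256 for HMAC-SHA-256 keyed with a server-side secret, because only 10^9 CPF numbers exist (nine free digits plus two check digits) and an unkeyed hash of that space can be enumerated; the pepper value, the record's key names and the function names are assumptions.

```python
import hashlib
import hmac
import re

# Assumption: in production the pepper is loaded from a secret manager, never from source.
PEPPER = b"constructed-demo-pepper-not-a-real-secret"

def normalize_cpf(cpf: str) -> str:
    """Reduce a CPF to its 11 digits so both accepted formats hash identically."""
    digits = re.sub(r"[^0-9]", "", cpf)
    if len(digits) != 11:
        raise ValueError("CPF must contain exactly 11 digits")
    return digits

def cpf_digest(cpf: str, pepper: bytes = PEPPER) -> str:
    """HMAC-SHA-256 of the normalized CPF, hex encoded."""
    return hmac.new(pepper, normalize_cpf(cpf).encode(), hashlib.sha256).hexdigest()

def audit_record(cpf: str, response: dict, user_id: str, pepper: bytes = PEPPER) -> dict:
    """Build the five-field entry; raises rather than logging a malformed result."""
    data, meta = response["data"], response["meta"]
    if not isinstance(data["is_adult"], bool):
        raise ValueError("is_adult must be a boolean")
    # Only the listed fields are copied: age and date_of_birth never reach the log.
    return {
        "cpf_hmac_sha256": cpf_digest(cpf, pepper),
        "is_adult": data["is_adult"],
        "timestamp": meta["timestamp"],
        "request_id": meta["request_id"],
        "user_id": user_id,
    }

# Minor response copied from the page; the user_id below is constructed.
MINOR_RESPONSE = {
    "success": True,
    "data": {"is_adult": False, "document": {"type": "CPF", "valid": True}},
    "meta": {"request_id": "felca_b2c3d4e5", "timestamp": "2026-03-14T10:23:00Z"},
}

if __name__ == "__main__":
    print(audit_record("111.222.333-44", MINOR_RESPONSE, "user-1234"))
```

Denied requests belong in the same log as approved ones, so build the record before the access decision is enforced.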


Frequently Asked Questions

Do I need both endpoints?
No. For most platforms, the age-check endpoint alone is sufficient for FELCA compliance. The liveness endpoint is recommended for high-risk platforms (sports betting, adult content) where you need to confirm the person using the platform is actually the CPF holder.
Does the API store CPF numbers?
No. FlagCheck processes each CPF query in real time and immediately discards it. For your own audit log, store only a SHA-256 hash of the CPF alongside the is_adult result and timestamp — this proves compliance without exposing personal data.
What format should the CPF be in?
The API accepts both formatted (111.222.333-44) and unformatted (11122233344) CPF strings. Digits-only is slightly preferred for robustness.
What does is_adult: false mean for my platform?
The user is under 18. Your platform should block access to age-restricted content and display an appropriate message. The API returns a timestamped response for your audit log. The age and date_of_birth fields are omitted in minor responses to protect data under LGPD.
How do I send the selfie for the liveness endpoint?
Capture the selfie image on the client side (mobile or web) and encode it as Base64. Send the Base64 string in the "selfie" field of the JSON body along with the CPF. For mobile apps, use the device camera; for web, use the MediaDevices API or a liveness SDK.
What is the SLA / uptime?
The FlagCheck API targets 99.9% uptime with response times under 2 seconds for the age-check endpoint. Liveness responses may take 2–4 seconds depending on image size. Monitor api.flagcheck.com.br/docs for status.
