Give Your Pagar.me Integration a Static IP for Firewall Allowlisting

Pagar.me is Brazil's most widely used payments API. When you go to production, their security team asks for the IP addresses your servers will connect from. If your app runs on a cloud platform with dynamic IPs, that list is meaningless by tomorrow.

The fix is a static outbound proxy. Your app routes payment API calls through it. QuotaGuard gives you two fixed IPs. You hand those IPs to Pagar.me once and never touch the allowlist again.

Allowlisted Static IPs Pass Pagar.me's Production Firewall

Pagar.me's production environment is firewalled. Requests from unknown IPs get blocked. That's standard practice for a PCI-compliant payments processor operating under Brazil's LGPD and the Banco Central do Brasil regulations.

The problem: cloud platforms like AWS, Render, Railway, Fly.io, and Heroku assign IP addresses dynamically. Every deployment, every restart, every scale event can change your outgoing IP. You can't hand that to Pagar.me's security team. They'd need to update the allowlist continuously.

A static IP proxy solves this in one step. Your app connects to the proxy. The proxy forwards the request to Pagar.me from one of two fixed IPs behind a load balancer. Pagar.me sees one of those two IPs, both of which never change. You register both IPs once.

QuotaGuard Static Setup Takes 2 Minutes

Sign up at quotaguard.com/products/quotaguard-static. You'll get a connection URL in this format:

QUOTAGUARDSTATIC_URL=http://username:password@proxy.quotaguard.com:9293

Set that as an environment variable in your app. Then route your Pagar.me HTTP calls through it.

Node.js with https-proxy-agent

import { HttpsProxyAgent } from 'https-proxy-agent';
import axios from 'axios';

const proxyAgent = new HttpsProxyAgent(process.env.QUOTAGUARDSTATIC_URL);

const response = await axios.post(
  'https://api.pagar.me/core/v5/charges',
  payload,
  {
    httpsAgent: proxyAgent,
    headers: {
      Authorization: 'Basic ' + Buffer.from(process.env.PAGARME_API_KEY + ':').toString('base64'),
      'Content-Type': 'application/json'
    }
  }
);

Python with requests

import requests
import os

proxies = {
    'http': os.environ['QUOTAGUARDSTATIC_URL'],
    'https': os.environ['QUOTAGUARDSTATIC_URL'],
}

response = requests.post(
    'https://api.pagar.me/core/v5/charges',
    json=payload,
    proxies=proxies,
    auth=(os.environ['PAGARME_API_KEY'], '')
)

Ruby with Net::HTTP

require 'net/http'
require 'uri'

proxy_uri = URI.parse(ENV['QUOTAGUARDSTATIC_URL'])
pagarme_uri = URI.parse('https://api.pagar.me/core/v5/charges')

Net::HTTP.start(
  pagarme_uri.host,
  pagarme_uri.port,
  proxy_uri.host,
  proxy_uri.port,
  proxy_uri.user,
  proxy_uri.password,
  use_ssl: true
) do |http|
  request = Net::HTTP::Post.new(pagarme_uri.path)
  request['Authorization'] = 'Basic ' + Base64.strict_encode64("#{ENV['PAGARME_API_KEY']}:")
  request['Content-Type'] = 'application/json'
  request.body = payload.to_json
  response = http.request(request)
end

Once deployed, confirm your two assigned IPs from the QuotaGuard dashboard. You can also verify routing through the proxy by hitting an IP-reflection service like ip.quotaguard.com from your app with the proxy configured. Submit both addresses to Pagar.me.

QuotaGuard tip: route only your Pagar.me API calls through the proxy, not all outbound traffic. It's faster, cheaper on bandwidth, and far easier to debug when something goes wrong.

PCI-DSS Compliance Calls for QuotaGuard Shield Instead

If you're processing credit card data and need to satisfy PCI-DSS, the standard proxy model isn't enough. PCI-DSS requires that cardholder data not be decrypted by any third party in transit. QuotaGuard Static uses a standard proxy model where QuotaGuard's infrastructure terminates and re-establishes TLS. That's fine for most use cases. It's not fine for PCI scope.

QuotaGuard Shield uses SSL passthrough. The TLS connection runs end-to-end between your app and Pagar.me. QuotaGuard routes the packets but never decrypts them. Your cardholder data is never exposed to a third party.

The setup is nearly identical. The environment variable is QUOTAGUARDSHIELD_URL instead of QUOTAGUARDSTATIC_URL. The connection URL uses port 9294 and the https:// scheme:

QUOTAGUARDSHIELD_URL=https://username:password@us-east-shield-01.quotaguard.com:9294

The region in the hostname is set when you sign up. Pick the region closest to your production infrastructure or to Pagar.me's API endpoints (São Paulo is served well from sa-east). If you need to change regions after sign-up, contact quotaguard.com/contact.

Use Shield if you're handling payment card data, CPF-linked financial records, or anything that falls under PCI-DSS scope. Use Static for everything else.

QuotaGuard Static Pricing Starts at $19/month

All plans include bundled bandwidth with no per-GB overage fees.

Most Pagar.me integrations run comfortably on the Starter plan. Payment API calls are small payloads. 10 GB covers a high volume of transactions.

QuotaGuard Shield Pricing Starts at $29/month

Shield's SSL passthrough adds minimal overhead for typical Pagar.me API payloads. A 3-day trial is available on all tiers. Enterprise trials run 7 days. Credit card required.

See the full plan comparison at quotaguard.com/products/pricing.

Your Pagar.me Integration Has Two Fixed IPs in 2 Minutes

Set QUOTAGUARDSTATIC_URL, point your HTTP client at it, confirm both assigned IPs, and register them with Pagar.me. That's the whole process. No infrastructure changes. No VPNs. No dedicated servers.

If PCI-DSS is in scope, use Shield instead. Same two-minute setup, end-to-end encryption, no third-party decryption of cardholder data.

Start your trial at quotaguard.com/products/pricing.