API reference

API reference overview

The Credicorp partner/v1 API is a JSON-over-HTTPS REST surface for embedding UK business lending: take an application, read an AI-led decision, disburse and collect funds over open banking, and reconcile every movement through signed webhooks.

Everything below applies to every resource — the same authentication, the same envelope for errors, the same cursor pagination and the same idempotency semantics. Read this page once and the individual resource pages become a quick lookup. If you are integrating for the first time, start with the Quickstart, then come back here for the catalogue.

Base URLs

There are two fully isolated environments. The sandbox never touches a real bank, never moves money and never runs a credit search — it is safe to hammer in CI. The live environment is the regulated platform. Tokens, webhook secrets and resource IDs are not interchangeable between the two.

Live
https://api.credicorp.co.uk/partner/v1
Sandbox
https://sandbox.api.credicorp.co.uk/partner/v1
Auth (OIDC)
https://sso.credicorp.co.uk/oauth2/token
Status
https://status.credicorp.co.uk

A second, customer-facing ring — public/v1 — backs the hosted apply journey and OIDC sign-in. Partner integrations use partner/v1 exclusively; public/v1 is documented under Identity.

All endpoints are versioned in the path. Breaking changes ship as a new major version (/partner/v2); additive changes — new fields, new enum values, new endpoints — are rolled into v1. Build a tolerant reader and you will rarely need to migrate. Track everything in the changelog.

Authentication

Every request carries a bearer access token in the Authorization header. Tokens are short-lived (3,600 seconds) and minted from your OAuth 2.0 client-credentials grant. Each token is bound to a set of scopes — you only get the resources you were granted at onboarding.

bash
# 1. Mint a token from your client credentials
curl -s https://sso.credicorp.co.uk/oauth2/token \
  -d grant_type=client_credentials \
  -d client_id=$CC_CLIENT_ID \
  -d client_secret=$CC_CLIENT_SECRET \
  -d scope="apply:write decision:read"

# 2. Call any resource with the access_token
curl -s https://api.credicorp.co.uk/partner/v1/applications \
  -H "Authorization: Bearer $TOKEN"
php
use Credicorp\Client;

// SDK exchanges client creds + refreshes the token for you
$cc = new Client([
  'client_id'     => getenv('CC_CLIENT_ID'),
  'client_secret' => getenv('CC_CLIENT_SECRET'),
  'environment'   => 'live', // or 'sandbox'
]);

$apps = $cc->applications->list(['limit' => 20]);
javascript
import { Credicorp } from '@credicorp/sdk';

const cc = new Credicorp({
  clientId: process.env.CC_CLIENT_ID,
  clientSecret: process.env.CC_CLIENT_SECRET,
  environment: 'live', // or 'sandbox'
});

const apps = await cc.applications.list({ limit: 20 });

The full token lifecycle, scope catalogue and key rotation are documented under OAuth 2.0. Server-to-server callers that disburse funds must additionally sign the request body — see Request signing.

Resources

The platform is organised around a handful of nouns. An application is decisioned, becomes an account when it funds, and money moves against that account as payment objects. identity verifies the borrowing entity and its officers; webhooks push state changes to you so you never have to poll.

ResourceBase pathScopeWhat it does
Apply/applicationsapply:writeCreate, retrieve, list and withdraw business-loan applications.
Decisioning/decisionsdecision:readReal-time AI outcome, indicative APR and reason codes.
Payments/paymentspayments:writePayment links, collection schedules and repayments via PISP.
Identity/identityidentity:readKYB on the company, KYC and AML checks on its officers.
Accounts/accountsaccounts:readFunded loan accounts, balances and servicing state.
Webhooks/webhookswebhooks:manageRegister endpoints and subscribe to signed events.

Conventions

Requests & responses

Send and receive application/json; UTF-8 throughout. All monetary amounts are integer pence in GBP2500000 is £25,000.00. There are no floats anywhere in the API. Timestamps are RFC 3339 / ISO 8601 in UTC (2026-06-29T14:05:00Z). Every object carries a stable, prefixed id (app_, dec_, acc_, pay_) and a string object field so you can route polymorphically.

Errors

Conventional HTTP status codes signal the outcome. 2xx is success, 4xx is a problem with your request (a bad parameter, a failed validation, a missing scope) and 5xx is a problem on our side. Every error returns the same machine-readable envelope, with a type you can branch on and a request_id to quote to support.

json
{
  "error": {
    "type": "validation_error",
    "code": "amount_below_minimum",
    "message": "amount_pence must be at least 100000.",
    "param": "amount_pence",
    "request_id": "req_7f3aK9d2"
  }
}
StatusTypeMeaning
200 201Success. 201 on resource creation.
400validation_errorMalformed body or a parameter failed validation.
401authentication_errorMissing, expired or invalid access token.
403permission_errorToken lacks the required scope.
404not_foundNo such resource, or not visible to this client.
409conflictIdempotency-Key reused with a different body, or illegal state transition.
429rate_limitedToo many requests — back off and retry.
500 503api_errorSomething failed our side. Safe to retry idempotent calls.

The full code list lives on the Errors page.

Idempotency

Every POST accepts an Idempotency-Key header — any unique string (a UUID is ideal). We persist the first response against that key for 24 hours, so a retried request returns the original result instead of creating a duplicate application or taking a payment twice. Always set it on writes that move money or create records. Reusing a key with a different payload returns 409 conflict. See the idempotency guide.

Pagination

List endpoints are cursor-paginated. Pass limit (1–100, default 25) and walk forward with starting_after={id}. The envelope reports whether more pages exist; never infer the end from a short page.

json
{
  "object": "list",
  "data": [ { "id": "app_8Kd2c9Qm",  } ],
  "has_more": true,
  "next_cursor": "app_8Kd2c9Qm"
}

Details and ordering guarantees are on the Pagination page.

Rate limits

Limits are applied per client, per environment, on a sliding window. Each response carries your budget so you can throttle pre-emptively rather than waiting for a 429.

HeaderMeaning
RateLimit-LimitRequests permitted in the current window.
RateLimit-RemainingRequests left in this window.
RateLimit-ResetSeconds until the window resets.
Retry-AfterOn a 429, seconds to wait before retrying.

Default ceilings and how to request an uplift are on the Rate limits page.

An OpenAPI 3.1 document for the whole partner/v1 surface is published at https://api.credicorp.co.uk/partner/v1/openapi.json. Point your generator at it to scaffold a typed client, or import it into Postman / Insomnia. Our official SDKs are generated from the same spec.

Where to go next

  • Lending the loan yourself? Read ApplyDecisioningPayments.
  • Just want to refer deals? The white-label handoff in Apply needs only one call.
  • Reconciling a back office? Subscribe to Webhooks and read the Accounts resource.