API reference

Apply API

Applications are the entry point to lending. Create one for a UK incorporated company, then either hand the applicant to Credicorp's hosted journey or drive a fully white-label flow from your own UI. Every application is decisioned and, once accepted and funded, becomes a servicing account.

The resource lives at /partner/v1/applications and requires the apply:write scope. An application moves through a strict lifecycle; the most reliable way to follow it is to subscribe to webhooks rather than poll. Below: create, retrieve, list and withdraw, then the two integration patterns.

Endpoints

MethodPathPurpose
POST/applicationsCreate an application.
GET/applications/{id}Retrieve a single application.
GET/applicationsList & filter applications.
POST/applications/{id}/withdrawWithdraw before it funds.

Create an application

POST/partner/v1/applications

Creates an application in the created state and returns a handoff_url. Always send an Idempotency-Key so a retried request does not open a second application for the same borrower.

Body parameters

FieldTypeDescription
business.company_numberstringreqCompanies House number of the borrowing entity (8 chars, e.g. 16093826 or SC123456).
amount_penceintegerreqRequested principal in pence. Minimum £1,000 (100000), maximum £250,000 (25000000).
term_monthsintegerreqRequested term, 3–60 months.
purposeenumoptworking_capital, asset_finance, expansion, refinance, stock.
applicant.emailstringoptContact for the hosted journey. Required if no redirect_uri is set.
applicant.first_namestringoptPre-fills the hosted journey.
redirect_uristringoptWhere to return the applicant after the hosted flow completes.
referencestringoptYour own reference; echoed back on every object and webhook for reconciliation.
introduction_idstringoptAttributes the deal to a distribution partner. See Introductions.
metadataobjectoptUp to 20 key/value string pairs, stored and returned verbatim.

Request

bash
curl -s https://api.credicorp.co.uk/partner/v1/applications \
  -H "Authorization: Bearer $TOKEN" \
  -H "Idempotency-Key: 7c1f-9b22-001" \
  -H "Content-Type: application/json" \
  -d '{
    "business": { "company_number": "16093826" },
    "amount_pence": 2500000,
    "term_months": 12,
    "purpose": "working_capital",
    "redirect_uri": "https://yourapp.com/return",
    "reference": "INV-4821"
  }'
php
$application = $cc->applications->create([
  'business'     => ['company_number' => '16093826'],
  'amount_pence' => 2500000,
  'term_months'  => 12,
  'purpose'      => 'working_capital',
  'redirect_uri' => 'https://yourapp.com/return',
  'reference'    => 'INV-4821',
], ['idempotency_key' => '7c1f-9b22-001']);

header('Location: ' . $application->handoff_url);
javascript
const application = await cc.applications.create({
  business: { companyNumber: '16093826' },
  amountPence: 2500000,
  termMonths: 12,
  purpose: 'working_capital',
  redirectUri: 'https://yourapp.com/return',
  reference: 'INV-4821',
}, { idempotencyKey: '7c1f-9b22-001' });

res.redirect(application.handoffUrl);

Response 201 Created

json
{
  "id": "app_8Kd2c9Qm",
  "object": "application",
  "status": "created",
  "business": { "company_number": "16093826", "name": "Credicorp Limited" },
  "amount_pence": 2500000,
  "term_months": 12,
  "purpose": "working_capital",
  "reference": "INV-4821",
  "handoff_url": "https://apply.credicorp.co.uk/s/3fa7c1…",
  "expires_at": "2026-07-06T10:00:00Z",
  "created_at": "2026-06-29T10:00:00Z"
}

Retrieve an application

GET/partner/v1/applications/{id}

Returns the current state of one application, including the linked decision once decisioning has run and the account_id once it funds.

bash
curl https://api.credicorp.co.uk/partner/v1/applications/app_8Kd2c9Qm \
  -H "Authorization: Bearer $TOKEN"

List applications

GET/partner/v1/applications

Returns a cursor-paginated list, newest first. Combine the filters below; all are optional.

Query paramTypeDescription
statusenumOne of the status values, e.g. funded.
referencestringExact match on your supplied reference.
created_afterstringRFC 3339 lower bound on created_at.
limitinteger1–100, default 25.
starting_afterstringCursor — an application id from the previous page.
bash
curl "https://api.credicorp.co.uk/partner/v1/applications?status=funded&limit=20" \
  -H "Authorization: Bearer $TOKEN"

Withdraw an application

POST/partner/v1/applications/{id}/withdraw

Cancels an application that has not yet funded and moves it to withdrawn. The call is idempotent — withdrawing an already-withdrawn application returns 200 with no change. Attempting to withdraw a funded application returns 409 conflict; servicing a funded loan is handled through Accounts.

bash
curl -s -X POST https://api.credicorp.co.uk/partner/v1/applications/app_8Kd2c9Qm/withdraw \
  -H "Authorization: Bearer $TOKEN" \
  -d '{ "reason": "duplicate" }'

Status values

An application advances through these states. Transitions are one-directional except for the terminal cancel states.

StatusMeaning
createdOpen; awaiting applicant completion via the handoff_url.
submittedApplicant finished and consented; queued for decisioning.
in_reviewThe decision engine (and any referral) is running.
approvedAn offer is available — read it from Decisioning.
declinedNo offer; structured reasons attached to the decision.
fundedDisbursed; a servicing account now exists.
withdrawnCancelled by you before funding.
expiredApplicant did not complete before expires_at.

Hosted vs white-label handoff

There are two ways to take the applicant from "created" to "submitted". Pick per integration; you can mix them across products.

Hosted journey (recommended)

Redirect the applicant to the handoff_url returned at creation. Credicorp runs the entire regulated flow — identity, open-banking affordability, consents and the offer screen — on apply.credicorp.co.uk, themed to your brand. When it finishes we redirect back to your redirect_uri with the application_id appended, and fire application.submitted. This is the fastest route to live and keeps the compliance surface with us.

White-label flow

Drive the screens in your own UI and submit collected data through the API. You own the front end; Credicorp still owns decisioning, identity verification and the credit agreement. This unlocks identity and consent endpoints on partner/v1 — see Identity — and requires a completed data-protection review because you are now handling applicant PII directly.

HostedWhite-label
Front end owned byCredicorpYou
PII handled by youNoYes
Time to integrateHoursDays
Extra approvalNoneDP review

React to events, don't poll. Subscribe to application.submitted, decision.completed and application.funded via webhooks. Each event carries your reference so you can match it straight to your ledger.

Credicorp lends only to UK incorporated bodies corporate (limited companies and LLPs). A company_number that resolves to a sole trader, partnership or dissolved entity is rejected at create with ineligible_entity. This lending sits outside FCA consumer-credit regulation.