Extend the marketplace
List a service in the Creditcorp marketplace so it runs inside the lending lifecycle. Subscribe to platform events, acknowledge fast, act asynchronously, write your result back to the application — then pass verified-vendor review to go live.
Where integration embeds our lending in your product, a marketplace listing does the reverse: your service plugs into our flow. Lenders and partners switch it on for their pipeline; the platform invokes you at the right moment via events, and you enrich the application with the result. Typical listings include accountancy-data connectors, fraud and KYB checks, valuation and asset-finance tooling, bookkeeping sync and insurance offers.
The extension model
Every marketplace app follows the same four-beat contract. It is deliberately asynchronous — you never block the platform while you do slow work.
| Beat | You do |
|---|---|
| 1. Subscribe | Register an endpoint and select the events your service reacts to. |
| 2. Acknowledge | Return 2xx within 10s, after verifying the signature. Don't process inline. |
| 3. Act | Do the work off the request thread — call your models, third parties, queues. |
| 4. Write back | POST the result to the application as a structured result. |
1 · Subscribe to platform events
Register your HTTPS endpoint and the events you want. Use wildcards (payment.*) to capture a family. The response returns a whsec_ signing secret — store it; you'll need it to verify every delivery.
curl -s https://api.credicorp.co.uk/partner/v1/webhook_endpoints \ -H "Authorization: Bearer $TOKEN" \ -d '{ "url": "https://vendor.example/hooks/credicorp", "events": ["application.submitted", "decision.completed"] }' # → { "id": "whe_4Kd", "secret": "whsec_9f2a…" }
Events a marketplace app commonly subscribes to
| Event | Fires when |
|---|---|
application.submitted | Applicant completes the journey — the moment to run KYB, fraud or data enrichment. |
decision.completed | Engine resolves — trigger post-decision offers or valuations. |
application.funded | Loan disbursed — kick off onboarding, bookkeeping sync, insurance. |
account.in_arrears | A scheduled payment is missed — collections or comms tooling. |
2 · Acknowledge, then act asynchronously
The platform expects a 2xx within 10 seconds. Verify the Creditcorp-Signature header in constant time (full recipe in Request signing), enqueue the event, and return immediately. Deliveries can arrive more than once, so make handlers idempotent keyed on event.id.
app.post('/hooks/credicorp', (req, res) => { const ok = cc.webhooks.verify( req.rawBody, req.headers['credicorp-signature'], process.env.WHSEC ); if (!ok) return res.sendStatus(400); const evt = JSON.parse(req.rawBody); queue.add('enrich', evt, { jobId: evt.id }); // idempotent res.sendStatus(202); // ack fast, work later });
$raw = file_get_contents('php://input'); $sig = $_SERVER['HTTP_CREDICORP_SIGNATURE'] ?? ''; if (! $cc->webhooks->verify($raw, $sig, getenv('WHSEC'))) { http_response_code(400); exit; } $evt = json_decode($raw, true); $queue->push('enrich', $evt, jobId: $evt['id']); // idempotent http_response_code(202); // ack now, act later
Never run model inference, third-party calls or DB writes before you respond. Blocking the ack past 10s triggers a retry, and retries plus inline work cascade into a storm. Ack first, always.
3 · Write your result back
Once your worker finishes, attach a structured result to the application. The platform stores it against your listing, surfaces it to the lender, and — where your service is wired into decisioning — can feed it into the engine. Namespace your type with your vendor slug to avoid collisions, and always send an Idempotency-Key.
| Field | Type | Description | |
|---|---|---|---|
type | string | req | Namespaced result kind, e.g. acme.kyb_check. |
status | string | req | pass, fail, review or info. |
data | object | opt | Your structured payload — scores, evidence, references. |
event_id | string | opt | The triggering evt_… id, for traceability. |
curl -s https://api.credicorp.co.uk/partner/v1/applications/app_8Kd2c9Qm/results \ -H "Authorization: Bearer $TOKEN" \ -H "Idempotency-Key: res-evt_7Hn" \ -d '{ "type": "acme.kyb_check", "status": "pass", "event_id": "evt_7Hn", "data": { "score": 0.94, "directors_verified": 2, "pep": false } }'
Response 201 Created
{
"id": "res_5Yh",
"object": "result",
"application_id": "app_8Kd2c9Qm",
"type": "acme.kyb_check",
"status": "pass",
"created_at": "2026-06-29T10:00:09Z"
}4 · Pass verified-vendor review
Before your listing is visible to lenders it goes through verified-vendor review. The badge tells partners your service meets the platform's security and reliability bar. Submit when your sandbox integration is complete; review typically takes a few business days.
| Requirement | |
|---|---|
| ✓ | Signature verification on every delivery, constant-time, with key rotation supported. |
| ✓ | Endpoint acknowledges within 10s and processes off-thread; handlers idempotent on event.id. |
| ✓ | Results namespaced to your vendor slug and written with an Idempotency-Key. |
| ✓ | Least-privilege OAuth scopes; secrets stored server-side; data-handling & UK data-residency declared. |
| ✓ | A working sandbox demo, listing copy, support contact and SLA, and an incident runbook. |
Build and prove the whole loop against the sandbox first — reviewers replay real events at your endpoint and check you ack fast, verify signatures and write a clean result. Reach the bar there and live approval is a formality. Questions? developers@credicorp.co.uk.
