Guide

Extend the marketplace

List a service in the Creditcorp marketplace so it runs inside the lending lifecycle. Subscribe to platform events, acknowledge fast, act asynchronously, write your result back to the application — then pass verified-vendor review to go live.

Where integration embeds our lending in your product, a marketplace listing does the reverse: your service plugs into our flow. Lenders and partners switch it on for their pipeline; the platform invokes you at the right moment via events, and you enrich the application with the result. Typical listings include accountancy-data connectors, fraud and KYB checks, valuation and asset-finance tooling, bookkeeping sync and insurance offers.

The extension model

Every marketplace app follows the same four-beat contract. It is deliberately asynchronous — you never block the platform while you do slow work.

BeatYou do
1. SubscribeRegister an endpoint and select the events your service reacts to.
2. AcknowledgeReturn 2xx within 10s, after verifying the signature. Don't process inline.
3. ActDo the work off the request thread — call your models, third parties, queues.
4. Write backPOST the result to the application as a structured result.

1 · Subscribe to platform events

POST/partner/v1/webhook_endpoints

Register your HTTPS endpoint and the events you want. Use wildcards (payment.*) to capture a family. The response returns a whsec_ signing secret — store it; you'll need it to verify every delivery.

bash
curl -s https://api.credicorp.co.uk/partner/v1/webhook_endpoints \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "url": "https://vendor.example/hooks/credicorp",
    "events": ["application.submitted", "decision.completed"]
  }'
# → { "id": "whe_4Kd", "secret": "whsec_9f2a…" }

Events a marketplace app commonly subscribes to

EventFires when
application.submittedApplicant completes the journey — the moment to run KYB, fraud or data enrichment.
decision.completedEngine resolves — trigger post-decision offers or valuations.
application.fundedLoan disbursed — kick off onboarding, bookkeeping sync, insurance.
account.in_arrearsA scheduled payment is missed — collections or comms tooling.

2 · Acknowledge, then act asynchronously

The platform expects a 2xx within 10 seconds. Verify the Creditcorp-Signature header in constant time (full recipe in Request signing), enqueue the event, and return immediately. Deliveries can arrive more than once, so make handlers idempotent keyed on event.id.

javascript
app.post('/hooks/credicorp', (req, res) => {
  const ok = cc.webhooks.verify(
    req.rawBody,
    req.headers['credicorp-signature'],
    process.env.WHSEC
  );
  if (!ok) return res.sendStatus(400);

  const evt = JSON.parse(req.rawBody);
  queue.add('enrich', evt, { jobId: evt.id });  // idempotent
  res.sendStatus(202);                          // ack fast, work later
});
php
$raw = file_get_contents('php://input');
$sig = $_SERVER['HTTP_CREDICORP_SIGNATURE'] ?? '';

if (! $cc->webhooks->verify($raw, $sig, getenv('WHSEC'))) {
    http_response_code(400); exit;
}

$evt = json_decode($raw, true);
$queue->push('enrich', $evt, jobId: $evt['id']);  // idempotent
http_response_code(202);                              // ack now, act later

Never run model inference, third-party calls or DB writes before you respond. Blocking the ack past 10s triggers a retry, and retries plus inline work cascade into a storm. Ack first, always.

3 · Write your result back

POST/partner/v1/applications/{id}/results

Once your worker finishes, attach a structured result to the application. The platform stores it against your listing, surfaces it to the lender, and — where your service is wired into decisioning — can feed it into the engine. Namespace your type with your vendor slug to avoid collisions, and always send an Idempotency-Key.

FieldTypeDescription
typestringreqNamespaced result kind, e.g. acme.kyb_check.
statusstringreqpass, fail, review or info.
dataobjectoptYour structured payload — scores, evidence, references.
event_idstringoptThe triggering evt_… id, for traceability.
bash
curl -s https://api.credicorp.co.uk/partner/v1/applications/app_8Kd2c9Qm/results \
  -H "Authorization: Bearer $TOKEN" \
  -H "Idempotency-Key: res-evt_7Hn" \
  -d '{
    "type": "acme.kyb_check",
    "status": "pass",
    "event_id": "evt_7Hn",
    "data": { "score": 0.94, "directors_verified": 2, "pep": false }
  }'

Response 201 Created

json
{
  "id": "res_5Yh",
  "object": "result",
  "application_id": "app_8Kd2c9Qm",
  "type": "acme.kyb_check",
  "status": "pass",
  "created_at": "2026-06-29T10:00:09Z"
}

4 · Pass verified-vendor review

Before your listing is visible to lenders it goes through verified-vendor review. The badge tells partners your service meets the platform's security and reliability bar. Submit when your sandbox integration is complete; review typically takes a few business days.

Requirement
Signature verification on every delivery, constant-time, with key rotation supported.
Endpoint acknowledges within 10s and processes off-thread; handlers idempotent on event.id.
Results namespaced to your vendor slug and written with an Idempotency-Key.
Least-privilege OAuth scopes; secrets stored server-side; data-handling & UK data-residency declared.
A working sandbox demo, listing copy, support contact and SLA, and an incident runbook.

Build and prove the whole loop against the sandbox first — reviewers replay real events at your endpoint and check you ack fast, verify signatures and write a clean result. Reach the bar there and live approval is a formality. Questions? developers@credicorp.co.uk.