Why no credential
Authentication exists to prove who is calling so the server can decide what they may see. On the public ring there is no per-caller data to gate: the loyalty ladder, product list and published pages are the same for everyone, and an enquiry or consent snapshot is safe to accept from anyone. A credential would add friction and a secret to leak while protecting nothing — so the ring has none.
What replaces it
Three mechanisms do the job a credential would otherwise do:
- Rate limiting — 60 requests per 60 seconds per IP stops one caller monopolising the ring. This is a throttle, not an access control: many callers behind one NAT share a budget, and a distributed caller gets many, so the other two mechanisms carry the real weight.
- Validation — every input is bounded (type, length, key count, byte size) and mandatory gates like fields.consent = "yes" are enforced server-side.
- Fixed response shapes — the server sets privileged fields itself, so a caller can never smuggle in a status, a bank detail or an internal id.
The PII boundary
The single most important rule of the public ring: no per-customer PII crosses it. The loyalty endpoint returns vocabulary, not a customer’s tier. The billers endpoint returns public-safe fields, never bank details. Anything that would identify a specific person or expose their account is served only behind authentication on the internal ring.
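The three mechanisms above and the PII boundary, as an added example (this is illustrative code, not the ring's own implementation): a sliding-window per-IP limiter at 60 requests per 60 seconds, a strict allow-list validator for an enquiry submission that bounds byte size, key count, type and length and enforces fields.consent = "yes", a handler whose stored record and response have a fixed shape with the status and internal id set server-side, and an allow-list projection of a biller record. The enquiry schema, the size limits, the biller field names and the bank-detail fields in the sample record are all assumptions.

```python
"""Added example, not the page's own code. The enquiry schema, the limits
and the biller field names below are assumptions made for illustration."""
import json
import time
from collections import defaultdict, deque

RATE_LIMIT = 60          # requests ...
RATE_WINDOW = 60.0       # ... per 60 seconds, per client IP (from the page)
MAX_BODY_BYTES = 4096    # assumed cap on the raw request body
MAX_KEYS = 8             # assumed cap on keys inside "fields"
MAX_VALUE_LEN = 500      # assumed cap on the length of any string value
# Assumed enquiry schema: the only accepted keys and their required type.
ENQUIRY_SCHEMA = {"name": str, "email": str, "message": str, "consent": str}
ENQUIRY_REQUIRED = {"email", "consent"}


class RateLimiter:
    """Sliding window: at most `limit` requests per `window` seconds per IP."""

    def __init__(self, limit=RATE_LIMIT, window=RATE_WINDOW):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)   # ip -> timestamps of recent requests

    def allow(self, ip, now=None):
        now = time.monotonic() if now is None else now
        q = self._hits[ip]
        while q and now - q[0] >= self.window:   # forget hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class Rejected(ValueError):
    """A submission failed a gate; carries a short, static, non-sensitive reason."""


def validate_enquiry(raw_body):
    """Bound size, key count, type and length, then enforce the consent gate.
    Returns the cleaned fields dict or raises Rejected."""
    if len(raw_body) > MAX_BODY_BYTES:           # byte size, before parsing anything
        raise Rejected("body too large")
    try:
        body = json.loads(raw_body)
    except ValueError:
        raise Rejected("body is not JSON") from None
    fields = body.get("fields") if isinstance(body, dict) else None
    if not isinstance(fields, dict):
        raise Rejected("fields must be an object")
    if len(fields) > MAX_KEYS:                   # key count
        raise Rejected("too many fields")
    for key, value in fields.items():
        if key not in ENQUIRY_SCHEMA:            # strict allow-list: a caller-supplied
            raise Rejected("unknown field")      # "status" or "bank_account" is an error
        if not isinstance(value, ENQUIRY_SCHEMA[key]):   # type
            raise Rejected("field has the wrong type")
        if isinstance(value, str) and len(value) > MAX_VALUE_LEN:   # length
            raise Rejected("field too long")
    if ENQUIRY_REQUIRED - set(fields):
        raise Rejected("missing required field")
    if fields["consent"] != "yes":               # the mandatory gate, enforced server-side
        raise Rejected("consent is required")
    return fields


def handle_enquiry(limiter, ip, raw_body, new_id):
    """Public-ring handler. Returns (http_status, stored_record, response_body).
    Both the record and the response have a fixed shape; the privileged fields
    (status, internal id) are set here and never copied from the caller."""
    if not limiter.allow(ip):
        return 429, None, {"error": "rate limited"}
    try:
        fields = validate_enquiry(raw_body)
    except Rejected as exc:
        return 400, None, {"error": str(exc)}
    record = {"id": new_id(), "status": "received", "fields": fields}
    return 202, record, {"accepted": True}       # the internal id stays on the server


# PII boundary for the billers endpoint: an allow-list of public-safe fields.
# Field names are assumed; the point is that adding a column to the internal
# record can never widen what crosses the boundary.
BILLER_PUBLIC_FIELDS = ("id", "name", "category")


def public_biller(record):
    """Project an internal biller record to its public-safe fields only."""
    return {k: record[k] for k in BILLER_PUBLIC_FIELDS if k in record}
```

Note the two different styles of allow-list: the validator rejects an unknown inbound key outright rather than silently dropping it, so a caller learns immediately that "status" is not theirs to set; the biller projection silently omits everything outside the list, because an internal column such as a sort code must never surface even by mistake.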
When you DO need a credential
The moment your integration needs to act as a specific customer or partner — read an account, create an offer, move money — you have left the public ring. That is the partner/authenticated surface, which uses OAuth2 and request signing. See the partner API reference and the authentication docs there.
Frequently asked questions
Is it really safe to have no authentication?
Yes, because there is nothing to protect with a credential: every response is public information, and every accepted submission is strictly validated. Rate limiting and fixed shapes handle abuse; a hard PII boundary handles privacy.
How do I authenticate for account-level data?
You do not do it on the public ring — that data is not there. Account-level and money-moving operations require OAuth2 and request signing on the partner/internal surface. See the partner API reference.