2 min read
What lives on partner/v1
The partner ring is where the real integration work happens: submitting an application (POST /applications), reading the decision (GET /decisions/{id}), provisioning a payment link over PISP (POST /payments/links) and running a KYC/AML identity check (POST /identity/checks). Each of these touches a customer, a decision or the rails, which is exactly why the ring is authenticated. Money-out remains Credicorp's single manual gate regardless of tier — the API can request a disbursement, but the release stays governed.
Authentication
Every partner call carries a bearer access token minted at POST /partner/v1/oauth/token with the OAuth 2.0 client-credentials grant. Tokens are short-lived JWTs you can verify against the JWKS, and the ring advertises its metadata at the standard discovery document. Scope your credential to only the capabilities you use.
Rate limits by tier
Partner traffic is metered with a token bucket scoped to your project, not to an individual key. Sandbox and live projects have independent buckets. The default ceilings on the live ring:
| Tier | Sustained | Burst | Concurrent |
|---|---|---|---|
| build (sandbox) | 10 req/s | 50 | 10 |
| launch | 25 req/s | 100 | 20 |
| scale | 100 req/s | 400 | 50 |
Some endpoints carry their own tighter sub-limit — see rate limiting explained.
Frequently asked questions
How do I get partner access?
Apply through the partner programme. You are issued a sandbox project first (build tier), and move to a live project once your integration is verified. Each project gets its own OAuth client and its own rate-limit bucket.
Are sandbox and live quotas shared?
No. Sandbox and live projects have independent token buckets, so load-testing against the sandbox never eats into your production allowance. Sandbox is fixed at the build tier regardless of your live tier.
Related reading

The Credicorp public API, end to end
The /public/v1 ring is Credicorp's unauthenticated, read-mostly surface — product figures, quotes, the…
Read →
OAuth 2.0 client credentials for partner/v1
Partner API calls authenticate with the OAuth 2.0 client-credentials grant. You exchange a client ID and…
Read →
Rate limiting across both rings
The public ring is metered at 60 requests per 60 seconds per IP. The partner ring uses a token bucket scoped…
Read →Funding for UK limited companies
Credicorp lends to your company, not to you personally — short-term working capital with no personal guarantee. See what your business could access.