Public API

The Credicorp public API, end to end

The /public/v1 ring is Credicorp's unauthenticated, read-mostly surface — product figures, quotes, the loyalty ladder, an MCP server and a lead-intake endpoint. No token, no customer data, safe to cache.

2 min read

No tokenFor the read endpoints
60 / 60sRequests per IP
JSON, UTF-8Response format

What the public ring is for

The public ring exposes the same published figures Credicorp uses on its own marketing estate — the product catalogue, representative quotes, pricing config and the loyalty tier ladder — over plain HTTP. Because everything it returns is already public, there is no authentication on the read endpoints and no customer data anywhere in the surface. It is the right layer for comparison sites, AI agents and anyone who wants to render an accurate Credicorp quote without holding a partner credential.

The base URL is https://hub.credicorp.co.uk/public/v1. Responses are application/json in UTF-8, and monetary amounts are labelled with their unit in the payload so you never have to guess pounds versus pence. A companion MCP server exposes the same product, pricing and quote data over JSON-RPC 2.0 for tool-callable clients.

Public ring versus partner ring

Do not confuse /public/v1 with /partner/v1. The public ring is unauthenticated and read-mostly; the partner ring is token-gated and is where you take applications, read decisions and move money. If a capability touches a customer, a decision or a payment, it lives on partner/v1 behind OAuth 2.0 client credentials. If it only returns published figures, it lives here.

Two public endpoints accept writes — POST /public/v1/enquiries (lead intake) and POST /public/v1/consent (PECR cookie consent) — but both are fail-open, carry their own anti-abuse checks, and never expose stored data back to the caller.

Rate limiting on the public ring

Every public endpoint is metered at 60 requests per 60 seconds per IP. Limits are evaluated at the edge before a request reaches application code, so a throttled call never touches decisioning or the rails. When you exceed the window you receive a 429; back off and retry. If you need higher, sustained throughput or write capabilities, you want a partner project, whose token-bucket quotas scale with your tier.

Frequently asked questions

Do I need an API key to call the public endpoints?

No. The read endpoints on /public/v1 are unauthenticated by design — they publish figures that are already public. You only need a credential for the token-gated partner/v1 API, which takes applications, reads decisions and moves money.

Is there a sandbox for the public ring?

No. The public ring only ever returns published, non-sensitive data, so there is nothing to sandbox. The sandbox environment applies to partner/v1. See sandbox and environments.

Funding for UK limited companies

Credicorp lends to your company, not to you personally — short-term working capital with no personal guarantee. See what your business could access.