Public API

Security model of the public ring

An unauthenticated ring can be secure — here is exactly how this one is. With no credential to lean on, the public ring stacks five defences: per-IP rate limiting, strict input validation, server-fixed response shapes, a hard no-PII boundary, and server-side HTML sanitisation. Together they let the platform accept traffic from the open internet safely.

2 min read

5 layersDefence in depth
no PIIHard boundary
sanitisedHTML cleaned

Rate limiting

60 requests per 60 seconds per IP caps abuse and keeps one caller from monopolising the ring. See rate limits.

Validation

Every input is bounded in type, length, key count and byte size, and mandatory gates like consent are enforced server-side. A bad request is a 422, not an action.

Fixed shapes

The server owns privileged fields. A caller cannot set an enquiry’s status or coax bank fields into a biller response — they are simply not settable.

PII boundary

No per-customer data crosses the ring, so there is nothing sensitive to leak even under a determined probe. See Privacy and PII.

Sanitisation

Served HTML (CMS pages) is sanitised before it leaves the hub, reducing injection risk; consumers should still escape at render time. See sanitisation.

Frequently asked questions

Is an unauthenticated API inherently insecure?

No. Security comes from controlling what can be read, written and abused. The public ring exposes only public data and safe submissions, and layers rate limiting, validation and a PII boundary on top.

What stops someone scraping the API?

The rate limit caps volume per IP, and there is no PII to scrape — responses are public vocabulary. Aggressive callers hit 429s.

Funding for UK limited companies

Credicorp lends to your company, not to you personally — short-term working capital with no personal guarantee. See what your business could access.