
The public /public/v1 ring, explained

The /public/v1 ring is the unauthenticated, anonymous surface of the Credicorp API. It exposes exactly the things a website, widget or AI agent can safely read or submit without a login — product data, the loyalty ladder, published CMS copy, enquiry submission, cookie consent, the support widget and a read-only MCP server. It is protected by rate limiting and strict validation rather than by a credential, and it deliberately never touches money, accounts or credit decisions.


no auth: No key, no token
60 / 60 s: Per-IP rate limit
read/submit: Never moves money

What "public ring" means

The Credicorp API is organised into rings by trust level. The /public/v1 ring is the outermost: anyone can call it, from any origin, with no API key and no OAuth token. That is by design — everything on this ring is either public information (products, tiers, published pages) or a submission that is safe to accept from the open internet under strict validation (an enquiry, a cookie-consent snapshot).

Inside the public ring sits the /internal/v1 ring, which requires an authenticated actor and carries the sensitive, per-customer operations. That ring is out of scope for a public integration; if you are reading these guides, the public ring is your surface.

What lives on the public ring

The full public surface is small and stable:

How it is protected

Without a credential, the ring leans on three defences. Rate limiting caps each IP at 60 requests per 60 seconds. Input validation is strict — every field is bounded in type, length and count, and a request that does not fit is rejected with a 422. And server-fixed response shapes mean a caller can never set privileged fields: an enquiry’s status is fixed to new, a biller response never contains bank fields, and so on.
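
A minimal sketch of the three defences described above, added here as an illustration and not Credicorp's own code. The field names and bounds, the sliding-window algorithm, and the 201 and 429 status codes are assumptions; only the 60-per-60-seconds limit, the 422 and the fixed status of new come from the page.

```python
import time
from collections import defaultdict, deque

LIMIT, WINDOW = 60, 60.0          # from the page: 60 requests per 60 s per IP
# Assumed field bounds (the page says fields are bounded, not what the bounds are).
BOUNDS = {"name": 100, "email": 254, "message": 2000}

_hits = defaultdict(deque)        # ip -> timestamps of accepted requests


def allow(ip, now=None):
    """Sliding-window limiter: True if this IP is still under LIMIT in WINDOW."""
    now = time.monotonic() if now is None else now
    q = _hits[ip]
    while q and now - q[0] >= WINDOW:
        q.popleft()               # drop hits that have aged out of the window
    if len(q) >= LIMIT:
        return False
    q.append(now)
    return True


def validate(body):
    """Return a list of errors; an empty list means the body fits the schema."""
    if not isinstance(body, dict):
        return ["body must be an object"]
    # Unknown fields (for example a caller-supplied "status") are rejected outright.
    errors = [f"unknown field: {k}" for k in body if k not in BOUNDS]
    for field, max_len in BOUNDS.items():
        value = body.get(field)
        if not isinstance(value, str) or not value.strip():
            errors.append(f"{field}: required string")
        elif len(value) > max_len:
            errors.append(f"{field}: longer than {max_len}")
    return errors


def submit_enquiry(ip, body, now=None):
    """Return (http_status, response) for one anonymous enquiry submission."""
    if not allow(ip, now):
        return 429, {"error": "rate limit exceeded"}   # 429 is an assumed code
    errors = validate(body)
    if errors:
        return 422, {"errors": errors}                 # 422 is from the page
    # Response is built from an allow-list; status is set by the server only.
    return 201, {**{k: body[k] for k in BOUNDS}, "status": "new"}  # 201 assumed
```

Requests that fail validation still count against the caller's window here, so a client cannot probe the schema for free.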

What it never does

The public ring never authenticates a person, never returns per-customer PII, never makes a credit decision, and never moves money. Applications, offers, payments and account data all live behind authentication on the internal ring. If an integration needs any of those, it is not a public-ring integration — it is a partner or authenticated one, and belongs in the partner API reference.

Frequently asked questions

Do I need any credential to use the public ring?

No. There is no API key and no OAuth token on /public/v1. Protection comes from rate limiting, validation and fixed response shapes. If you need authenticated, per-customer data you are looking at the internal or partner surface instead.

Can I take a payment through the public ring?

No. Money movement, applications and credit decisions never appear on the public ring. It is strictly public reads plus a couple of safe submissions.

Where do the authenticated endpoints live?

On the internal ring (/internal/v1), which requires an authenticated actor, and — for partners — behind the partner API. See the partner API reference.
