What "public ring" means
The Credicorp API is organised into rings by trust level. The /public/v1 ring is the outermost: anyone can call it, from any origin, with no API key and no OAuth token. That is by design — everything on this ring is either public information (products, tiers, published pages) or a submission that is safe to accept from the open internet under strict validation (an enquiry, a cookie-consent snapshot).
Inside the public ring sits the /internal/v1 ring, which requires an authenticated actor and carries the sensitive, per-customer operations. That ring is out of scope for a public integration; if you are reading these guides, the public ring is your surface.
What lives on the public ring
The full public surface is small and stable:
POST /public/v1/enquiries — submit a contact or department enquiry.
POST /public/v1/consent — record a cookie-consent snapshot.
GET /public/v1/loyalty/tiers — read the loyalty ladder.
GET /public/v1/cms/pages/{key} — read a published CMS page.
GET /public/v1/slice/billers — list Slice billers (flag-gated).
POST /public/v1/support/chat plus the widget assets.
/public/v1/mcp — the read-only MCP server.
How it is protected
Without a credential, the ring leans on three defences. Rate limiting caps each IP at 60 requests per 60 seconds. Input validation is strict — every field is bounded in type, length and count, and a request that does not fit is rejected with a 422. And server-fixed response shapes mean a caller can never set privileged fields: an enquiry’s status is fixed to new, a biller response never contains bank fields, and so on.
What it never does
The public ring never authenticates a person, never returns per-customer PII, never makes a credit decision, and never moves money. Applications, offers, payments and account data all live behind authentication on the internal ring. If an integration needs any of those, it is not a public-ring integration — it is a partner or authenticated one, and belongs in the partner API reference.
Frequently asked questions
Do I need any credential to use the public ring?
No. There is no API key and no OAuth token on /public/v1. Protection comes from rate limiting, validation and fixed response shapes. If you need authenticated, per-customer data you are looking at the internal or partner surface instead.
Can I take a payment through the public ring?
No. Money movement, applications and credit decisions never appear on the public ring. It is strictly public reads plus a couple of safe submissions.
Where do the authenticated endpoints live?
On the internal ring (/internal/v1), which requires an authenticated actor, and — for partners — behind the partner API. See the partner API reference.
