Public API

Webhooks explained

A webhook is an HTTP callback Credicorp sends to your server when something happens — an enquiry is received, a decision is reached, a payment settles. Instead of polling the API on a timer, you register one HTTPS endpoint and we push a signed JSON event to it as events occur. Delivery is at-least-once, every request carries an HMAC-SHA256 signature, and failed deliveries are retried on exponential backoff for up to 72 hours.

2 min read

HTTPS POSTHow events arrive
At-least-onceDelivery guarantee
HMAC-SHA256Signature algorithm

Why webhooks

Polling wastes both sides’ resources and adds latency: you either poll too often (and hit the rate limit) or too rarely (and learn about a decision minutes late). A webhook inverts the flow. You tell Credicorp where to reach you once, and we deliver each event within seconds of it happening.

Webhooks are delivered from the Credicorp platform to your HTTPS endpoint. Unlike the read-only /public/v1 ring, a webhook is an outbound push: Credicorp is the client and your server is the origin. Every request is signed so you can prove it came from us — see Webhook signature verification.

The event shape

Every webhook body is a JSON event envelope with a stable outer shape and a typed data payload. The envelope is identical across all event types, so one handler can route on type.

{
  "id": "evt_7Q2M9X",
  "type": "enquiry.created",
  "created": "2026-07-04T09:15:22Z",
  "livemode": true,
  "api_version": "2026-07-01",
  "data": {
    "object": {
      "id": "enq_9F3K2P",
      "form": "contact-us",
      "dept": "support",
      "status": "new"
    }
  }
}

See the event envelope reference for every field, and the event catalogue for the full list of type values.

What you must do

  1. Register an endpoint — a public HTTPS URL. See Register a webhook endpoint.
  2. Verify the signature on every request before trusting the body. See signature verification.
  3. Return 2xx fast — acknowledge receipt, then do the real work asynchronously. See delivery and retries.
  4. Be idempotent — the same event may arrive more than once. See idempotency.

Frequently asked questions

Are webhooks part of the public /public/v1 ring?

Registration is a partner-plane action, but the concept mirrors the public ring: signed, versioned, at-least-once. The read APIs on the public ring are pull; webhooks are push.

How quickly are events delivered?

The first delivery attempt is made within a few seconds of the event occurring. If your endpoint is slow or down, the event is retried on backoff for up to 72 hours.

Can I use webhooks without writing a server?

No — a webhook needs a reachable HTTPS endpoint to receive the POST. If you cannot host one, poll the relevant read endpoint on the public ring instead.

Funding for UK limited companies

Credicorp lends to your company, not to you personally — short-term working capital with no personal guarantee. See what your business could access.