Fetch from the page
// Runs safely in the browser — read-only, no secrets
const res = await fetch('https://api.credicorp.co.uk/public/v1/products');
const { data } = await res.json();
renderProductPicker(data);

Because these endpoints need no auth, there is nothing secret to leak. Product data, pricing and quotes are all safe to fetch client-side.
The line you must not cross
The partner ring uses OAuth2 client secrets. If a secret reaches the browser it is compromised the moment the page loads. Proxy any authenticated call through your own backend and keep credentials server-side. This is the single most important rule when moving from public reads to partner writes.
Frequently asked questions
Will CORS block me?
Not for public read endpoints — they send the headers a browser needs. If you see a CORS error, you are almost certainly calling an authenticated endpoint that isn't meant for the browser.
Can I submit an enquiry from the browser?
You can, but validate and rate-limit on your own backend and add an idempotency key. For anything with a secret, always go through your server.
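The backend gate described under "The line you must not cross" and in the enquiry answer above, as an added example that is not Credicorp's own code. The partner URL, the Idempotency-Key header name, the field names and the limits are assumptions; the browser is assumed to generate one UUID per submission and send it as idempotencyKey.

```javascript
// Added example: server-side gate for enquiries submitted from the browser.
// ASSUMPTIONS (not from the Credicorp docs): the partner URL, the
// "Idempotency-Key" header name, the field names and the limits below.
const PARTNER_ENQUIRY_URL = 'https://partner-api.example.invalid/v1/enquiries';
const WINDOW_MS = 60_000;  // rate-limit window
const MAX_PER_WINDOW = 5;  // enquiries per client IP per window
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

// clientIp -> timestamps in the window (in-memory; use a shared store in production)
const hits = new Map();

function allow(clientIp, now) {
  const recent = (hits.get(clientIp) || []).filter((t) => now - t < WINDOW_MS);
  const ok = recent.length < MAX_PER_WINDOW;
  if (ok) recent.push(now);
  hits.set(clientIp, recent);
  return ok;
}

// Returns the names of the fields that failed validation.
function validate(body) {
  if (!body || typeof body !== 'object') return ['body'];
  const bad = [];
  if (typeof body.productId !== 'string' || !/^[\w-]{1,64}$/.test(body.productId)) bad.push('productId');
  if (typeof body.email !== 'string' || !/^[^\s@]{1,64}@[^\s@]{1,255}$/.test(body.email)) bad.push('email');
  if (!Number.isInteger(body.amountPence) || body.amountPence <= 0) bad.push('amountPence');
  if (typeof body.idempotencyKey !== 'string' || !UUID_RE.test(body.idempotencyKey)) bad.push('idempotencyKey');
  return bad;
}

// Returns a rejection or the upstream request; accessToken is obtained server-side.
function prepareEnquiry(body, clientIp, accessToken, now = Date.now()) {
  if (!allow(clientIp, now)) return { status: 429, error: 'rate_limited' };
  const fields = validate(body);
  if (fields.length) return { status: 400, error: 'invalid_fields', fields };
  const { idempotencyKey, productId, email, amountPence } = body; // allow-list
  return {
    status: 202,
    upstream: {
      url: PARTNER_ENQUIRY_URL,
      method: 'POST',
      headers: {
        Authorization: `Bearer ${accessToken}`,
        'Content-Type': 'application/json',
        'Idempotency-Key': idempotencyKey,
      },
      body: JSON.stringify({ productId, email, amountPence }),
    },
  };
}
```

Your route handler sends the result with fetch(upstream.url, upstream) and returns only the outcome to the page, so the token and any secret used to obtain it never leave the server.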