Quickstart: call the public API from the browser safely

The public ring sends permissive CORS headers for read endpoints, so you can call it straight from the browser. That is perfect for a client-side product picker or calculator — but partner keys and any write that matters belong on your server, never in code the user can view.

CORS: Public reads allowed
No keys: Never ship secrets to the browser
Reads: Catalogue, pricing, quotes

Fetch from the page

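// Runs safely in the browser — read-only, no secrets
// (top-level await: load this from a <script type="module">)
const res = await fetch('https://api.credicorp.co.uk/public/v1/products');
// fetch() only rejects on network failure, so check the HTTP status explicitly
if (!res.ok) throw new Error(`Products request failed: HTTP ${res.status}`);
const { data } = await res.json();
renderProductPicker(data); // your own rendering function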

Because these endpoints need no auth, there is nothing secret to leak. Product data, pricing and quotes are all safe to fetch client-side.

The line you must not cross

The partner ring uses OAuth2 client secrets. If a secret reaches the browser it is compromised the moment the page loads. Proxy any authenticated call through your own backend and keep credentials server-side. This is the single most important rule when moving from public reads to partner writes.

Frequently asked questions

Will CORS block me?

Not for public read endpoints — they send the headers a browser needs. If you see a CORS error, you are almost certainly calling an authenticated endpoint that isn't meant for the browser.

Can I submit an enquiry from the browser?

You can, but validate and rate-limit on your own backend and add an idempotency key. For anything with a secret, always go through your server.
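
The backend checks recommended in the answer above (validate, rate-limit, idempotency key), sketched as an added example that is not Credicorp's own code. The field names, limits, `clientId` and the `forward()` callback are hypothetical; `forward()` stands for your server-to-server submission.

```javascript
// Added example: framework-agnostic enquiry handler for YOUR backend.
// Assumed/hypothetical: field names, limits, clientId, and the forward() callback.
const WINDOW_MS = 60_000;  // rate-limit window
const MAX_PER_WINDOW = 5;  // requests allowed per client per window
const hits = new Map();    // clientId -> recent request timestamps
const seen = new Map();    // "clientId:key" -> promise of the stored response
// In-memory maps are per-process; use a shared store with expiry in production.

function validateEnquiry(body) {
  const bad = [];
  const { companyName, email, amountPence } = body ?? {};
  if (typeof companyName !== 'string' || !companyName.trim() || companyName.length > 200) bad.push('companyName');
  if (typeof email !== 'string' || email.length > 254 || !/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(email)) bad.push('email');
  if (!Number.isInteger(amountPence) || amountPence <= 0) bad.push('amountPence');
  return bad;
}

function rateLimited(clientId, now) {
  const recent = (hits.get(clientId) ?? []).filter((t) => now - t < WINDOW_MS);
  const over = recent.length >= MAX_PER_WINDOW;
  if (!over) recent.push(now);
  hits.set(clientId, recent);
  return over;
}

// forward(body, key) is your server-to-server submission; any credential it
// needs lives in server configuration and is never sent to the page.
async function handleEnquiry({ clientId, idempotencyKey, body }, forward, now = Date.now()) {
  if (rateLimited(clientId, now)) return { status: 429, error: 'too many requests' };
  if (typeof idempotencyKey !== 'string' || !/^[A-Za-z0-9_-]{16,64}$/.test(idempotencyKey)) {
    return { status: 400, error: 'bad idempotency key' };
  }
  const scoped = `${clientId}:${idempotencyKey}`; // one client cannot replay another's key
  // A retry with a known key gets the original answer; nothing is submitted twice.
  if (seen.has(scoped)) return seen.get(scoped);
  const fields = validateEnquiry(body);
  if (fields.length) return { status: 422, error: 'invalid fields', fields };
  const pending = Promise.resolve()
    .then(() => forward(body, idempotencyKey))
    .then((result) => ({ status: 201, result }))
    .catch(() => {
      seen.delete(scoped); // let the client retry after an upstream failure
      return { status: 502, error: 'upstream failure' };
    });
  seen.set(scoped, pending);
  return pending;
}
```

The browser generates the idempotency key once per enquiry and resends the same key on retry, so a double-click or a network retry cannot create two enquiries.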
