API reference

GET /public/v1/cms/pages/{key}

GET /public/v1/cms/pages/{key} reads a published CMS page by its stable key. It returns the sanitised, ready-to-render content block for a marketing or help page, so a headless front end can pull copy from the hub without a login. Only published content is exposed; drafts are never served here.

published: Drafts are never returned
sanitised: HTML is server-cleaned
{key}: Stable page identifier

What it does

This endpoint sits on the public /public/v1 ring — unauthenticated, anonymous and open to any caller. There is no API key and no OAuth token on this ring; the trust boundary is enforced by rate limiting, strict input validation and a server-fixed response shape rather than by a credential.

The CMS read endpoint serves one published page block identified by a stable {key} in the path. The HTML is sanitised on the server before it leaves the hub, so a consumer can render it directly. Because only published content is exposed, you can safely point a public front end at this endpoint without leaking work-in-progress.

Path parameter

| Field | Type | Required | Notes |
|-------|------|----------|-------|
| key | string (path) | Yes | The stable page key, e.g. responsible-lending. Lower-case slug. Unknown or unpublished keys return 404. |

Example request

curl -sS -X GET \
  https://hub.credicorp.co.uk/public/v1/cms/pages/responsible-lending \
  -H 'Accept: application/json'

Response

{
  "key": "responsible-lending",
  "title": "Responsible lending",
  "html": "\u2026sanitised page HTML\u2026",
  "updated": "2026-06-30T09:00:00Z"
}

A missing or unpublished key returns 404 Not Found with the standard error envelope.

Frequently asked questions

Can I read draft pages through this endpoint?

No. Only published pages are exposed on the public ring. An unpublished key returns 404 exactly as a non-existent key would, so drafts are indistinguishable from missing pages to an unauthenticated caller.

Is the HTML safe to inject into my page?

The content is sanitised server-side before it is returned, which removes disallowed markup. As always, apply your own framework’s escaping/injection rules at render time as defence in depth.

How should I cache CMS pages?

Published copy changes infrequently, so a short shared cache keyed on the page key and its updated timestamp works well. See Caching public-API responses.
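
A consumer-side guard for this endpoint, as an added example that is not part of the hub's own code: it validates the key before it reaches the path, treats 404 as "no page", checks the response against the documented four-field shape, and derives a cache key from key and updated. The slug pattern, the 128-character limit and the function names are assumptions made for this example.

```javascript
// Added example: consumer-side guard for GET /public/v1/cms/pages/{key}.
const BASE = "https://hub.credicorp.co.uk/public/v1/cms/pages/";
// Assumption: the page only says "lower-case slug"; this pattern is one reading of that.
const SLUG = /^[a-z0-9]+(?:-[a-z0-9]+)*$/;
const MAX_KEY_LENGTH = 128; // assumption, not a documented limit
const FIELDS = ["key", "title", "html", "updated"];

// Build the request URL, refusing anything that is not a plain slug
// (no "/", "..", "%" or upper case) so user input cannot alter the path.
function pageUrl(key) {
  if (typeof key !== "string" || key.length > MAX_KEY_LENGTH || !SLUG.test(key)) {
    throw new TypeError("invalid page key");
  }
  return BASE + key;
}

// Check a response against the documented shape. Returns null for 404
// (missing and unpublished keys look the same) and throws on anything else unexpected.
function parsePage(status, bodyText, requestedKey) {
  if (status === 404) return null;
  if (status !== 200) throw new Error("unexpected status " + status);
  const body = JSON.parse(bodyText);
  for (const f of FIELDS) {
    if (typeof body[f] !== "string") throw new Error("bad field: " + f);
  }
  if (body.key !== requestedKey) throw new Error("key mismatch");
  if (Number.isNaN(Date.parse(body.updated))) throw new Error("bad updated timestamp");
  // Copy only the documented fields so extras never reach the renderer.
  const page = {};
  for (const f of FIELDS) page[f] = body[f];
  return page;
}

// Cache entry name built from the page key and its updated timestamp.
function cacheKey(page) {
  return page.key + "@" + page.updated;
}

// Thin network wrapper; fetchImpl is injectable so the logic can be tested offline.
async function fetchPage(key, fetchImpl = fetch) {
  const res = await fetchImpl(pageUrl(key), { headers: { Accept: "application/json" } });
  return parsePage(res.status, await res.text(), key);
}
```

The returned html still goes through your framework's own injection rules at render time; this guard only checks the envelope around it.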
