API reference

POST /public/v1/enquiries

POST /public/v1/enquiries records a public enquiry — the endpoint behind every contact form, department request and complaint intake on the Credicorp estate. It is unauthenticated, rate limited by IP, and returns 201 {id, status} on success. Consent is mandatory: the payload must carry fields.consent = "yes" or the request is rejected.


201: Created on success
consent: fields.consent must be "yes"
16 KiB: Max fields payload

What it does

This endpoint sits on the public /public/v1 ring — unauthenticated, anonymous and open to any caller. There is no API key and no OAuth token on this ring; the trust boundary is enforced by rate limiting, strict input validation and a server-fixed response shape rather than by a credential.

The enquiry endpoint accepts a completed public form and persists it as a new enquiry record with a server-fixed status of new. It then fans the enquiry out to the correct department inbox (for example [email protected] or [email protected]) on a best-effort basis. Mail dispatch is wrapped so that a mailer hiccup can never affect the recorded enquiry or the 201 you receive — the record is the source of truth, the email is a notification.

Request body

Send a JSON object with three top-level keys.

| Field | Type | Required | Notes |
|---|---|---|---|
| form | string | Yes | Forms-registry key. Lower-case slug, 1–64 chars, [a-z0-9_-] only. Identifies which form the submission came from. |
| dept | string | No | Routing hint. One of support, payments, hardship, complaints. Omitted enquiries route to the general inbox. |
| fields | object | Yes | Flat object of the form answers. Up to 60 keys, values must be string/int/float/bool only, and the encoded object must be ≤16 KiB. |

Two rules inside fields are enforced: if a fields.email value is present it must be a valid email address, and fields.consent must equal the string "yes". The consent gate is always required — it records that the visitor agreed to be contacted about their enquiry.
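
A pre-flight check for the request-body rules above, as an added example that is not Credicorp's own code. The problem labels are hypothetical (the page does not list the API's error codes), and the email pattern and the way the 16 KiB size is measured are assumptions.

```python
import json
import re

FORM_RE = re.compile(r"[a-z0-9_-]{1,64}")
DEPTS = {"support", "payments", "hardship", "complaints"}
# Assumption: the server's exact email rule is not documented; this is a loose shape check.
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
MAX_KEYS, MAX_BYTES = 60, 16 * 1024


def validate_enquiry(payload):
    """Return a list of hypothetical problem labels; an empty list means the payload passes."""
    if not isinstance(payload, dict):
        return ["payload_not_object"]
    problems = []
    form = payload.get("form")
    if not (isinstance(form, str) and FORM_RE.fullmatch(form)):
        problems.append("form_invalid")
    dept = payload.get("dept")
    if "dept" in payload and not (isinstance(dept, str) and dept in DEPTS):
        problems.append("dept_invalid")
    fields = payload.get("fields")
    if not isinstance(fields, dict):
        return problems + ["fields_missing"]
    if len(fields) > MAX_KEYS:
        problems.append("fields_too_many_keys")
    # Flat object: scalars only. None, lists and nested objects are rejected.
    if any(not isinstance(v, (str, int, float, bool)) for v in fields.values()):
        problems.append("fields_non_scalar")
    # Assumption: size is measured on compact JSON. Non-ASCII is escaped here,
    # which over-counts, so this check errs on the strict side.
    encoded = json.dumps(fields, separators=(",", ":"), default=str)
    if len(encoded) > MAX_BYTES:
        problems.append("fields_too_large")
    email = fields.get("email")
    if "email" in fields and not (isinstance(email, str) and EMAIL_RE.fullmatch(email)):
        problems.append("email_invalid")
    # Exact string comparison: True, "Yes" and " yes" all fail the consent gate.
    if fields.get("consent") != "yes":
        problems.append("consent_missing")
    return problems


# Constructed sample payload (values are illustrative, not taken from the page).
SAMPLE = {"form": "contact-us", "dept": "support",
          "fields": {"name": "Jordan Ellis", "email": "jordan@example.com", "consent": "yes"}}

if __name__ == "__main__":
    print(validate_enquiry(SAMPLE) or "ok")
```
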

Example request

curl -sS -X POST \
  https://hub.credicorp.co.uk/public/v1/enquiries \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{"form":"contact-us","dept":"support","fields":{"name":"Jordan Ellis","email":"[email protected]","company":"Example Trading Ltd","message":"Please call me about a working-capital facility.","consent":"yes"}}'

Success response

A valid submission returns 201 Created with the new enquiry id and its server-set status.

{
  "id": "enq_9F3K2P",
  "status": "new"
}

The status is always new on creation — it is fixed by the server and cannot be set by the caller. Treat the id as an opaque reference you can quote in follow-up support.

Errors

Validation failures return 422 Unprocessable Entity with a machine-readable code — a missing form, an oversized fields object, a bad email, or a missing consent flag each map to their own code. Malformed JSON returns 400. Exceeding the IP window returns 429.

The public ring is rate limited to 60 requests per 60 seconds per IP as a fixed window. When you exceed it the API returns 429 Too Many Requests with a Retry-After header giving the number of seconds until the window resets. See Rate limits and 429 for the retry pattern, and Errors and status codes for the envelope.

Frequently asked questions

Do I need an API key to call this endpoint?

No. /public/v1/enquiries is on the unauthenticated public ring. It is protected by rate limiting, input validation and a mandatory consent flag rather than by a credential. See Authentication on the public ring.

What happens if my consent field is missing?

The request is rejected with a 422. fields.consent must equal the string "yes" on every submission — it is the record that the person agreed to be contacted, and there is no way to bypass it.

Is the confirmation email guaranteed?

No, and that is deliberate. The enquiry record and the 201 are the guarantee; the department email is best-effort and wrapped so a mail failure never blocks the record. If you need delivery certainty, poll your own systems rather than relying on the notification email.
