Reference

POST /public/v1/enquiries

The public lead-intake endpoint: record one accepted enquiry, lead or complaint. Unauthenticated by design (anonymous leads are the point), fail-open, with its own anti-abuse.

2 min read

POSTHTTP method
NoneAuth
publicRing

Endpoint

MethodPOST
Path/public/v1/enquiries
Ringpublic (unauthenticated write)

Parameters

A JSON body describing the enquiry — contact details, message and the consent captured on the form. The exact fields mirror the marketing and help-centre request forms; a valid consent capture is required.

Response

A JSON acknowledgement that the enquiry was recorded (into the enquiries table). The endpoint is fail-open: it never blocks the visitor on a storage failure, and it returns no stored data back to the caller. The heavyweight anti-abuse stack — honeypot, time-trap, CSRF and edge cap — runs in the calling site's lead controller before anything reaches this endpoint; the handler adds its own per-IP rate limit, strict validation and consent requirement.

Errors

A 422 for missing required fields or missing consent. A 429 on rate-limit. The surface is intentionally forgiving on storage errors (fail-open) so a transient fault does not lose the visitor.

Frequently asked questions

Is this endpoint authenticated?

No — anonymous lead intake is the point. It is unauthenticated by design but carries its own per-IP rate limit, strict validation and a consent requirement, and the calling site runs honeypot/time-trap/CSRF checks before submitting.

Can I read enquiries back through this endpoint?

No. It is write-only from the public ring — it records a lead and acknowledges it, but never returns stored enquiries. Reading enquiries is a staff/internal capability, not a public one.

Funding for UK limited companies

Credicorp lends to your company, not to you personally — short-term working capital with no personal guarantee. See what your business could access.