API reference

Register a webhook endpoint

A webhook endpoint is the HTTPS URL Credicorp POSTs events to. You register one per integration, choose which event types it subscribes to, and receive a signing secret used to verify every delivery. An endpoint must be HTTPS, must answer on the public internet, and must return a <code>2xx</code> to acknowledge receipt.

2 min read

HTTPS onlyEndpoint requirement
whsec_…Signing secret prefix
≤20 endpointsPer partner account

The endpoint object

An endpoint is described by this object. The secret is returned once at creation and never again — store it immediately.

{
  "id": "whend_3T8K1",
  "url": "https://api.your-app.example/credicorp/webhooks",
  "enabled_events": [
    "enquiry.created",
    "decision.completed",
    "payment.succeeded"
  ],
  "status": "enabled",
  "secret": "whsec_a1b2c3\u2026",
  "created": "2026-07-04T09:00:00Z"
}

Choosing events

Set enabled_events to the specific types you handle, or ["*"] to receive everything. Subscribing narrowly reduces traffic and keeps your handler simple. The full list is in the event catalogue.

Rotating the secret

Rotate the signing secret if it may have leaked. Rotation issues a new secret while keeping the old one valid for a 24-hour overlap, so in-flight deliveries never fail. Verify against both secrets during the window — see Rotate a webhook signing secret.

Limits

Up to 20 endpoints per partner account, each subscribing to any subset of events. An endpoint that returns non-2xx for 7 consecutive days is automatically disabled and must be re-enabled manually.

Frequently asked questions

Can I register an http:// (non-TLS) URL?

No. Endpoints must be HTTPS with a valid certificate. Webhook bodies carry event data, and the signature protects integrity but not confidentiality, so transport encryption is mandatory.

Where do I find my signing secret later?

You cannot retrieve it after creation — it is shown once. If you have lost it, rotate the secret to issue a new one.

What disables an endpoint automatically?

Seven consecutive days of failed deliveries. Re-enable it once your endpoint is healthy; queued events within the 72-hour retention are then delivered.

Funding for UK limited companies

Credicorp lends to your company, not to you personally — short-term working capital with no personal guarantee. See what your business could access.