SDKs overview
Typed, batteries-included clients that wrap partner/v1. They take care of authentication, token caching, idempotency, retries with back-off and webhook verification — so the only code you write is the part unique to your integration.
Official libraries
Three first-party clients are published and supported by Credicorp. Each tracks the same API ring and exposes the same resources, so concepts and method names carry across languages.
| Library | Package | Min. runtime | Source |
|---|---|---|---|
| PHP | credicorp/credicorp-php | PHP 8.1+ | github.com/credicorp/credicorp-php |
| Node.js | @credicorp/sdk | Node 18+ | github.com/credicorp/credicorp-node |
| Python | credicorp | Python 3.9+ | github.com/credicorp/credicorp-python |
What the SDKs handle for you
The clients are not thin HTTP wrappers. They implement the operational concerns that every robust integration needs, the same way across each language:
- Authentication & token caching. You provide one secret key; the client performs the OAuth 2.0 client-credentials exchange, caches the resulting access token in memory, and refreshes it a little before expiry. You never touch
/oauth/tokendirectly. See OAuth 2.0. - Sandbox vs live routing. The environment is inferred from the key prefix —
sk_test_…hits the sandbox,sk_live_…hits production — so you cannot accidentally point test code at live money. - Idempotency. Every write call (
create,capture,withdraw) is sent with anIdempotency-Key. One is generated for you if you do not supply your own, making retries safe by construction. See Idempotency. - Retries with back-off. Transient
429and5xxresponses are retried automatically with exponential back-off and full jitter, honouringRetry-After. See Rate limits. - Pagination. List endpoints return lazy iterators that follow the cursor for you, so you can loop over every application or payment without managing
has_moreby hand. See Pagination. - Webhook verification. A one-line helper validates the
Credicorp-Signatureheader and parses the event into a typed object, rejecting forged or replayed deliveries. See Webhooks. - Typed models & errors. Applications, decisions, payments and accounts are real types, and API errors are raised as typed exceptions you can catch by class.
Auth, idempotency keys, token caching and retries are on by default. Reach for raw HTTP only when you need a capability the SDK does not yet expose.
The same call, three languages
Creating an application is identical in shape everywhere — build the body, call applications.create(), read back the handoff_url you redirect the applicant to.
use Credicorp\Credicorp; $cc = new Credicorp(getenv('CC_SECRET_KEY')); $app = $cc->applications->create([ 'business' => ['company_number' => '16093826'], 'amount_pence' => 2500000, 'term_months' => 12, ]); echo $app->handoff_url;
import { Credicorp } from '@credicorp/sdk'; const cc = new Credicorp(process.env.CC_SECRET_KEY); const app = await cc.applications.create({ business: { company_number: '16093826' }, amount_pence: 2500000, term_months: 12, }); console.log(app.handoff_url);
import os from credicorp import Credicorp cc = Credicorp(os.environ["CC_SECRET_KEY"]) app = cc.applications.create( business={"company_number": "16093826"}, amount_pence=2500000, term_months=12, ) print(app.handoff_url)
Configuration & environments
Configure every client the same way: provide a single secret key, ideally read from the environment, and let the library do the rest. Because the environment is inferred from the key prefix, the identical build artefact runs in test and in production with no code change — you only swap the key.
| Key prefix | Environment | Base URL |
|---|---|---|
sk_test_… | Sandbox | api.credicorp.co.uk/partner/v1 |
sk_live_… | Live | api.credicorp.co.uk/partner/v1 |
Beyond the key, each client accepts a small set of options — request timeout and a max_retries ceiling for the automatic back-off. Sensible defaults are baked in, so most integrations pass nothing but the key. Token acquisition is lazy: the OAuth client-credentials exchange happens on the first API call and the resulting access token is cached and refreshed transparently, so you never serialise a token or schedule a refresh job yourself.
A secret key is a bearer credential. Keep it server-side, load it from the environment or a secrets manager, and never ship it to a browser, mobile binary, or public repository. Rotate immediately from the dashboard if one leaks.
Versioning & support policy
SDKs follow semantic versioning and track the partner/v1 ring. The rules are deliberately boring so upgrades are predictable:
| Change | Bump | What it means |
|---|---|---|
| Backwards-compatible additions | minor | New endpoints, optional fields, new helpers. Safe to upgrade. |
| Bug fixes | patch | No API surface change. Always safe. |
| Breaking changes | major | Renamed or removed methods. Announced in advance. |
- New API fields are additive and ship in minor releases — pin a version range and upgrade on your own schedule.
- Breaking changes land only on a new major version and are announced first in the changelog.
- The current major of each SDK receives security and compatibility fixes for at least 12 months after the next major ships.
No SDK for your stack? The API is plain REST + JSON — the quickstart works with raw curl in any language, and every SDK method maps 1:1 to an endpoint in the API reference.
