{ "openapi": "3.1.0", "info": { "title": "Credicorp public API", "version": "1.0.0", "description": "API surface exposed by the Credicorp marketing site. Unauthenticated routes: the KB-bounded public \"Credi\" assistant (/api/credi/public), a health probe (/healthz) and a read-only public MCP transport (/mcp). Client-authenticated routes (OAuth 2.0 client_credentials, tokens from /oauth/token): the read-only partner MCP transport (/partner/mcp) and token introspection (/oauth/introspect). All MCP and OAuth routes are reverse-proxied to the Credicorp hub.", "contact": { "name": "Credicorp Limited", "url": "https://credicorp.co.uk/contact/" } }, "servers": [ { "url": "https://credicorp.co.uk" } ], "paths": { "/api/credi/public": { "post": { "operationId": "askCredi", "summary": "Ask the public Credi assistant a general question about Credicorp business lending.", "description": "KB-bounded assistant. Answers general questions about products, eligibility and costs. It cannot see or act on any account; account-specific questions return a sign-in handoff rather than an answer. CSRF-protected: the request must carry the cc_csrf double-submit cookie together with a matching token, and requests without a matching pair are rejected with 403. Rate-limited per the 429 response.", "requestBody": { "required": true, "content": { "application/json": { "schema": { "type": "object", "required": [ "message" ], "properties": { "message": { "type": "string", "maxLength": 500, "description": "The visitor question (max 500 characters); empty or over-length messages are rejected with 422." } } } } } }, "responses": { "200": { "description": "An answer (or a sign-in handoff for account-specific questions).", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/CrediAnswer" } } } }, "403": { "description": "Invalid or missing CSRF token (cc_csrf cookie and token absent or not matching)." }, "422": { "description": "Empty message or message longer than 500 characters." }, "429": { "description": "Rate limit exceeded \u2014 try again shortly." 
} } } }, "/healthz": { "get": { "operationId": "health", "summary": "Liveness/readiness probe for the marketing app.", "responses": { "200": { "description": "The app is up. The body carries only the status string shown in the schema (no version or dependency detail).", "content": { "application/json": { "schema": { "type": "object", "properties": { "status": { "type": "string", "example": "ok" } } } } } } } } }, "/mcp": { "post": { "operationId": "mcpRpc", "summary": "Public MCP (Model Context Protocol) transport \u2014 JSON-RPC 2.0 over HTTP.", "description": "Unauthenticated, read-only MCP server (initialize, tools/list, tools/call). The request body is a JSON-RPC 2.0 request object; it is not modelled in this document. Because this tier requires no credentials, anything reachable through tools/call here is effectively public data; account- and customer-level reads belong to the authenticated /partner/mcp tier. Reverse-proxied to the Credicorp hub public MCP ring. See https://credicorp.co.uk/.well-known/mcp/server-card.json for the capability surface.", "responses": { "200": { "description": "JSON-RPC 2.0 response from the MCP server." } } }, "get": { "operationId": "mcpServerCardProbe", "summary": "MCP server-card probe.", "responses": { "200": { "description": "MCP server identity / capability probe." } } } }, "/partner/mcp": { "post": { "operationId": "partnerMcpRpc", "summary": "Authenticated, read-only MCP transport (OAuth 2.0 bearer token required).", "description": "Staff/owner read-only MCP tier. Requires a client_credentials bearer token from https://credicorp.co.uk/oauth/token, presented as an Authorization: Bearer header; requests without a valid token receive 401. The scope described for this tier in components.securitySchemes is mcp:read, but the security requirement on this operation lists no scope, so the scope check is not expressed in this document \u2014 confirm which scope the hub actually enforces. Reverse-proxied to the hub partner MCP. See https://credicorp.co.uk/.well-known/oauth-protected-resource.", "security": [ { "oauth2ClientCredentials": [] } ], "responses": { "200": { "description": "JSON-RPC 2.0 response from the authenticated MCP server." }, "401": { "description": "Missing or invalid bearer token." } } }, "get": { "operationId": "partnerMcpProbe", "summary": "Authenticated MCP server-card probe.", "security": [ { "oauth2ClientCredentials": [] } ], "responses": { "200": { "description": "Authenticated MCP capability probe." 
} } } }, "/oauth/token": { "post": { "operationId": "oauthToken", "summary": "OAuth 2.0 token endpoint (client_credentials grant).", "description": "Exchange client_credentials (client authentication via client_secret_basic or client_secret_post) for a short-lived, read-only bearer access token. The token is presented to /partner/mcp as an Authorization: Bearer header (RFC 6750). Client secrets are credentials: keep them server-side and never embed them in browser or mobile code. Reverse-proxied to the hub OAuth plane.", "responses": { "200": { "description": "Access token response (RFC 6749)." }, "400": { "description": "Invalid request / grant." }, "401": { "description": "Invalid client authentication." } } } }, "/oauth/jwks": { "get": { "operationId": "oauthJwks", "summary": "JSON Web Key Set for verifying access tokens (RFC 7517).", "responses": { "200": { "description": "The public JWKS document used to verify access tokens issued by /oauth/token. Verifiers should select the key by kid and accept only the expected signing algorithm and issuer rather than trusting whatever the token header declares." } } } }, "/oauth/introspect": { "post": { "operationId": "oauthIntrospect", "summary": "OAuth 2.0 token introspection (RFC 7662).", "description": "Client-authenticated introspection of an access token: the caller authenticates as an OAuth client, and unauthenticated calls receive 401. Reverse-proxied to the hub.", "responses": { "200": { "description": "Introspection response (RFC 7662)." }, "401": { "description": "Invalid client authentication." } } } } }, "components": { "securitySchemes": { "oauth2ClientCredentials": { "type": "oauth2", "flows": { "clientCredentials": { "tokenUrl": "https://credicorp.co.uk/oauth/token", "scopes": { "mcp:read": "Read-only access to the authenticated MCP tools.", "applications:read": "Read application records.", "customers:read": "Read customer/loan summaries.", "loans:read": "Read loan records.", "ops:read": "Read ops-queue status.", "decisioning:read": "Read the decisioning explainer.", "metrics:read": "Read platform metrics.", "config:read": "Read platform config." } } } } }, "schemas": { "CrediAnswer": { "type": "object", "required": [ "ok" ], "properties": { "ok": { "type": "boolean" }, "answer": { "type": "string", "description": "The answer as an HTML fragment, sanitised server-side before it is returned. It is intended to be rendered as HTML, not re-escaped as plain text." }, "handoff": { "type": "boolean", "description": "Present and true when the user should sign in for account-specific help." 
}, "error": { "type": "string", "description": "Present on a non-ok response." } } } } } }