Get Started

Credit Pull Engine API

An HTTP API that turns a consumer's identity into a normalized credit report. One POST request, structured JSON, and ready-to-share PDF / JSON / HTML reports — no SDK to install.

Overview

The Credit Pull Engine (CPE) API turns a consumer's identity into a normalized credit report. A single POST to /pull (or /phone for SMS-authorized pulls) routes the request through CPE's data network, normalizes the response into the CPE Credit Report schema, optionally attaches the proprietary CPE Score Forecast, persists report files, and returns structured JSON together with shareable PDF, JSON, and HTML report URLs.

CPE is a plain HTTP API — anything that can speak application/x-www-form-urlencoded POSTs (curl, Postman, any language's HTTP library) can integrate.

About the API

TraitValue
ArchitectureRESTful HTTP, JSON responses
AuthAPI key (apikey form field or query string)
Request encodingapplication/x-www-form-urlencoded
Response encodingapplication/json (JSONP optional via ?callback=)
Data sourcingProprietary aggregation from multiple consumer-credit sources
Phone identityProprietary phone-identity lookup
SMSProprietary SMS authorization channel
VersioningPath-based; current contract is v1 (implicit, no /v1/ prefix)

Who It's For

  • Lenders, debt agencies, mortgage brokers, tenant-screening companies — anyone with an FCRA permissible purpose who needs structured consumer credit data.
  • Software platforms / SaaS embedding credit pulls in their workflows (CRM, loan origination, BNPL underwriting, debt-settlement tools).
  • AI agent builders (via the CPE MCP server — see AI Agents) who want to give Claude Code, Cursor, the Anthropic Agent SDK, or any MCP-capable client the ability to pull a credit report without exposing PII to the model.

Sign Up for the Sandbox

  1. Request sandbox access at sandbox.creditpullengine.com (or contact your CPE account manager).
  2. You receive:
    • A sandbox API key (format XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX, dash-separated hex).
    • An organization ID (orgid) provisioned in the sandbox environment.
  3. The sandbox routes through test-mode upstream data sources — no live consumer data is ever touched, so you can integrate freely without billable or reportable activity.
  4. Once integration is green, your account manager promotes the org to production (api.creditpullengine.com).

API key safety. The key authenticates and incurs cost — treat it as a secret. Every example in these docs uses YOUR_API_KEY as a placeholder. Never commit a real key to source control or expose it in browser-side code.

Quickstart

Send a POST to /pull with the applicant's identity fields. The example on the right pulls a report and returns the normalized result — swap YOUR_API_KEY for the key issued to your organization.

A successful pull returns "status": "completed", the normalized credit data, and a files block with links to the PDF, JSON, and HTML versions of the report. See Response Schema for every field.

Authentication

Every request is authenticated by an API key, sent as either:

  • A form field on POST requests: -d apikey=YOUR_API_KEY, or
  • A query-string parameter: ?apikey=YOUR_API_KEY

There is no separate Authorization header on the public API. The key resolves to your organization and the upstream credentials, entitlements, and configuration CPE uses on your behalf.

Key stateHTTP behavior
ValidRequest proceeds; an audit row is recorded server-side.
Missing or unknownResponse: {"code":"401","msg":"Unauthorized: Api Invalid"}; the rejected request is also audited.

An optional second-layer header is available for hardened deployments — your CPE account manager will provide it if your integration requires it.

Environments & Base URLs

EnvironmentBase URLMode
Sandbox examples use this https://sandbox.creditpullengine.com Test data, non-billable, safe for integration
Production https://api.creditpullengine.com Live data, billable, FCRA-compliant pulls

A plain GET on the base URL is a health check that returns {"code":200,"message":"hello word."}.

Request & Response Format

Requests

All endpoints accept POST with Content-Type: application/x-www-form-urlencoded. Parameters are sent as form fields, not JSON — this matches what curl -d sends by default.

Responses

Always JSON, in one of two shapes:

  • Success — carries "status": "completed" plus the normalized report.
  • Error — carries code + error/msg and, where relevant, a message array.

JSONP

Pass ?callback=myFn to wrap the JSON in a JavaScript function call for legacy browser integrations.

Errors at a Glance

HTTP codeWhen
200Request succeeded. Look at the JSON body's status (success) or code (error envelope wrapped in 200).
401Missing/invalid apikey. Body: {"code":"401","msg":"Unauthorized: Api Invalid"}.
402Missing or invalid parameters — see the message array for the per-field reason.
403Phone-flow authorization errors (/phone): bad token, expired, wrong code.
404Report not found (on /getreport/* and /getprofile/*).
500Server-side failure. CPE logs and monitors these; retry the request, and contact support if it persists.

See API Reference → Error Responses for the canonical list of error shapes.

Support

  • Sandbox onboarding & key issuance: contact your CPE account manager.
  • API contract bug reports: open a ticket via the developer portal at sandbox.creditpullengine.com.
  • Upstream-data issues (no-hit, match-quality failures, security freezes): these originate at the underlying data source. The CPE response surfaces a normalized reportStatus.code so you can act on it consistently regardless of source. See Glossary → Hit Response Codes.