Credit Pull Engine API
An HTTP API that turns a consumer's identity into a normalized credit
report. One POST request, structured JSON, and
ready-to-share PDF / JSON / HTML reports — no
SDK to install.
Overview
The Credit Pull Engine (CPE) API turns a consumer's
identity into a normalized credit report. A single POST
to /pull (or /phone for SMS-authorized
pulls) routes the request through CPE's data network, normalizes the
response into the CPE Credit Report schema, optionally attaches the
proprietary CPE Score Forecast, persists report
files, and returns structured JSON together with shareable PDF, JSON,
and HTML report URLs.
CPE is a plain HTTP API — anything that can
speak application/x-www-form-urlencoded POSTs (curl,
Postman, any language's HTTP library) can integrate.
About the API
| Trait | Value |
|---|---|
| Architecture | RESTful HTTP, JSON responses |
| Auth | API key (apikey form field or query string) |
| Request encoding | application/x-www-form-urlencoded |
| Response encoding | application/json (JSONP optional via ?callback=) |
| Data sourcing | Proprietary aggregation from multiple consumer-credit sources |
| Phone identity | Proprietary phone-identity lookup |
| SMS | Proprietary SMS authorization channel |
| Versioning | Path-based; current contract is v1 (implicit, no /v1/ prefix) |
Who It's For
- Lenders, debt agencies, mortgage brokers, tenant-screening companies — anyone with an FCRA permissible purpose who needs structured consumer credit data.
- Software platforms / SaaS embedding credit pulls in their workflows (CRM, loan origination, BNPL underwriting, debt-settlement tools).
- AI agent builders (via the CPE MCP server — see AI Agents) who want to give Claude Code, Cursor, the Anthropic Agent SDK, or any MCP-capable client the ability to pull a credit report without exposing PII to the model.
Sign Up for the Sandbox
- Request sandbox access at
sandbox.creditpullengine.com(or contact your CPE account manager). - You receive:
- A sandbox API key (format
XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX, dash-separated hex). - An organization ID (
orgid) provisioned in the sandbox environment.
- A sandbox API key (format
- The sandbox routes through test-mode upstream data sources — no live consumer data is ever touched, so you can integrate freely without billable or reportable activity.
- Once integration is green, your account manager promotes the org to production (
api.creditpullengine.com).
API key safety. The key authenticates and
incurs cost — treat it as a secret. Every example in these docs
uses YOUR_API_KEY as a placeholder. Never commit a real
key to source control or expose it in browser-side code.
Quickstart
Send a POST to /pull with the applicant's
identity fields. The example on the right pulls a report and returns
the normalized result — swap YOUR_API_KEY for the
key issued to your organization.
A successful pull returns "status": "completed", the
normalized credit data, and a files block with links to
the PDF, JSON, and HTML versions of the report. See
Response Schema for
every field.
Authentication
Every request is authenticated by an API key, sent as either:
- A form field on
POSTrequests:-d apikey=YOUR_API_KEY, or - A query-string parameter:
?apikey=YOUR_API_KEY
There is no separate Authorization header on the public
API. The key resolves to your organization and the upstream
credentials, entitlements, and configuration CPE uses on your behalf.
| Key state | HTTP behavior |
|---|---|
| Valid | Request proceeds; an audit row is recorded server-side. |
| Missing or unknown | Response: {"code":"401","msg":"Unauthorized: Api Invalid"}; the rejected request is also audited. |
An optional second-layer header is available for hardened deployments — your CPE account manager will provide it if your integration requires it.
Environments & Base URLs
| Environment | Base URL | Mode |
|---|---|---|
| Sandbox examples use this | https://sandbox.creditpullengine.com |
Test data, non-billable, safe for integration |
| Production | https://api.creditpullengine.com |
Live data, billable, FCRA-compliant pulls |
A plain GET on the base URL is a health check that
returns {"code":200,"message":"hello word."}.
Request & Response Format
Requests
All endpoints accept POST with
Content-Type: application/x-www-form-urlencoded.
Parameters are sent as form fields, not JSON — this matches what
curl -d sends by default.
Responses
Always JSON, in one of two shapes:
- Success — carries
"status": "completed"plus the normalized report. - Error — carries
code+error/msgand, where relevant, amessagearray.
JSONP
Pass ?callback=myFn to wrap the JSON in a JavaScript
function call for legacy browser integrations.
Errors at a Glance
| HTTP code | When |
|---|---|
200 | Request succeeded. Look at the JSON body's status (success) or code (error envelope wrapped in 200). |
401 | Missing/invalid apikey. Body: {"code":"401","msg":"Unauthorized: Api Invalid"}. |
402 | Missing or invalid parameters — see the message array for the per-field reason. |
403 | Phone-flow authorization errors (/phone): bad token, expired, wrong code. |
404 | Report not found (on /getreport/* and /getprofile/*). |
500 | Server-side failure. CPE logs and monitors these; retry the request, and contact support if it persists. |
See API Reference → Error Responses for the canonical list of error shapes.
Support
- Sandbox onboarding & key issuance: contact your CPE account manager.
- API contract bug reports: open a ticket via the developer portal at
sandbox.creditpullengine.com. - Upstream-data issues (no-hit, match-quality failures, security freezes): these originate at the underlying data source. The CPE response surfaces a normalized
reportStatus.codeso you can act on it consistently regardless of source. See Glossary → Hit Response Codes.