Credit Reports
Every endpoint that produces a report returns the same vendor-neutral CPE Credit Report shape. Code against it once and never think about which upstream source serviced the request.
About Credit Reports
A CPE Credit Report is a single, stable,
vendor-neutral JSON document describing a consumer's credit profile.
CPE aggregates and normalizes consumer credit data from multiple
upstream sources — including national credit bureaus —
into one consistent shape. The same shape is returned by
/pull, /phone,
/getreport/json/{id}, and
/getprofile/json/{profileid}.
A pull is the act of:
- Authenticating the caller (
apikey). - Resolving the caller's organization and entitlements.
- Routing the request to the appropriate upstream source(s) based on the inputs you provided.
- Normalizing the source response(s) into the CPE Credit Report schema.
- Optionally attaching the CPE Score Forecast (when your organization is entitled).
- Filtering tradelines by your organization's configured categories (when set).
- Persisting the normalized report and generating shareable PDF / JSON / HTML URLs.
- Returning the result.
Pull a Credit Report
Send the applicant's identity fields. The minimum required
set is fname, lname,
dob, city, and state —
every other field, including ssn and
address, is optional. CPE picks the optimal upstream
request automatically based on what you provide.
Parameters
| Field | Type | Required | Description |
|---|---|---|---|
apikey | string | required | Your organization's API key. |
fname | string | required | Consumer's first name. |
lname | string | required | Consumer's last name. |
dob | string | required | Date of birth. Accepts YYYY-MM-DD, MM/DD/YYYY, or MMDDYYYY. |
city | string | required | City. |
state | string | required | Two-letter state code. |
ssn | string | optional | 9-digit SSN. Non-digit characters stripped; X mask chars preserved for partial-SSN pulls. |
address | string | optional | Street address. |
zip | string | optional | ZIP code. |
ssn_last4 | string | optional | Last 4 SSN digits. Kept on the pull record for your reconciliation; never used as a match key. |
phone | string | optional | Consumer phone. Stored on the pull record. |
callback | string | optional | JSONP callback function name. |
Tip. Always send everything you have. CPE never penalizes you for sending an extra field — more data simply means a higher-confidence match.
How CPE uses your inputs
CPE inspects your inputs and automatically routes the request through the strongest-match path within its upstream data network. There is no setting to flip on your side — the routing happens server-side:
- When an SSN is present, CPE uses the SSN as the primary match anchor.
- When there is no SSN but a street address is present, CPE uses the address as the match anchor.
- When only name + DOB + city/state are present, CPE matches on identity alone — the narrowest match window, but valid; it may return a thin file (
reportStatus.code = "8").
The internal path that ran is echoed back in metadata.path
for debugging / observability — it is not a value you set on the
request.
Required fields at a glance
| Field | Required? |
|---|---|
fname, lname, dob, city, state | Always. This is the minimum viable pull. |
ssn | Optional. Sending it produces the highest-confidence match. |
address, zip | Optional. Sending them strengthens the match when SSN is absent. |
If any of the five minimum fields are missing, the request returns
402 Missing Parameters naming the missing fields.
Phone (Mobile) Method
Pull a credit report when all you have is the consumer's phone number
and date of birth. Two endpoints, both under /phone. The
general-purpose /pull endpoint is untouched
— phone-driven pulls live entirely under /phone.
Step 1 — Authorize
Resolve the phone via the CPE phone-identity lookup, audit the lookup,
SMS a 4-digit code to the consumer, and return an opaque
auth_token.
| Field | Type | Required | Description |
|---|---|---|---|
apikey | string | required | Your organization's API key. |
phone | string | required | 10-digit US phone number (non-digits stripped, no +1 needed). |
dob | string | required | Consumer DOB. Stashed for the pull — it is the primary match discriminator. |
zip | string | optional | 5-digit ZIP. Cross-checked against the looked-up address; result is reported but never blocks the flow. |
test | boolean | optional | Sandbox only. true/1/yes swaps the lookup for a fixed sandbox test consumer (XWKDAAZC IQTPE / CHESTER, TX). SMS still goes to the phone you provided. Silently ignored in production. |
Authorize response fields
| Field | Type | Description |
|---|---|---|
auth_token | string | Opaque encrypted token. Pass to /phone in step 2. |
expires_in | number | Seconds the token+code remain valid (default 600 = 10 min). |
zip_match | boolean | null | true/false when you supplied a zip; null otherwise. Informational only. |
test_mode | boolean | true when a built-in test-phone shortcut was hit. |
debug | object | Sandbox only. Diagnostics block. Absent in production. |
debug_code | string | Sandbox + skip-SMS only. Legacy alias for debug.code. |
Sandbox test-phone shortcuts.
5615551234 — no phone-identity lookup, no SMS dispatch, fixed sandbox identity XWKDAAZC IQTPE / CHESTER, TX 75936, DOB forced to 07/14/1985, debug_code returned in the response. Ideal for fully automated tests.
test=true flag — any phone, real SMS to your number, fixed sandbox test-consumer identity. DOB overridden to 07/14/1985 so the pull returns a real test report. Ideal for end-to-end SMS-delivery testing.
Step 2 — Pull
Consume the token (verify the code, or accept a webhook-confirmed status) and pull the credit report.
| Field | Type | Required | Description |
|---|---|---|---|
apikey | string | required | Your organization's API key. |
auth_token | string | required | Token from /phone/authorize. |
code | string | conditional | 4-digit SMS code. Required unless the consumer already authorized via SMS reply (YES/Y/OK/CONFIRM), in which case the token is already confirmed and code may be omitted. |
You do not send dob, fname,
lname, city, state,
address, ssn, or zip — they
were captured at /phone/authorize and ride along with the
token. The token is bound to the identity captured at authorization
time, so re-authorizing the same phone with a different identity cannot
poison an earlier token.
Response. Identical shape to every other pull response
(see Response Schema). The only
phone-specific field is metadata.path = "phone".
Phone-flow errors
HTTP / code | Endpoint | Cause |
|---|---|---|
401 | both | apikey missing or unrecognized. |
402 Missing Parameters | /phone/authorize | phone not 10 digits, dob missing, or zip not 5 digits when provided. |
402 Phone has no associated owner | /phone/authorize | The phone-identity lookup returned no owner. |
402 SMS dispatch failed | /phone/authorize | The SMS gateway rejected the send. |
402 Phone lookup failed | /phone/authorize | The phone-identity lookup was unreachable or errored. Retry safely — no state changed. |
403 auth_token is required | /phone | auth_token missing. |
403 Invalid or expired authorization token | /phone | Token doesn't decode, doesn't exist, or belongs to a different org. |
403 That code is incorrect or has expired | /phone | code didn't match the row's pending code. |
403 Authorization has expired | /phone | 10-minute TTL elapsed. Re-call /phone/authorize. |
403 A verification code is required | /phone | Token still pending (no SMS YES reply) and code not supplied. |
Repull & Caching
CPE deduplicates pulls to avoid double-charging:
- Each pull is fingerprinted by the consumer's stable
profileid— a one-way identifier derived from name + DOB + city/state. SSN is intentionally excluded so the same consumer dedupes across SSN-bearing and SSN-less pulls. - If you pull the same consumer again within 24 hours, the cached report is returned instead of issuing a new upstream pull.
- Cached responses are identical in shape to fresh ones; the
filesURLs point at the original report. - Bypass rules: the cache expires 24 h after the original pull, and is bypassed automatically once the same consumer has been pulled three times within a 24-hour window — the next pull goes fresh upstream.
/phonere-pull. Theauth_tokenitself is a re-pull handle. POSTing the same token to/phone(nocodeneeded) returns the cached report tied to that token until the 24 h dedup window closes.
Retrieve a Report by ID
Every completed pull returns a files block containing
three ready-to-use URLs — one each for PDF, JSON, and HTML —
that download the same report in different formats.
The {id} segment is an opaque, encrypted identifier issued
by CPE. Use the URLs directly from the pull response's
files block — do not construct them
yourself. The encrypted URL itself is the access secret, so treat it
like any other sensitive credential.
Code | When |
|---|---|
400 | Missing or invalid id. |
404 | No matching report. |
400 | Report exists but the original pull was not successful. |
500 | PDF render or JSON parse failed. |
Retrieve a Report by profileid
Partners can hold a stable profileid for a
consumer (returned in every pull/phone response under
metadata.profileid) and use these URLs to fetch the
most recent successful credit pull without tracking
individual report IDs.
The profileid is a 32-character hex string that stays the
same across every pull for the same consumer, so this endpoint always
resolves to the freshest report without you tracking per-pull IDs.
Code | When |
|---|---|
400 | profileid missing or not 32 hex chars. |
404 | No successful pull found for this profile id. |
Response Schema
A successful pull returns one JSON object. Top-level fields:
| Field | Type | Description |
|---|---|---|
status | string | completed on a successful pull. Reflects the upstream outcome otherwise. |
reportStatus | object | Normalized hit code — { code, description }. See Glossary. |
reportDate | string | Date the report was produced (YYYY-MM-DD). |
consumer | object | Identity block. |
fraudIDScanAlertCodes | array | Normalized fraud / ID-scan alert codes with descriptions. |
addresses | array | Address history. |
employments | array | Employment records. |
creditScore | object | { scoring, factors, cpe_score? }. |
trades | array | Tradelines (accounts) on the file. |
bankruptcies | array | Public-record bankruptcies. |
collections | array | Collection accounts. |
inquiries | array | Credit inquiries. |
creditors | array | Creditor contact directory. |
files | object | { pdf, json, html } download URLs. |
metadata | object | { generatedat, agentid, orgid, path, report_filters, profileid }. |
trades[] fields
| Field | Description |
|---|---|
customerName / customerNumber | Furnisher name and reference number. |
monthsReviewed | Months of payment history furnished. |
accountDesignator | { code, description } — see Account Designators. |
| dates | dateReported, dateOpened, dateClosed, lastPaymentDate, lastActivityDate. |
| money fields | highCredit, creditLimit, balance, actualPaymentAmount, scheduledPaymentAmount, pastDueAmount. |
portfolioTypeCode | { code, description } — see Portfolio Types. |
rate | { code, description } — see Rate Codes. |
narrativeCodes | Array of { code, codeabv, description, dispute? }. Dispute narratives are auto-tagged. |
accountTypeCode | { code, description } — see Account Type Codes. |
paymentHistory | Month-by-month timeline (most recent first), [{ month, code, description, late_days? }]. |
Dispute tagging. When a tradeline carries a
DISPUTE narrative, the entry is tagged in-place with a dispute
key naming the state (Active, Pending,
Litigation, …). See
Dispute Narrative States.
CPE Score Forecast
The CPE Score Forecast is a proprietary predicted
credit score (model cpe-heuristic-v4-v1) derived from the
normalized CPE Credit Report. When your organization is entitled, the
response includes a cpe_score block under
creditScore. Non-entitled orgs see neither key.
| Field | Type | Description |
|---|---|---|
forecast | number | Predicted score, 300–850. |
confidence_interval | [number, number] | Lower and upper bound around the forecast. |
scorecard | number | Stratification bucket, 1–7. |
tier | string | Risk tier: prime, near_prime, or subprime. |
top_negative_factors | string[] | Up to three key factors holding the score down. |
model | string | Algorithm version identifier (cpe-heuristic-v4-v1). |
disclaimer | string | Required legal text — surface this when displaying the score. |
computed_at | string | ISO-8601 timestamp of the calculation. |
Scorecard buckets
| Value | Meaning |
|---|---|
1 | No scorable trade |
2 | Dormant trades |
3 | Thin and young |
4 | Thick — highest risk |
5 | Thick — higher risk |
6 | Thick — lower risk |
7 | Thick — lowest risk |
The CPE Score Forecast is a proprietary estimate, not
an official VantageScore or FICO product. Always surface the
disclaimer string when displaying it.
Report Filters
Each org can be configured to surface only certain tradeline
categories. When a filter set is configured, the API restricts
trades[] to matching accounts only. When no filter is
configured, the full report is returned. Filters are set on your
organization by your CPE account manager. The active filter set is
echoed in metadata.report_filters.
| Key | Label |
|---|---|
creditcards | Credit Cards |
mortgage | Mortgages |
home_equity | Home Equity |
auto | Auto Loans |
student_loans | Student / Education Loans |
personal_loans | Personal Loans |
lines_of_credit | Lines of Credit |
revolving | Revolving (all) |
installment | Installment (all) |
collections_trades | Collection Trades |
medical | Medical |
unsecured | Unsecured Accounts |
secured | Secured Accounts |
Error Responses
| Shape | When |
|---|---|
{ "code": 401, "msg": "Unauthorized: Api Invalid" } | Missing/bad apikey. |
{ "code": 402, "error": "Missing Parameters", "message": [...] } | Required fields absent or malformed for the resolved mode. |
{ "code": 402, "error": "Missing Parameters", "message": ["Credit report request failed: ..."] } | Upstream pull failed. The underlying reason is surfaced in the message. |
{ "code": 401, "error": "MemberNumber Missing", ... } | Your organization is not fully provisioned for live pulls. Contact your account manager. |
{ "code": 403, "error": "..." } | Phone-flow auth errors (see Phone Method). |
{ "Code": 4xx/5xx, "Message": "...", ... } | /getreport/* and /getprofile/* errors (note the capitalized envelope). |
Always read the message array on a 402 — it names exactly which field to fix.