API Reference

Credit Reports

Every endpoint that produces a report returns the same vendor-neutral CPE Credit Report shape. Code against it once and never think about which upstream source serviced the request.

About Credit Reports

A CPE Credit Report is a single, stable, vendor-neutral JSON document describing a consumer's credit profile. CPE aggregates and normalizes consumer credit data from multiple upstream sources — including national credit bureaus — into one consistent shape. The same shape is returned by /pull, /phone, /getreport/json/{id}, and /getprofile/json/{profileid}.

A pull is the act of:

  1. Authenticating the caller (apikey).
  2. Resolving the caller's organization and entitlements.
  3. Routing the request to the appropriate upstream source(s) based on the inputs you provided.
  4. Normalizing the source response(s) into the CPE Credit Report schema.
  5. Optionally attaching the CPE Score Forecast (when your organization is entitled).
  6. Filtering tradelines by your organization's configured categories (when set).
  7. Persisting the normalized report and generating shareable PDF / JSON / HTML URLs.
  8. Returning the result.

Pull a Credit Report

POST /pull

Send the applicant's identity fields. The minimum required set is fname, lname, dob, city, and state — every other field, including ssn and address, is optional. CPE picks the optimal upstream request automatically based on what you provide.

Parameters

FieldTypeRequiredDescription
apikeystringrequiredYour organization's API key.
fnamestringrequiredConsumer's first name.
lnamestringrequiredConsumer's last name.
dobstringrequiredDate of birth. Accepts YYYY-MM-DD, MM/DD/YYYY, or MMDDYYYY.
citystringrequiredCity.
statestringrequiredTwo-letter state code.
ssnstringoptional9-digit SSN. Non-digit characters stripped; X mask chars preserved for partial-SSN pulls.
addressstringoptionalStreet address.
zipstringoptionalZIP code.
ssn_last4stringoptionalLast 4 SSN digits. Kept on the pull record for your reconciliation; never used as a match key.
phonestringoptionalConsumer phone. Stored on the pull record.
callbackstringoptionalJSONP callback function name.
💡

Tip. Always send everything you have. CPE never penalizes you for sending an extra field — more data simply means a higher-confidence match.

How CPE uses your inputs

CPE inspects your inputs and automatically routes the request through the strongest-match path within its upstream data network. There is no setting to flip on your side — the routing happens server-side:

  • When an SSN is present, CPE uses the SSN as the primary match anchor.
  • When there is no SSN but a street address is present, CPE uses the address as the match anchor.
  • When only name + DOB + city/state are present, CPE matches on identity alone — the narrowest match window, but valid; it may return a thin file (reportStatus.code = "8").

The internal path that ran is echoed back in metadata.path for debugging / observability — it is not a value you set on the request.

Required fields at a glance

FieldRequired?
fname, lname, dob, city, stateAlways. This is the minimum viable pull.
ssnOptional. Sending it produces the highest-confidence match.
address, zipOptional. Sending them strengthens the match when SSN is absent.

If any of the five minimum fields are missing, the request returns 402 Missing Parameters naming the missing fields.

Phone (Mobile) Method

Pull a credit report when all you have is the consumer's phone number and date of birth. Two endpoints, both under /phone. The general-purpose /pull endpoint is untouched — phone-driven pulls live entirely under /phone.

Step 1 — Authorize

POST /phone/authorize

Resolve the phone via the CPE phone-identity lookup, audit the lookup, SMS a 4-digit code to the consumer, and return an opaque auth_token.

FieldTypeRequiredDescription
apikeystringrequiredYour organization's API key.
phonestringrequired10-digit US phone number (non-digits stripped, no +1 needed).
dobstringrequiredConsumer DOB. Stashed for the pull — it is the primary match discriminator.
zipstringoptional5-digit ZIP. Cross-checked against the looked-up address; result is reported but never blocks the flow.
testbooleanoptionalSandbox only. true/1/yes swaps the lookup for a fixed sandbox test consumer (XWKDAAZC IQTPE / CHESTER, TX). SMS still goes to the phone you provided. Silently ignored in production.

Authorize response fields

FieldTypeDescription
auth_tokenstringOpaque encrypted token. Pass to /phone in step 2.
expires_innumberSeconds the token+code remain valid (default 600 = 10 min).
zip_matchboolean | nulltrue/false when you supplied a zip; null otherwise. Informational only.
test_modebooleantrue when a built-in test-phone shortcut was hit.
debugobjectSandbox only. Diagnostics block. Absent in production.
debug_codestringSandbox + skip-SMS only. Legacy alias for debug.code.

Sandbox test-phone shortcuts.

5615551234 — no phone-identity lookup, no SMS dispatch, fixed sandbox identity XWKDAAZC IQTPE / CHESTER, TX 75936, DOB forced to 07/14/1985, debug_code returned in the response. Ideal for fully automated tests.

test=true flag — any phone, real SMS to your number, fixed sandbox test-consumer identity. DOB overridden to 07/14/1985 so the pull returns a real test report. Ideal for end-to-end SMS-delivery testing.

Step 2 — Pull

POST /phone

Consume the token (verify the code, or accept a webhook-confirmed status) and pull the credit report.

FieldTypeRequiredDescription
apikeystringrequiredYour organization's API key.
auth_tokenstringrequiredToken from /phone/authorize.
codestringconditional4-digit SMS code. Required unless the consumer already authorized via SMS reply (YES/Y/OK/CONFIRM), in which case the token is already confirmed and code may be omitted.

You do not send dob, fname, lname, city, state, address, ssn, or zip — they were captured at /phone/authorize and ride along with the token. The token is bound to the identity captured at authorization time, so re-authorizing the same phone with a different identity cannot poison an earlier token.

Response. Identical shape to every other pull response (see Response Schema). The only phone-specific field is metadata.path = "phone".

Phone-flow errors

HTTP / codeEndpointCause
401bothapikey missing or unrecognized.
402 Missing Parameters/phone/authorizephone not 10 digits, dob missing, or zip not 5 digits when provided.
402 Phone has no associated owner/phone/authorizeThe phone-identity lookup returned no owner.
402 SMS dispatch failed/phone/authorizeThe SMS gateway rejected the send.
402 Phone lookup failed/phone/authorizeThe phone-identity lookup was unreachable or errored. Retry safely — no state changed.
403 auth_token is required/phoneauth_token missing.
403 Invalid or expired authorization token/phoneToken doesn't decode, doesn't exist, or belongs to a different org.
403 That code is incorrect or has expired/phonecode didn't match the row's pending code.
403 Authorization has expired/phone10-minute TTL elapsed. Re-call /phone/authorize.
403 A verification code is required/phoneToken still pending (no SMS YES reply) and code not supplied.

Repull & Caching

CPE deduplicates pulls to avoid double-charging:

  • Each pull is fingerprinted by the consumer's stable profileid — a one-way identifier derived from name + DOB + city/state. SSN is intentionally excluded so the same consumer dedupes across SSN-bearing and SSN-less pulls.
  • If you pull the same consumer again within 24 hours, the cached report is returned instead of issuing a new upstream pull.
  • Cached responses are identical in shape to fresh ones; the files URLs point at the original report.
  • Bypass rules: the cache expires 24 h after the original pull, and is bypassed automatically once the same consumer has been pulled three times within a 24-hour window — the next pull goes fresh upstream.
  • /phone re-pull. The auth_token itself is a re-pull handle. POSTing the same token to /phone (no code needed) returns the cached report tied to that token until the 24 h dedup window closes.

Retrieve a Report by ID

Every completed pull returns a files block containing three ready-to-use URLs — one each for PDF, JSON, and HTML — that download the same report in different formats.

GET/getreport/pdf/{id}
GET/getreport/json/{id}
GET/getreport/html/{id}

The {id} segment is an opaque, encrypted identifier issued by CPE. Use the URLs directly from the pull response's files block — do not construct them yourself. The encrypted URL itself is the access secret, so treat it like any other sensitive credential.

CodeWhen
400Missing or invalid id.
404No matching report.
400Report exists but the original pull was not successful.
500PDF render or JSON parse failed.

Retrieve a Report by profileid

Partners can hold a stable profileid for a consumer (returned in every pull/phone response under metadata.profileid) and use these URLs to fetch the most recent successful credit pull without tracking individual report IDs.

GET/getprofile/pdf/{profileid}
GET/getprofile/json/{profileid}
GET/getprofile/html/{profileid}

The profileid is a 32-character hex string that stays the same across every pull for the same consumer, so this endpoint always resolves to the freshest report without you tracking per-pull IDs.

CodeWhen
400profileid missing or not 32 hex chars.
404No successful pull found for this profile id.

Response Schema

A successful pull returns one JSON object. Top-level fields:

FieldTypeDescription
statusstringcompleted on a successful pull. Reflects the upstream outcome otherwise.
reportStatusobjectNormalized hit code — { code, description }. See Glossary.
reportDatestringDate the report was produced (YYYY-MM-DD).
consumerobjectIdentity block.
fraudIDScanAlertCodesarrayNormalized fraud / ID-scan alert codes with descriptions.
addressesarrayAddress history.
employmentsarrayEmployment records.
creditScoreobject{ scoring, factors, cpe_score? }.
tradesarrayTradelines (accounts) on the file.
bankruptciesarrayPublic-record bankruptcies.
collectionsarrayCollection accounts.
inquiriesarrayCredit inquiries.
creditorsarrayCreditor contact directory.
filesobject{ pdf, json, html } download URLs.
metadataobject{ generatedat, agentid, orgid, path, report_filters, profileid }.

trades[] fields

FieldDescription
customerName / customerNumberFurnisher name and reference number.
monthsReviewedMonths of payment history furnished.
accountDesignator{ code, description } — see Account Designators.
datesdateReported, dateOpened, dateClosed, lastPaymentDate, lastActivityDate.
money fieldshighCredit, creditLimit, balance, actualPaymentAmount, scheduledPaymentAmount, pastDueAmount.
portfolioTypeCode{ code, description } — see Portfolio Types.
rate{ code, description } — see Rate Codes.
narrativeCodesArray of { code, codeabv, description, dispute? }. Dispute narratives are auto-tagged.
accountTypeCode{ code, description } — see Account Type Codes.
paymentHistoryMonth-by-month timeline (most recent first), [{ month, code, description, late_days? }].

Dispute tagging. When a tradeline carries a DISPUTE narrative, the entry is tagged in-place with a dispute key naming the state (Active, Pending, Litigation, …). See Dispute Narrative States.

CPE Score Forecast

The CPE Score Forecast is a proprietary predicted credit score (model cpe-heuristic-v4-v1) derived from the normalized CPE Credit Report. When your organization is entitled, the response includes a cpe_score block under creditScore. Non-entitled orgs see neither key.

FieldTypeDescription
forecastnumberPredicted score, 300–850.
confidence_interval[number, number]Lower and upper bound around the forecast.
scorecardnumberStratification bucket, 17.
tierstringRisk tier: prime, near_prime, or subprime.
top_negative_factorsstring[]Up to three key factors holding the score down.
modelstringAlgorithm version identifier (cpe-heuristic-v4-v1).
disclaimerstringRequired legal text — surface this when displaying the score.
computed_atstringISO-8601 timestamp of the calculation.

Scorecard buckets

ValueMeaning
1No scorable trade
2Dormant trades
3Thin and young
4Thick — highest risk
5Thick — higher risk
6Thick — lower risk
7Thick — lowest risk

The CPE Score Forecast is a proprietary estimate, not an official VantageScore or FICO product. Always surface the disclaimer string when displaying it.

Report Filters

Each org can be configured to surface only certain tradeline categories. When a filter set is configured, the API restricts trades[] to matching accounts only. When no filter is configured, the full report is returned. Filters are set on your organization by your CPE account manager. The active filter set is echoed in metadata.report_filters.

KeyLabel
creditcardsCredit Cards
mortgageMortgages
home_equityHome Equity
autoAuto Loans
student_loansStudent / Education Loans
personal_loansPersonal Loans
lines_of_creditLines of Credit
revolvingRevolving (all)
installmentInstallment (all)
collections_tradesCollection Trades
medicalMedical
unsecuredUnsecured Accounts
securedSecured Accounts

Error Responses

ShapeWhen
{ "code": 401, "msg": "Unauthorized: Api Invalid" }Missing/bad apikey.
{ "code": 402, "error": "Missing Parameters", "message": [...] }Required fields absent or malformed for the resolved mode.
{ "code": 402, "error": "Missing Parameters", "message": ["Credit report request failed: ..."] }Upstream pull failed. The underlying reason is surfaced in the message.
{ "code": 401, "error": "MemberNumber Missing", ... }Your organization is not fully provisioned for live pulls. Contact your account manager.
{ "code": 403, "error": "..." }Phone-flow auth errors (see Phone Method).
{ "Code": 4xx/5xx, "Message": "...", ... }/getreport/* and /getprofile/* errors (note the capitalized envelope).

Always read the message array on a 402 — it names exactly which field to fix.