Crif Credit Score

Endpoint Overview

POST /api/v1/credit-report-crif/score

Description

The CRIF Credit Report Score API provides instant access to credit scores powered by CRIF High Mark, a leading Credit Information Company in India and part of the global CRIF Group. This endpoint enables businesses to retrieve comprehensive credit scores for individuals using their PAN (Permanent Account Number), supporting informed credit decisions with data from one of India's fastest-growing credit bureaus.

CRIF High Mark specializes in serving the microfinance, NBFC, and emerging credit sectors, offering unique insights into credit behavior across diverse customer segments. With credit scores ranging from 300 to 900, CRIF provides reliable creditworthiness assessments that complement traditional bureau data. This API offers a streamlined integration path to access CRIF's specialized credit intelligence while maintaining full compliance with regulatory standards and user consent requirements.

Key Benefits

Specialized Market Focus: Access credit intelligence from CRIF High Mark, which specializes in microfinance, NBFC, and underserved credit segments

Name Flexibility: Accepts separate first name and last name fields for better name matching and data accuracy

Alternative Credit Data: Leverage CRIF's focus on alternative credit scoring for customers with limited traditional credit history

Global Expertise: Benefit from CRIF Group's international credit risk management experience adapted for the Indian market

Use Cases

Microfinance & NBFCs

Digital Lending & Fintech

Emerging Markets & Services

Microfinance Lending: Assess creditworthiness of micro-loan applicants in underserved segments using CRIF's specialized scoring models

NBFC Loan Origination: Streamline non-banking financial company loan approvals with credit scores tailored to NBFC portfolios

Small Business Loans: Evaluate small business owners and entrepreneurs for credit facilities using CRIF's SME-focused insights

Agricultural Finance: Support rural and agricultural lending decisions with credit data covering diverse geographic regions

Gold Loan Assessment: Complement collateral-based lending with credit score verification for gold loan products

Technical Implementation

Authentication

All API requests require authentication using a JWT Bearer token. Authentication follows these steps:

Obtain API Credentials: Register with Surepass to receive your API key.

Generate JWT Token: Use your API key to generate a JWT token.

Include in Requests: Add the token to the Authorization header as Bearer TOKEN.

Different authentication tokens are used for sandbox and production environments:

Sandbox: https://sandbox.surepass.app

Production: https://kyc-api.surepass.app

Request Parameters

Request Headers

Header	Required	Description
Authorization	Yes	Bearer token for authentication (Format: `Bearer YOUR_JWT_TOKEN`)
Content-Type	Yes	Must be set to `application/json`

Request Body

Parameter	Type	Required	Description
first_name	string	Yes	First name of the individual as per their PAN card
last_name	string	Yes	Last name (surname) of the individual as per their PAN card
mobile	string	Yes	10-digit mobile number of the individual
consent	string	Yes	User consent for credit check. Must be `Y` for yes
pan	string	Yes	Permanent Account Number (PAN) of the individual - 10 alphanumeric characters

Example Request

{
    "first_name": "Rajiv",
    "last_name": "Talwar",
    "mobile": "9999000900",
    "consent": "Y",
    "pan": "ABCPD1234F"
}

Process Response

Response Parameters

Parameter	Type	Description
data	object	Contains the CRIF credit report information
data.client_id	string	Unique identifier for the credit report request
data.first_name	string	First name of the individual as provided in the request
data.last_name	string	Last name of the individual as provided in the request
data.mobile	string	Mobile number of the individual as provided in the request
data.pan	string	PAN number used for the credit check
data.credit_score	string	CRIF credit score value (ranges from 300 to 900)
status_code	integer	HTTP status code of the response
success	boolean	Indicates whether the request was successful
message	string	Human-readable message about the request status
message_code	string	Machine-readable message code for the status

Example Successful Response

{
    "data": {
        "client_id": "crif_credit_score_twflvqKyzoihfnINpqux",
        "first_name": "Rajiv",
        "last_name": "Talwar",
        "mobile": "9999000900",
        "pan": "ABCPD1234F",
        "credit_score": "510"
    },
    "status_code": 200,
    "success": true,
    "message": "Success",
    "message_code": "success"
}

Possible Error Responses

Authentication Failed

Missing Required Fields

Consent Not Provided

{
    "status_code": 401,
    "success": false,
    "message": "Invalid or expired Bearer token",
    "message_code": "unauthorized"
}

This error occurs when the JWT Bearer token is missing, invalid, or expired. Generate a new token using your API credentials and retry the request.

Integration Best Practices

Security Recommendations

Bearer Token Management: Store JWT tokens securely in environment variables or secret management systems; implement automatic token refresh before expiration

Transport Security: Always use HTTPS endpoints for all API communications to ensure encrypted data transmission

PAN Encryption: Encrypt PAN numbers using AES-256 or equivalent standards both in storage and during transmission

Input Sanitization: Validate and sanitize all input parameters on the server side to prevent injection attacks and malformed requests

Access Control: Implement strict role-based access control limiting credit score access to authorized personnel and systems only

Audit Logging: Maintain comprehensive logs of all credit checks including requester identity, timestamp, purpose, and results for compliance

API Key Protection: Never expose API keys, JWT tokens, or credentials in client-side code, mobile applications, or public repositories

Data Minimization: Request and store only the minimum necessary credit information required for your business purpose

Secure Response Handling: Ensure credit score data is securely processed and stored with appropriate encryption and access controls

User Experience Guidelines

Name Field Clarity: Clearly label first name and last name fields in forms; provide examples (e.g., "First Name: Rajiv", "Last Name: Talwar")

Consent Transparency: Design clear consent flows explaining that CRIF credit checks will be recorded as inquiries on the user's credit report

Real-time Validation: Validate PAN format (ABCDE1234F pattern), mobile numbers, and name fields client-side before API submission

Progress Indicators: Display meaningful loading messages during the 2-5 second processing time (e.g., "Fetching your CRIF credit score...")

Name Matching Guidance: Inform users to enter their name exactly as it appears on their PAN card for successful matching

Error Recovery: Provide helpful error messages with clear next steps when validation fails (e.g., "Please check that your name matches your PAN card")

Score Context: Explain CRIF score ranges (300-900) and what different score bands mean for credit decisions

Privacy Communication: Clearly state how credit score data will be used, stored, and protected to build user trust

Mobile Optimization: Ensure forms work seamlessly on mobile devices with appropriate input types (text for names, numeric for mobile)

Alternative Options: For users with no CRIF credit history, provide information about alternative verification methods

Inquiry Impact Notice: Inform users that this credit check may appear on their credit report as an inquiry

Code Samples

cURL

Python

Node.js

Compliance and Legal Considerations

CRIF High Mark Compliance: This API operates in accordance with CRIF High Mark's terms of service and Credit Information Companies (Regulation) Act, 2005

Reserve Bank of India Regulations: Adheres to RBI guidelines governing credit information companies and fair credit reporting practices in India

Explicit Consent Mandatory: Indian law requires obtaining explicit, informed, and verifiable consent from individuals before accessing their credit information from any bureau

Digital Personal Data Protection Act, 2023: Comply with India's data protection regulations for collection, processing, storage, and sharing of personal credit data

Credit Inquiry Recording: Each CRIF credit check is recorded as an inquiry on the individual's credit report, which may impact future credit assessments

Inquiry Impact Management: Multiple credit inquiries within short timeframes can negatively affect credit scores; implement strategies to minimize unnecessary checks

Purpose Limitation: Credit information must be used exclusively for legitimate purposes such as credit evaluation, lending decisions, or risk management as authorized by law

Data Retention Requirements: Maintain comprehensive audit logs and credit check records for regulatory compliance, typically 3-5 years for financial transactions

Fair Lending Practices: Use CRIF scores as one component of a holistic, non-discriminatory credit evaluation process that considers multiple factors

PAN Data Protection: PAN is classified as sensitive personal information under IT Act, 2000; implement robust security measures to prevent unauthorized access

Name Accuracy: Ensure first name and last name match exactly with PAN records to maintain data accuracy and prevent fraudulent access

Consumer Rights: Inform users of their rights to access credit reports, dispute inaccuracies, understand score factors, and receive adverse action notices if declined

Vendor Agreement: Ensure your organization has valid agreements with both Surepass and CRIF High Mark with appropriate licenses for credit data access

Cross-Border Data: If operating across borders, ensure compliance with international data transfer regulations and obtain necessary approvals

Regulatory Reporting: Be prepared to report credit data access, usage patterns, and security incidents to regulatory authorities as required

Alternative Credit Data: When using CRIF for alternative credit scoring, ensure transparency about scoring methodology and factors considered

Provide your bearer token in the

Authorization

header when making requests to protected resources.

Example:

Authorization: Bearer ********************

curl --location --request POST 'https://kyc-api.surepass.app/api/v1/credit-report-crif/score' \ --header 'Authorization: Bearer <token>' \ --header 'Content-Type: application/json' \ --data-raw '{ "first_name": "Rajiv", "last_name": "Talwar", "mobile": "9999000900", "consent": "Y", "pan": "ABCPD1234F" }'

{ "data": { "client_id": "crif_credit_score_twflvqKyzoihfnINpqux", "first_name": "Rajiv", "last_name": "Talwar", "mobile": "9999000900", "pan": "ABCPD1234F", "credit_score": "510" }, "status_code": 200, "success": true, "message": "Success", "message_code": "success" }

Description#

Use Cases#

Technical Implementation#

Request Headers#

Request Body#

Example Request#

Response Parameters#

Example Successful Response#

Possible Error Responses#

Integration Best Practices#

Code Samples#

Request

Responses