MFI API

MFI Suite exposes every member, loan, savings, and ledger operation through versioned APIs. Integrations can use REST (modern, OpenAPI-described), JSON-RPC (BridgeERP-native), webhooks for events, and official SDKs in Python, Node.js, Java, and Go.

API settings
API keys + webhooks under Configuration → API / Integrations.
At a glance — Authentication: OAuth 2.0 client credentials, API keys, or session cookies. Rate limit: 60 req/sec per API key default, increased on request. SLA: 99.9% monthly. Versioning: /v1, /v2 path-prefixed with two-version forward compatibility.

API surface area

Three primary surfaces serve different integration patterns.

SurfaceUse caseFormatAuth
REST /api/v1/Modern third-party integrationsJSON over HTTPSOAuth 2.0 / API key
JSON-RPC /jsonrpcBridgeERP-to-BridgeERP, internal toolsJSON-RPC 2.0Session / API key
Webhooks /webhooks/Event pushJSON signed HMAC-SHA256HMAC signature verification
XML-RPC /xmlrpc/2/Legacy BridgeERP clientsXML-RPCAPI key

Authentication

Modern integrations should use OAuth 2.0 client credentials. API keys remain supported for server-to-server scripts and trusted internal automation. Avoid embedding user credentials.

# OAuth 2.0 client credentials
curl -X POST https://microfinance.mybridgeerp.com/oauth/token \
  -d 'grant_type=client_credentials' \
  -d 'client_id=svc_kcb_disbursement' \
  -d 'client_secret=<secret>' \
  -d 'scope=loans:read disbursements:write'

# Response
# {"access_token":"eyJ...","expires_in":3600,"token_type":"Bearer"}

Rate limiting

Default rate limits protect tenant performance. Limits are per API key.

  • 60 requests/second sustained, 120 burst
  • Webhook delivery retries: 3 attempts with exponential backoff (1m, 5m, 30m)
  • Bulk endpoints (e.g. /loans/bulk) counted as N requests where N = batch size
  • Rate-limit response: HTTP 429 with Retry-After header

Versioning and deprecation

All REST endpoints are path-versioned (/v1/, /v2/). Two major versions are supported in parallel. Deprecation cycle: 6-month notice before sunsetting a version, with Deprecation and Sunset HTTP headers from the deprecation date.

Warning — JSON-RPC and XML-RPC are not versioned — they expose BridgeERP model methods directly. Tenant module upgrades CAN change method signatures. Subscribe to release notes and pin the SDK version that matches your tenant.

Common objects

All surfaces expose the same data model. Names match BridgeERP model names exactly.

  • mfi.member — natural persons and groups
  • mfi.loan — credit facilities
  • mfi.loan.schedule — repayment schedule lines
  • mfi.loan.disbursement — disbursement events
  • mfi.savings.account — savings accounts
  • mfi.savings.transaction — savings book entries
  • mfi.mobile.money.transaction — mobile money pulls/pushes
  • mfi.aml.alert — AML monitoring alerts

Reference

OAuth scopes

ScopeDescription
members:readRead member profiles and KYC
members:writeCreate / update members
loans:readRead loans and schedules
loans:writeCreate loans, modify status
disbursements:writeTrigger disbursement events
repayments:writePost repayments
savings:readRead savings accounts and transactions
savings:writeCreate accounts, post deposits/withdrawals
aml:readRead AML alerts
regulatory:readRead regulatory returns
webhooks:manageCreate and configure webhooks

Troubleshooting

SymptomLikely causeFix
401 Unauthorized despite valid token.Token expired (default 1h).Refresh via client credentials grant; consider caching token until 5m before expiry.
429 Too Many Requests under low traffic.Another client sharing the same API key.Issue separate API keys per consumer; check key usage at Settings > API > Keys.
POST to /loans returns 500 with 'access denied'.OAuth scope granted but user mapped to the key lacks loan officer role.Open Settings > Users, find the technical user for the API key, add Loan Officer role.

See also

Was this page helpful?