Sulfah سلفة API integration & OpenBanking export

OpenData · OpenFinance · OpenBanking · Protocol analysis

Connect Sulfah loan data to your accounting, risk and BI stack — under SAMA-aligned controls

Sulfah (سلفة) is a SAMA-permitted consumer micro-lending app in Saudi Arabia that issues short-term financing from SAR 1,000 to SAR 25,000 over 3 to 18 months, with AI/ML underwriting that can deposit funds to a customer bank account within minutes. That workflow produces structured, server-side records — exactly the kind of data an OpenData / OpenFinance integration is built to expose.

Loan application & offer data — Requested amount, tenure, APR, processing fee, VAT and the generated repayment schedule, pulled per user for reconciliation and reporting.

Repayment & installment ledger — Due dates, monthly installment amounts, paid/late/outstanding status and settlement events for collections dashboards and cash-flow forecasting.

Contract & disclosure documents — The accepted loan contract, terms & conditions and SAMA-mandated APR disclosure, exportable as PDF/JSON for audit trails.

Account login & profile — Mirror the app authorization flow (OTP / token validation) to bind a user, refresh a session and read the personalized credit profile fields the app maintains.

Why Sulfah data is worth integrating

Sulfah was one of the first companies admitted to the Saudi Central Bank (SAMA) regulatory sandbox for consumable micro-lending, and it is repeatedly cited as a key player in the Kingdom's fintech lending landscape — including in the Saudi Arabia Fintech Market 2024–2029 research that lists it alongside Lendo, SURE and Foodics. Because every financing journey runs through the app and a regulated backend, the data is consistent and machine-readable: amounts, tenures, APRs, fee breakdowns, installment calendars, and contract acceptance timestamps.

For a borrower-side or partner-side integrator, that means a Sulfah API integration can replace manual screenshotting and PDF downloads with a clean feed of obligations and payments. Accounting teams get liability schedules; risk and treasury teams get exposure and DBR (debt-burden ratio) inputs; compliance teams get an immutable record of the APR disclosure and contract acceptance that SAMA's Responsible Lending Principles require lenders to keep.

The wider context matters too. Saudi Arabia launched its Open Banking Framework in November 2022, added the "View My Bank Accounts" service in May 2024, issued a major Payment Initiation Services (PIS) update in September 2024, and in 2026 moved open banking from the sandbox into a formal licensing regime. Designing a Sulfah integration in that idiom — consent-driven, FAPI-style security, account-information and payment-initiation patterns — keeps it forward-compatible with the Kingdom's OpenFinance direction under Vision 2030's Financial Sector Development Program.

What we deliver

Deliverables checklist

API specification (OpenAPI / Swagger) for login, loans, repayments and documents
Protocol & auth-flow report: OTP login, token/cookie chain, request signing, pagination
Runnable source for the login and statement/repayment APIs (Python and Node.js)
Webhook receiver samples for disbursement and installment-due events
Automated tests, Postman/Insomnia collection and a written API guide
Compliance notes: SAMA Open Banking alignment, Responsible Lending, SIMAH reporting, PDPL retention

Engagement models

Source code delivery from $300 — we hand over runnable API source code plus documentation; you pay after delivery once you are satisfied.
Pay-per-call hosted API — call our managed endpoints and pay only for the requests you make, with no upfront fee; suited to teams that prefer usage-based pricing.
NDA and data-processing addendum available on request.
Optional maintenance retainer for protocol changes and app updates.

Data available for integration (OpenData perspective)

The table below maps the data a Sulfah integration can expose to the screen or feature it originates from, its granularity, and a typical downstream use. Field names are illustrative; exact shapes are confirmed during protocol analysis.

Data type	Source screen / feature	Granularity	Typical use
Account & identity profile	Login / registration, profile	Per user (national ID reference, phone, KYC status)	User binding, identity matching, onboarding checks
Eligibility & credit profile	"Apply" flow, personalized profile	Per user (limit, risk band, DBR inputs)	Pre-qualification, affordability and risk scoring
Loan application & offer	Amount & tenure selection screen	Per application (amount, term 3–18m, APR, fee, VAT)	Pipeline tracking, reconciliation, pricing audit
Loan contract & disclosures	Contract review & acceptance screen	Per contract (PDF, T&C version, acceptance timestamp)	Compliance evidence, dispute handling, archiving
Repayment schedule	Loan details / installments view	Per installment (due date, principal, profit, total)	Liability schedule, cash-flow forecasting
Payment & settlement events	Repayment history, notifications	Per transaction (paid, late, early settlement, fee)	Collections dashboards, late-payment analytics
Disbursement records	Approval / funding confirmation	Per disbursement (amount, IBAN reference, timestamp)	Bank-statement matching, treasury reconciliation

Typical integration scenarios

1. Borrower obligation sync into accounting/ERP

Context: an SME or individual using Sulfah financing wants the outstanding balance and installment calendar to appear automatically in their bookkeeping tool. Data/API: GET /loans/{id}/schedule plus GET /loans/{id}/payments. OpenData mapping: behaves like an Account Information Service feed — read-only, consent-scoped account and transaction data — so it slots into the same connector model used for SAMA Open Banking AIS.

2. Credit-exposure & affordability dashboard

Context: a lender, employer benefits program or PFM app needs a consolidated view of a user's short-term obligations. Data/API: credit-profile read endpoint plus active-loan list with APR and remaining tenure. OpenFinance mapping: the DBR-relevant fields feed an affordability calculation consistent with the Responsible Lending Principles, and can be merged with bank-account data pulled via open banking.

3. Compliance & audit archive

Context: a regulated entity must retain APR disclosures and signed contracts. Data/API: GET /loans/{id}/contract returning the PDF and the accepted T&C version and timestamp. OpenData mapping: document-export endpoint with immutable identifiers, suitable for a WORM archive and SIMAH-aligned record-keeping.

4. Collections & late-payment analytics

Context: an operations team wants near-real-time visibility of installments coming due and going late. Data/API: webhook events installment.due, payment.received, loan.settled. OpenFinance mapping: event-driven push that mirrors payment-status notifications, so downstream systems never poll blindly.

5. Onboarding pre-fill via account login

Context: a partner wants returning users to authorize once and reuse their verified profile. Data/API: OTP login flow, token refresh, then GET /me. OpenData mapping: a consent-and-token handshake equivalent to an authorization-code grant, with scopes limited to profile and loan-read.

Technical implementation

Below are illustrative request/response snippets showing the auth handshake, a statement-style read, and a webhook payload. Endpoint names are placeholders; the protocol report delivered with the project documents the real paths, headers and signing scheme.

A. Account login (OTP exchange)

POST /api/v1/sulfah/auth/login
Content-Type: application/json

{
  "msisdn": "+9665XXXXXXXX",
  "otp": "482913",
  "device_id": "a1b2c3d4"
}

200 OK
{
  "access_token": "eyJhbGciOi...",
  "refresh_token": "rt_9f2c...",
  "expires_in": 3600,
  "user_id": "usr_18347"
}

B. Repayment schedule (statement-style read)

GET /api/v1/sulfah/loans/LN-20251130/schedule
Authorization: Bearer <ACCESS_TOKEN>

200 OK
{
  "loan_id": "LN-20251130",
  "principal": 20000.00,
  "currency": "SAR",
  "tenure_months": 18,
  "apr": 75.32,
  "processing_fee": 200.00,
  "vat_on_fee": 30.00,
  "total_repayment": 29990.00,
  "installments": [
    {"no": 1, "due_date": "2026-01-01", "amount": 1666.11, "status": "paid"},
    {"no": 2, "due_date": "2026-02-01", "amount": 1666.11, "status": "due"}
  ]
}

C. Webhook: installment due / payment received

POST https://your-app.example/webhooks/sulfah
X-Sulfah-Signature: sha256=7b1d...
Content-Type: application/json

{
  "event": "payment.received",
  "loan_id": "LN-20251130",
  "installment_no": 1,
  "amount": 1666.11,
  "paid_at": "2026-01-01T08:12:44Z"
}

// Respond 2xx within 5s, otherwise the event is retried
// with exponential backoff (verify the HMAC before processing)

D. Error handling & pagination

GET /api/v1/sulfah/loans?status=active&page=2&page_size=50
Authorization: Bearer <ACCESS_TOKEN>

401 { "error": "token_expired", "hint": "refresh and retry" }
429 { "error": "rate_limited", "retry_after": 30 }
200 {
  "page": 2, "page_size": 50, "total": 73,
  "items": [ /* ... */ ]
}

Data flow / architecture

A minimal pipeline looks like this: Sulfah app / authorized API → Ingestion service (token management, retries, HMAC verification) → Normalized storage (loans, installments, payments, documents tables) → Output layer (your REST API, scheduled Excel/CSV exports, or a BI/warehouse sync). Webhooks feed the ingestion service for near-real-time events; a nightly reconciliation job back-fills anything missed.

Compliance & privacy

Sulfah operates under the supervision of the Saudi Central Bank (SAMA), which permitted it as a fintech startup for consumable micro-lending. Any integration we build is scoped to data the user is entitled to and is delivered with guidance on the controls that apply in the Kingdom:

SAMA Open Banking Framework — we follow its consent model and FAPI-aligned security profile (mutual TLS, signed requests, scoped access tokens) so the integration matches the direction SAMA set in 2022–2026.
Responsible Lending Principles for Individual Customers — the APR ceiling (max 89.59% for Sulfah products), affordability/DBR checks, and disclosure-before-contract requirements are reflected in how application and contract data are surfaced and retained.
Regulations for Consumer Financing — fee, profit and total-cost fields are exposed exactly as disclosed, never re-derived.
SIMAH (Saudi Credit Bureau) — record-keeping and identifiers are kept compatible with credit-reporting expectations.
Saudi Personal Data Protection Law (PDPL) — data minimization, purpose limitation, consent logging, encryption at rest/in transit, and a defined retention window.

We work only under customer authorization or with documented, authorized APIs; we do not bypass security controls, and we will sign an NDA and a data-processing agreement where required.

Market positioning & user profile

Sulfah is a B2C consumer-lending product focused on Saudi Arabia, serving salaried residents and expatriates who need small, short-term financing (SAR 1,000–25,000, 3–18 months) faster than a traditional bank branch — the app's AI/ML underwriting targets disbursement to the customer's bank account within minutes. Its users skew mobile-first on Android and iOS, and the company is positioned within the Kingdom's Shariah-compliant micro-finance segment alongside the Vision 2030 fintech push. Integrators on this page are typically accounting/ERP vendors, PFM and budgeting apps, employer financial-wellness programs, and risk/compliance teams that need a programmatic feed of borrower obligations rather than manual statements.

Screenshots

App screenshots from the Google Play listing. Click any thumbnail to enlarge.

Similar apps & integration landscape

Teams that integrate Sulfah data often work across several Saudi consumer-finance apps at once. The names below are part of the broader ecosystem we routinely see referenced; listing them here helps anyone researching these products find a consistent approach to data integration. We do not rank or critique them.

Quara Finance — Shariah-compliant personal financing app offering larger limits and multi-year tenures; users frequently want a unified obligation export across Quara and Sulfah.
Tamam Finance — fully digital micro-finance focused on financial inclusion; holds application, contract and installment data similar in shape to Sulfah's.
Tasheel Finance — consumer financing through electronic channels; statement and repayment-schedule sync is the common integration request.
Nayifat (Nayifat Instalment) — long-standing instalment finance provider; account login and loan-status reads map cleanly to the same connector model.
Emkan Finance — digital consumer lending and BNPL; disbursement and installment events are typical webhook targets.
Madfu — buy-now-pay-later app; order-level repayment schedules are the equivalent of Sulfah's installment ledger for reconciliation.
Arib — personal financing with flexible tenures; users consolidating obligations want APR and remaining-balance fields normalized alongside Sulfah's.
Alraedah Finance — SME and consumer financing; contract-document export and audit archiving overlap with the compliance scenario above.
Lendo — invoice-financing and crowdlending platform cited alongside Sulfah in Saudi fintech market reports; relevant when a partner aggregates multiple credit products.
Tabby — widely used BNPL across the GCC; transaction and installment exports complement Sulfah's data for a full short-term-credit picture.

About us

We are an independent technical studio focused on fintech and open-data API integration. Our engineers come from banking, payment gateways, protocol analysis and cloud backgrounds, and we ship end-to-end financial APIs under security and compliance constraints.

Consumer lending, digital banking, BNPL and cross-border clearing integrations
Enterprise API gateways, webhook pipelines and security reviews
Custom Python / Node.js / Go SDKs and automated test harnesses
Full pipeline: protocol analysis → build → validation → compliance hand-off
Source code delivery from $300 — runnable API source and full documentation; pay after delivery upon satisfaction
Pay-per-call hosted API — usage-based pricing, no upfront cost

Contact

To request a quote or submit your target app and requirements, open our contact page:

Contact page

Tell us which Sulfah data you need (loan status, repayment schedule, contract PDF, account login) and the destination system.

Engagement workflow

Scope confirmation: integration scenarios and API needs (login, loans, repayments, documents, webhooks).
Protocol analysis and API design (2–5 business days, complexity-dependent).
Build and internal validation (3–8 business days).
Documentation, samples and test cases (1–2 business days).
Typical first delivery: 5–15 business days; third-party or sandbox approvals may extend timelines.

FAQ

What do you need from me to start a Sulfah integration?

The target app name (Sulfah / سلفة, already provided), the concrete data or flows you need (e.g. loan application status, repayment schedule, contract PDF, account login), the destination system (ERP, BI dashboard, accounting tool), and any sandbox or authorized partner credentials you already hold.

How long does a first Sulfah API delivery take?

Usually 5 to 15 business days for a first API drop with documentation and tests. Flows that depend on third-party approvals, SAMA Open Banking sandbox onboarding, or KYC providers can extend the timeline.

Is this compliant with Saudi Central Bank (SAMA) rules?

We only work with customer authorization or documented, authorized APIs. We align with the SAMA Open Banking Framework security profile, the Responsible Lending Principles for Individual Customers, SIMAH credit-reporting expectations and the Saudi Personal Data Protection Law (PDPL), and we provide consent logging and data-minimization guidance.

Can you deliver source code instead of a hosted API?

Yes. Source code delivery starts from $300: you receive runnable Python or Node.js code plus documentation and pay after delivery upon satisfaction. Alternatively you can use our hosted endpoints and pay per call with no upfront fee.

📱 Original app overview — Sulfah (سلفة) (appendix)

Sulfah Company is a consumer-lending mobile app operating in Saudi Arabia, approved by the Saudi Central Bank (SAMA) to offer small and short-term loans. It is widely described as the first fintech firm regulated by SAMA to provide small, quick financing through a mobile app, using AI/ML to accelerate underwriting and deposit funds to the customer's bank account within minutes.

Loan size & term: from SAR 1,000 up to SAR 25,000; customers choose the amount and a payback period from 3 months up to 18 months.
Transparency: users can view the terms and conditions before applying, and must review and accept the loan contract — with all terms, conditions and loan details — before the request proceeds; all of it under SAMA supervision.
Pricing: the annual percentage rate (APR) — maximum 89.59% — expresses the actual cost of funds over the loan term.
Loan example: borrowing SAR 20,000 over 18 months — processing fee (1%) SAR 200, VAT on the fee (15%) SAR 30, APR 75.32%, total interest SAR 9,990, monthly installment SAR 1,666.11, total repayment SAR 29,990.
References: loan pricing page, terms of use page, and the Google Play listing for com.sulfah.

This appendix summarizes the original app for context only. The integration services described above are provided by OpenFinance Lab, an independent studio, and are not affiliated with or endorsed by Sulfah Company.