# Provision Student plans via API

Enable eligible universities with an existing Keeper Enterprise license to automatically provision fully-featured password manager accounts for their students.

### What Each Student Gets

* **Keeper Unlimited** — full password manager
* **BreachWatch** — dark web monitoring
* **10 GB encrypted file storage**

### Important Information

> ⚠️ <mark style="color:$primary;">**Secondary domain required.**</mark> <mark style="color:$primary;"></mark><mark style="color:$primary;">Student accounts cannot use the university's primary domain (e.g.</mark> <mark style="color:blue;">`@university.edu`</mark><mark style="color:$primary;">). You must use a secondary or alias domain such as</mark> <mark style="color:blue;">`@students.university.edu`</mark> <mark style="color:$primary;">to keep student accounts separate from your enterprise.</mark>

> 🚫 <mark style="color:$primary;">**Student accounts are independent — not managed by your Enterprise.**</mark> <mark style="color:$primary;"></mark><mark style="color:$primary;">You cannot enforce 2FA, audit vaults, or reset accounts. Students own their accounts like a personal subscription. If you need admin control, students must be added as</mark> <mark style="color:$primary;"></mark><mark style="color:$primary;">**paid users within your Enterprise plan**</mark> <mark style="color:$primary;"></mark><mark style="color:$primary;">instead.</mark>

***

## Setup Guide

### Step 1 — Confirm Prerequisites

Make sure you have:

* An active Keeper Enterprise license
* A secondary/alias email domain for students (e.g. <mark style="color:blue;">`@students.university.edu`</mark>)
* An IT developer who can make a REST API call

***

### Step 2 — Request API Credentials from Keeper

Contact your Keeper account representative and ask for:

* **Partner Name** — your university's identifier in Keeper's system
* **Partner Secret** — a secret string used to generate a secure hash per request

Keeper will share these securely via a Keeper record.

{% hint style="success" %}
You cannot proceed without these two values. Contact your Keeper representative if you haven't received them.
{% endhint %}

***

### Step 3 — Understand the API Call

Each student account is created with a single GET request:

```
GET https://keepersecurity.com/bi_api/v1/services/partner/create-license
```

#### Parameters

<table><thead><tr><th width="145.2265625">Name</th><th width="87.9921875">Type</th><th width="232.2578125">Description</th><th>Notes</th></tr></thead><tbody><tr><td><mark style="color:$warning;"><code>first_name</code></mark></td><td>string</td><td>Student's first name</td><td>Required</td></tr><tr><td><mark style="color:$warning;"><code>last_name</code></mark></td><td>string</td><td>Student's last name</td><td>Optional</td></tr><tr><td><mark style="color:$warning;"><code>email</code></mark></td><td>string</td><td>Student's email address</td><td>Required — must use secondary domain</td></tr><tr><td><mark style="color:$warning;"><code>transaction_id</code></mark></td><td>string</td><td>A unique ID you assign per request</td><td>Required — for your own records, e.g. <mark style="color:blue;"><code>UNIV-2024-00123</code></mark></td></tr><tr><td><mark style="color:$warning;"><code>hash</code></mark></td><td>string</td><td>SHA-256 security hash (see below)</td><td>Required</td></tr><tr><td><mark style="color:$warning;"><code>partner_name</code></mark></td><td>string</td><td>Your Partner Name provided by Keeper</td><td>Required</td></tr><tr><td><mark style="color:$warning;"><code>product_type</code></mark></td><td>integer</td><td>Always <mark style="color:$warning;"><code>4</code></mark> for student plans</td><td>Required — fixed value</td></tr></tbody></table>

**Generating the hash:** Concatenate the student's email and your Partner Secret, then hash with SHA-256:

```
hash = SHA256.hexdigest.bytesToHex(email + secret)
```

Command line:

```bash
echo -n "student@students.university.edu+PARTNER_SECRET" | openssl dgst -sha256
```

#### **Raw GET request example:**

```http
GET https://keepersecurity.com/bi_api/v1/services/partner/create-license?product_type=4&transaction_id=UNIV-2024-00123&first_name=Jane&last_name=Smith&email=student@students.university.edu&hash=b94f6f125c79e3a5ffaa826f584c10d52ada669e6762051b826b55776d05a8d4&partner_name=YOUR_PARTNER_NAME
```

#### **Response**

<table><thead><tr><th width="122.234375">CODE</th><th width="157.47265625">STATUS</th><th>MEANING</th></tr></thead><tbody><tr><td><mark style="color:$warning;"><code>200</code></mark></td><td>✅ Success</td><td>Account created — use the <mark style="color:blue;"><code>vault_url</code></mark> in the response to send the activation link to the student</td></tr><tr><td><mark style="color:$warning;"><code>400</code></mark></td><td>❌ Bad Request</td><td>A required field is missing or malformed</td></tr><tr><td><mark style="color:$warning;"><code>401</code></mark></td><td>❌ Unauthorized</td><td>Hash is wrong — check that you concatenate <mark style="color:$warning;"><code>email + secret</code></mark> in that exact order with no spaces</td></tr></tbody></table>

Examples:

{% tabs %}
{% tab title="200" %}

```json
{
  "success": true,
  "order_number": "12345678-1234",
  "vault_url": "keepersecurity.com/vault/#"
}
```

{% endtab %}

{% tab title="400" %}

```json
{
  "success": false,
  "message": "Invalid request - Missing required fields"
}
```

{% endtab %}

{% tab title="401" %}

```json
{
  "success": false,
  "message": "Invalid Hash Value - UnAuthorized"
}
```

{% endtab %}
{% endtabs %}

***

### Step 4 — Implement the Integration

Trigger this API call for each new student — for example, during enrollment. Below is a working Node.js sample:

```js
// npm install request crypto-js
var request = require('request');
var CryptoJS = require('crypto-js');

// Credentials from Keeper
var secret = 'PARTNER_SECRET';
var partner_name = 'PARTNER_NAME';

// Student details
var email = 'EMAIL';
var first_name = 'FIRST_NAME';
var last_name = 'LAST_NAME';
var transaction_id = 'TRANSACTION_ID';

// Generate hash: SHA256(email + secret)
var hash = CryptoJS.SHA256(email + secret);

var options = {
  'method': 'GET',
  'url': 'https://keepersecurity.com/bi_api/v1/services/partner/create-license?product_type=4&transaction_id='+transaction_id+'&first_name='+first_name+'&last_name='+last_name+'&email='+email+'&hash='+hash+'&partner_name='+partner_name+'',
  'headers': {
      'Content-Type': 'application/json'
  }
  };

  request(options, function (error, response) {
      if (error) console.log("Error From the server: "+error);
      console.log("response body: "+response.body);
      console.log("response status: "+response.statusCode);
  });
```

***

### Step 5 — Student Activates Their Account

Once provisioned, you can send the <mark style="color:blue;">`vault_url`</mark> from the response to the student. The student sets their own Master Password — the university has no access to their vault.

***

### Step 7 — Renew Licenses Annually

Each license is valid for **1 year**. If your enterprise is eligible Keeper will auto renew the student account automatically.

***

## Example — Full Automation in Practice

The API is simple enough to integrate into an automated provisioning pipeline. Here is an example of how a university might implement it end to end:

1. **Query the student database.** A scheduled script runs nightly and pulls all currently enrolled students who do not yet have a Keeper account. Students already provisioned are excluded automatically.
2. **Call the Keeper API.** For each new student, the script generates the hash and sends the API request.
3. **Capture the activation link.** The <mark style="color:blue;">`vault_url`</mark> returned in the success response is extracted directly, giving the university full control over how it is delivered.
4. **Send a branded activation email.** The link is sent via the university's own email system, using institutional branding and messaging.
5. **Log the result.** Each successfully provisioned student is recorded in an internal log, so they are excluded from the next nightly run.

With this setup, new students receive their Keeper account automatically within 24 hours of enrollment — no manual IT effort required. A single developer can typically build and deploy this kind of integration in a matter of days.

### Additional API Details

#### API Parameters

For more information on the required parameters, visit:&#x20;

{% content-ref url="../api-troubleshooting/api-parameters" %}
[api-parameters](https://docs.keeper.io/en/enterprise-guide/api-troubleshooting/api-parameters)
{% endcontent-ref %}

#### API Response codes

For more information on the response codes, visit:

{% content-ref url="../api-troubleshooting/api-response-codes" %}
[api-response-codes](https://docs.keeper.io/en/enterprise-guide/api-troubleshooting/api-response-codes)
{% endcontent-ref %}

#### API Explorer

If you wish to explore the APIs in another tool like postman or the [swagger editor](https://editor.swagger.io/), download the associated YAML definition of the APIs below

For more information on exploring the API with swagger, visit:

{% content-ref url="../api-troubleshooting/api-explorer-swagger" %}
[api-explorer-swagger](https://docs.keeper.io/en/enterprise-guide/api-troubleshooting/api-explorer-swagger)
{% endcontent-ref %}

{% hint style="info" %}
If you need support or have additional questions on the usage of these APIs, please contact support or your sales representative.
{% endhint %}