Provision Student plans via API

A Guide for Universities with Keeper Enterprise

Enable eligible universities with an existing Keeper Enterprise license to automatically provision fully-featured password manager accounts for their students.

What Each Student Gets

  • Keeper Unlimited — full password manager

  • BreachWatch — dark web monitoring

  • 10 GB encrypted file storage

Important Information

⚠️ Secondary domain required. Student accounts cannot use the university's primary domain (e.g. @university.edu). You must use a secondary or alias domain such as @students.university.edu to keep student accounts separate from your enterprise.

🚫 Student accounts are independent — not managed by your Enterprise. You cannot enforce 2FA, audit vaults, or reset accounts. Students own their accounts like a personal subscription. If you need admin control, students must be added as paid users within your Enterprise plan instead.


Setup Guide

Step 1 — Confirm Prerequisites

Make sure you have:

  • An active Keeper Enterprise license

  • A secondary/alias email domain for students (e.g. @students.university.edu)

  • An IT developer who can make a REST API call


Step 2 — Request API Credentials from Keeper

Contact your Keeper account representative and ask for:

  • Partner Name — your university's identifier in Keeper's system

  • Partner Secret — a secret string used to generate a secure hash per request

Keeper will share these securely via a Keeper record.


Step 3 — Understand the API Call

Each student account is created with a single GET request:

Parameters

| Name | Type | Description | Notes |
| --- | --- | --- | --- |
| first_name | string | Student's first name | Required |
| last_name | string | Student's last name | Optional |
| email | string | Student's email address | Required — must use secondary domain |
| transaction_id | string | A unique ID you assign per request | Required — for your own records, e.g. UNIV-2024-00123 |
| hash | string | SHA-256 security hash (see below) | Required |
| partner_name | string | Your Partner Name provided by Keeper | Required |
| product_type | integer | Always 4 for student plans | Required — fixed value |

Generating the hash: Concatenate the student's email and your Partner Secret, then hash with SHA-256:

Command line:

Raw GET request example:

Response

| CODE | STATUS | MEANING |
| --- | --- | --- |
| 200 | ✅ Success | Account created — use the vault_url in the response to send the activation link to the student |
| 400 | ❌ Bad Request | A required field is missing or malformed |
| 401 | ❌ Unauthorized | Hash is wrong — check that you concatenate email + secret in that exact order with no spaces |

Examples:


Step 4 — Implement the Integration

Trigger this API call for each new student — for example, during enrollment. Below is a working Node.js sample:


Step 5 — Student Activates Their Account

Once provisioned, you can send the vault_url from the response to the student. The student sets their own Master Password — the university has no access to their vault.


Step 7 — Renew Licenses Annually

Each license is valid for 1 year. If your enterprise is eligible, Keeper will renew the student account automatically.


Example — Full Automation in Practice

The API is simple enough to integrate into an automated provisioning pipeline. Here is an example of how a university might implement it end to end:

  1. Query the student database. A scheduled script runs nightly and pulls all currently enrolled students who do not yet have a Keeper account. Students already provisioned are excluded automatically.

  2. Call the Keeper API. For each new student, the script generates the hash and sends the API request.

  3. Capture the activation link. The vault_url returned in the success response is extracted directly, giving the university full control over how it is delivered.

  4. Send a branded activation email. The link is sent via the university's own email system, using institutional branding and messaging.

  5. Log the result. Each successfully provisioned student is recorded in an internal log, so they are excluded from the next nightly run.

With this setup, new students receive their Keeper account automatically within 24 hours of enrollment — no manual IT effort required. A single developer can typically build and deploy this kind of integration in a matter of days.
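The nightly pipeline above, together with the hash step from Step 3, as an added Node.js example (not Keeper's sample code). The endpoint URL is a placeholder because the page does not show it; hex hash encoding, a JSON response body, the function names and the student record fields (`firstName`, `lastName`, `email`, `transactionId`) are assumptions.

```javascript
// Added example, not Keeper's code.
const { createHash } = require('node:crypto');

// Placeholder: the page does not show the endpoint; use the URL Keeper gives you.
const ENDPOINT = 'https://api.example.invalid/REPLACE_WITH_KEEPER_ENDPOINT';
const STUDENT_DOMAIN = 'students.university.edu'; // secondary domain from the guide

// hash = SHA-256(email + Partner Secret), no separator. Hex output is an assumption.
function keeperHash(email, secret) {
  return createHash('sha256').update(email + secret, 'utf8').digest('hex');
}

// Build the GET URL; rejects addresses outside the secondary domain before any call.
function buildRequestUrl(student, partnerName, secret) {
  const email = student.email.trim();
  if (!email.toLowerCase().endsWith('@' + STUDENT_DOMAIN)) {
    throw new Error(`${email} is not on @${STUDENT_DOMAIN}`);
  }
  const url = new URL(ENDPOINT);
  const params = {
    first_name: student.firstName,
    email, // hashed raw, percent-encoded only in the query string
    transaction_id: student.transactionId,
    hash: keeperHash(email, secret),
    partner_name: partnerName,
    product_type: '4', // fixed value for student plans
  };
  if (student.lastName) params.last_name = student.lastName; // optional field
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
  return url;
}

// Nightly run: skip provisioned students, call the API, return rows for the log.
// httpGet is injectable for offline testing; a JSON body with vault_url is assumed.
async function provisionAll(students, provisioned, creds, httpGet = fetch) {
  const results = [];
  for (const s of students) {
    if (provisioned.has(s.email)) continue;
    try {
      const res = await httpGet(buildRequestUrl(s, creds.partnerName, creds.secret));
      if (res.status !== 200) throw new Error(`HTTP ${res.status}`); // 400 or 401
      const { vault_url: vaultUrl } = await res.json();
      results.push({ email: s.email, ok: true, vaultUrl });
    } catch (err) {
      results.push({ email: s.email, ok: false, reason: err.message });
    }
  }
  return results;
}
```

Load the Partner Secret from a secret store or environment variable at run time, and log the per-student outcome rather than the request URL, since the URL carries the hash.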

Additional API Details

API Parameters

For more information on the required parameters, visit:

API Parameters

API Response codes

For more information on the response codes, visit:

API Response Codes

API Explorer

If you wish to explore the APIs in another tool like Postman or the Swagger editor, download the associated YAML definition of the APIs below.

For more information on exploring the API with swagger, visit:

API Explorer - Swagger

If you need support or have additional questions on the usage of these APIs, please contact support or your sales representative.
