Provision Student plans via API

A Guide for Universities with Keeper Enterprise

Enable eligible universities with an existing Keeper Enterprise license to automatically provision fully-featured password manager accounts for their students.

What Each Student Gets

Keeper Unlimited — full password manager
BreachWatch — dark web monitoring
10 GB encrypted file storage

Important Information

⚠️ Secondary domain required. Student accounts cannot use the university's primary domain (e.g. @university.edu). You must use a secondary or alias domain such as @students.university.edu to keep student accounts separate from your enterprise.

🚫 Student accounts are independent — not managed by your Enterprise. You cannot enforce 2FA, audit vaults, or reset accounts. Students own their accounts like a personal subscription. If you need admin control, students must be added as paid users within your Enterprise plan instead.

Setup Guide

Step 1 — Confirm Prerequisites

Make sure you have:

An active Keeper Enterprise license
A secondary/alias email domain for students (e.g. @students.university.edu)
An IT developer who can make a REST API call

Step 2 — Request API Credentials from Keeper

Contact your Keeper account representative and ask for:

Partner Name — your university's identifier in Keeper's system
Partner Secret — a secret string used to generate a secure hash per request

Keeper will share these securely via a Keeper record.

You cannot proceed without these two values. Contact your Keeper representative if you haven't received them.

Step 3 — Understand the API Call

Each student account is created with a single GET request:

GET https://keepersecurity.com/bi_api/v1/services/partner/create-license

Parameters

Name

Type

Description

Notes

first_name

string

Student's first name

Required

last_name

string

Student's last name

Optional

email

string

Student's email address

Required — must use secondary domain

transaction_id

string

A unique ID you assign per request

Required — for your own records, e.g. UNIV-2024-00123

hash

string

SHA-256 security hash (see below)

Required

partner_name

string

Your Partner Name provided by Keeper

Required

product_type

integer

Always 4 for student plans

Required — fixed value

Generating the hash: Concatenate the student's email and your Partner Secret, then hash with SHA-256:

hash = SHA256.hexdigest.bytesToHex(email + secret)

Command line:

echo -n "student@students.university.edu+PARTNER_SECRET" | openssl dgst -sha256

Raw GET request example:

GET https://keepersecurity.com/bi_api/v1/services/partner/create-license?product_type=4&transaction_id=UNIV-2024-00123&first_name=Jane&last_name=Smith&email=student@students.university.edu&hash=b94f6f125c79e3a5ffaa826f584c10d52ada669e6762051b826b55776d05a8d4&partner_name=YOUR_PARTNER_NAME

Response

CODE

STATUS

MEANING

200

✅ Success

Account created — use the vault_url in the response to send the activation link to the student

400

❌ Bad Request

A required field is missing or malformed

401

❌ Unauthorized

Hash is wrong — check that you concatenate email + secret in that exact order with no spaces

Examples:

{
  "success": true,
  "order_number": "12345678-1234",
  "vault_url": "keepersecurity.com/vault/#"
}

Step 4 — Implement the Integration

Trigger this API call for each new student — for example, during enrollment. Below is a working Node.js sample:

// npm install request crypto-js
var request = require('request');
var CryptoJS = require('crypto-js');

// Credentials from Keeper
var secret = 'PARTNER_SECRET';
var partner_name = 'PARTNER_NAME';

// Student details
var email = 'EMAIL';
var first_name = 'FIRST_NAME';
var last_name = 'LAST_NAME';
var transaction_id = 'TRANSACTION_ID';

// Generate hash: SHA256(email + secret)
var hash = CryptoJS.SHA256(email + secret);

var options = {
  'method': 'GET',
  'url': 'https://keepersecurity.com/bi_api/v1/services/partner/create-license?product_type=4&transaction_id='+transaction_id+'&first_name='+first_name+'&last_name='+last_name+'&email='+email+'&hash='+hash+'&partner_name='+partner_name+'',
  'headers': {
      'Content-Type': 'application/json'
  }
  };

  request(options, function (error, response) {
      if (error) console.log("Error From the server: "+error);
      console.log("response body: "+response.body);
      console.log("response status: "+response.statusCode);
  });

Step 5 — Student Activates Their Account

Once provisioned, you can send the vault_url from the response to the student. The student sets their own Master Password — the university has no access to their vault.

Step 7 — Renew Licenses Annually

Each license is valid for 1 year. If your enterprise is eligible Keeper will auto renew the student account automatically.

Example — Full Automation in Practice

The API is simple enough to integrate into an automated provisioning pipeline. Here is an example of how a university might implement it end to end:

Query the student database. A scheduled script runs nightly and pulls all currently enrolled students who do not yet have a Keeper account. Students already provisioned are excluded automatically.
Call the Keeper API. For each new student, the script generates the hash and sends the API request.
Capture the activation link. The vault_url returned in the success response is extracted directly, giving the university full control over how it is delivered.
Send a branded activation email. The link is sent via the university's own email system, using institutional branding and messaging.
Log the result. Each successfully provisioned student is recorded in an internal log, so they are excluded from the next nightly run.

With this setup, new students receive their Keeper account automatically within 24 hours of enrollment — no manual IT effort required. A single developer can typically build and deploy this kind of integration in a matter of days.

Additional API Details

API Parameters

For more information on the required parameters, visit:

API Parameters

API Response codes

For more information on the response codes, visit:

API Response Codes

API Explorer

If you wish to explore the APIs in another tool like postman or the swagger editor, download the associated YAML definition of the APIs below

For more information on exploring the API with swagger, visit:

API Explorer - Swagger

If you need support or have additional questions on the usage of these APIs, please contact support or your sales representative.

PreviousProvision Family plans via API NextAPI Troubleshooting

Last updated 3 months ago