FAQs

4-minute read. Updated Sep. 25, 2025

Knowing is half the battle

You can find most answers in our content, but some information is worth calling out. Here in Frequently Asked Questions (FAQs), KeyBank answers common inquiries and provides useful insights to equip you with the right knowledge.

Any commercial DDA account (like CBA, CDA, Sweep, ZBA, etc.) is supported once you have completed onboarding and are authorized to access the API.

Yes. You can have a zero-balance account. With our Payments APIs, you set up a zero-balance account to receive funds or use the account with our Inquiry APIs to track and report data. Zero-balance accounts are a great option to perform common tasks, simplify financial management, and minimize risk.

Pretty much! Bearer token is a more formal term for access token. Essentially, tokens are the primary way to access an API secured with OAuth 2.0. Only authenticated users with client credentials can request a token.

OAuth 2.0 is the industry-standard protocol for secure authorization and controlled API access. Once successfully authenticated with the API keys above, the authorization server issues an access token directly to the client. We use bearer tokens as our access tokens. This bearer token can then be used to make authorized requests to our APIs. Bearer tokens must be refreshed every 24 hours.

Use your KeyBank credentials to get an access token. Run the following cURL command. The certificate files must be identified in the first line. Application credentials are Base64 encoded and used with your client credentials to get an access token.

curl -X POST --cert {{client.crt}} --key {{client.key}} --cacert {{ca.crt}} \
'https://{{HOST}}/oauth/v1/token' \
-H 'Authorization: Basic {{base64(CONSUMER_KEY:CONSUMER_SECRET)}}' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'X-CorrelationId: {{transaction identifier at overall system level}}' \
-d 'Id={{CLIENT_ID}}&Key={{CLIENT_SECRET}}&grant_type=client_credentials'

Note: Replace the placeholders (e.g., {{client.crt}}) with your actual certificate and credential values.
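
The same token request can be assembled as a curl config read from standard input, so the Base64 credentials and the client secret never appear in the process list or shell history. This is an added example, not KeyBank's own code; the environment variable names and function names are assumptions.

```shell
# Added example (not KeyBank's code): build the token request without putting
# secrets on the curl command line. Assumed environment variables: HOST,
# CONSUMER_KEY, CONSUMER_SECRET, CLIENT_ID, CLIENT_SECRET, CORRELATION_ID.

# Base64 of "key:secret" for the Basic header. printf avoids the trailing
# newline that echo would encode; tr removes base64's line wrapping.
basic_credentials() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Escape backslashes and double quotes for a quoted curl config value.
cfg_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Emit a curl config on stdout. Arguments: client cert, client key, CA cert.
# URL path, headers and form field names are those of the cURL command above.
token_request_config() {
  printf 'url = "https://%s/oauth/v1/token"\n' "$(cfg_escape "$HOST")"
  printf 'request = "POST"\n'
  printf 'cert = "%s"\nkey = "%s"\ncacert = "%s"\n' \
    "$(cfg_escape "$1")" "$(cfg_escape "$2")" "$(cfg_escape "$3")"
  printf 'header = "Authorization: Basic %s"\n' \
    "$(basic_credentials "$CONSUMER_KEY" "$CONSUMER_SECRET")"
  printf 'header = "Content-Type: application/x-www-form-urlencoded"\n'
  printf 'header = "X-CorrelationId: %s"\n' "$(cfg_escape "$CORRELATION_ID")"
  # data-urlencode percent-encodes the value, so '&' or '=' inside a secret
  # cannot split the form body into extra fields.
  printf 'data-urlencode = "Id=%s"\n' "$(cfg_escape "$CLIENT_ID")"
  printf 'data-urlencode = "Key=%s"\n' "$(cfg_escape "$CLIENT_SECRET")"
  printf 'data = "grant_type=client_credentials"\n'
}

# Usage: token_request_config client.crt client.key ca.crt | curl --config -
```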

When you request an access token, the response includes an attribute called api_product_list. Review this field to see which APIs you have access to. If you need access to another API product, contact your Technical Account Manager.

Most likely, you are correctly authenticated to access our APIs, but do not have authorization for the API product you are trying to use. Here’s how to troubleshoot:

  1. Review your token response and look at the api_product_list field. This lists which APIs you have access to. If you don’t see the API listed, use our client support form to request this API product.
  2. Verify system security settings.
    • Make sure your IP addresses are correct. Sometimes IP addresses change with a proxy.
    • Confirm that your certificates are valid and saved in your trust store.
  3. If you still get an error, reach out to your Technical Account Manager or use our client support request form. Support will contact you with information about your status and current authorized products.

Certificates are electronic documents that verify your identity. Your certificate cannot be self-signed; it must be issued and signed by a publicly trusted certificate authority.

Think of a digital certificate like a virtual ID card for a website, or in this case, the developer portal. When the client connects to the site, the certificate legitimizes the client’s identity. When the client wants to transfer data on a cloud network, the certificate helps encrypt the data.

Connection to the KeyBank network requires a mutual TLS two-way authentication mechanism that uses digital certificates signed using the public key infrastructure (PKI) framework. Therefore, KeyBank requires a public certificate chain from the client that meets the following requirements:

  • Only one certificate is required for all APIs.
  • The certificate must have a CSR and private key.
  • The certificate chain must include the root, intermediate, and leaf.
  • The certificate can be in any format, like *.pem, *.crt, or *.cer.
  • Certificates cannot be self-signed.
  • The certificate must be issued by a trusted certificate authority organization like DigiCert.
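
A preflight for the checklist above, useful before submitting a certificate or when troubleshooting a failed mutual TLS handshake. This is an added example, not KeyBank tooling; it assumes the `openssl` CLI, a PEM bundle ordered leaf first, and an unencrypted PEM private key, and the function names are illustrative.

```shell
# Added example (not KeyBank tooling): check a client certificate bundle
# against the requirements listed above. Assumes PEM input, leaf first.

# Number of certificates in the bundle (leaf + intermediate + root = 3).
chain_length() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# True when the first certificate is self-issued (subject equals issuer),
# the usual sign of a self-signed certificate.
leaf_is_self_signed() {
  subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  [ -n "$subject" ] && [ "$subject" = "$issuer" ]
}

# True when the private key's public half matches the leaf certificate.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the leaf certificate has not yet expired.
cert_is_current() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# preflight BUNDLE KEY: print each failed requirement; the exit status is
# the number of failures (0 means every check passed).
preflight() {
  failures=0
  [ "$(chain_length "$1")" -ge 3 ] ||
    { echo "chain lacks root/intermediate/leaf"; failures=$((failures + 1)); }
  if leaf_is_self_signed "$1"; then
    echo "leaf certificate is self-signed"; failures=$((failures + 1))
  fi
  key_matches_cert "$1" "$2" ||
    { echo "private key does not match leaf"; failures=$((failures + 1)); }
  cert_is_current "$1" ||
    { echo "leaf certificate has expired"; failures=$((failures + 1)); }
  return "$failures"
}
```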

A digital notary for certificates issued by a trusted third party. KeyBank recommends DigiCert, Verisign, Comodo, Entrust, GeoTrust, GlobalSign, GoDaddy, SecureTrust, or USERTrust (Sectigo).

Absolutely. This is a regular operational activity, and all clients are informed via secure email. This communication is sent 30-60 days prior to certificate changes to any environment.

The uuid parameter stands for Universally Unique Identifier. This is a useful attribute to recall a transaction before the next batch cycle runs. You create this value. It can be an alphanumeric value with a maximum length of 45 characters. For example, a random UUID value can be 5ea39056-49ab-4714-b941-e52b1bec7. The batch and the individual UUID can be the same. KeyBank recommends that you use different UUID values.

Note: Since the UUID field is required to undo an ACH payment request, KeyBank strongly encourages including the UUID with all ACH Origination calls.

The X-CorrelationId parameter is a unique identifier created for each API operation. This ID is returned in an error response so you can trace the transaction among the chain of API operations in event logs. The system automatically generates a random alphanumeric ID in the response.

If an API service is down, KeyBank will immediately communicate that information by email. The Developer Portal will also display a banner with possible additional information on our Announcements page.

If you are experiencing issues and have not received any communication, contact your Technical Account Manager directly.

In any situation, we aim to provide information in a timely and efficient manner, depending on the circumstance.

  1. If there is a major upgrade approaching, we will provide notice and any client-action information three or more weeks in advance. This communication will be shared via email and also available on our Announcements page.
  2. For service interruptions due to operational maintenance, we typically give one-week notice in advance by email as well as on the Developer Portal banner.
  3. In the event of an emergency downtime, the notice period will be shorter. An email will be sent out to clients immediately, with the Developer Portal banner and possible related content to be updated soon after.

Use the client support form to submit an issue. There is a text field in the form that will allow you to paste the cURL command or the request body text. However, this field is limited. Once a support member has contacted you, reply to the secure email with the following information:

  • Share the complete cURL command.
  • Screenshot from the API tool (like Postman) or text file with the URL path and header parameters.
  • Screenshot or text file of the request and response payloads.

All information should be shared securely through trusted and encrypted communication channels. If this is an urgent or immediate matter, contact your Technical Account Manager directly.