ABA

The American Banking Association (ABA) developed the routing transit number (RTN), a nine-digit code that identifies a financial institution in the US. The term ABA is often used to mean the bank’s routing number.

access token

A unique code generated with your application and client credentials that permits use of the APIs. This is also known as a bearer token. This token is required in the Authorization header for every API call over a secure TLS connection. Tokens remain valid for one day. 

account owner

The individual or business entity that has legal ownership of a financial account. The account owner is responsible for the account and has the authority to perform actions such as deposits and withdrawals.

ACH

The Automated Clearing House (ACH) is an electronic network in the US that processes financial transactions like direct deposit, payments, and B2B transfers, acting as a central clearing system for banks to securely and efficiently exchange funds.

ACH Operator

The central clearing facility managed by the Federal Reserve Bank.

ACH processor

The KeyBank processing system for ACH transactions that gathers, sorts, batches, and verifies the transactions prior to sending them to the ACH Operator.

addenda

Data records that have additional information about the payment transaction like remittance information.

AOA

Account Ownership Authentication (AOA) is a process used to verify that the person or entity attempting to use a bank account is its legitimate owner. It ensures that the account details provided (such as name, address, date of birth, and other identifiers) match authoritative data sources before allowing transactions. This is part of the Account Validation API. 

API

Application Programming Interface (API) is a documented interface between two systems to exchange information in a commonly agreed upon format. KeyBank uses REST APIs with JSON payloads over the HTTPS protocol.

API consumer

An authorized user of the API developer portal that has provisioned credentials (API keys) and permission to use our APIs.

API keys

Application and client credentials required to access and use our APIs.

application credentials

Client-specific identification and password that verify you are authorized to access KeyBank APIs. Application credentials (consumer key and consumer secret) are used with client credentials to obtain an access token. Both are provided during onboarding.

ASCII

The American Standard Code for Information Interchange (ASCII) is a character encoding standard that assigns numeric codes (0-127) to letters (A-Z, a-z), digits (0-9), punctuation marks, and control characters. ASCII is used with banking APIs to ensure interoperability with clearing houses and payment networks that may mandate ASCII-only formats.

authentication

Part of the entitlement process to verify your identity with KeyBank client credentials.

authorization

Part of the entitlement process to permit use of the APIs with application credentials. 


B2B

B2B stands for business-to-business, signifying that the transaction is directly between two companies.

BaaS

Banking as a Service (BaaS) is a financial technology model that gives non-banking businesses (like fintech and third-party vendors) the ability to make payments or manage accounts through APIs provided by licensed banks. 

BAI

The Bank Administration Institute (BAI) is the standard format for electronic cash management reporting. BAI uses numeric codes to represent types of reporting information to help with reconciliation and integration with treasury or ERP systems. This is commonly used with previous day and intraday reporting for secure file transfers and APIs.

batch

A software method of running a series of jobs to collect and group similar queries or data sets, typically set to run automatically to a schedule. This is an effective process for running high-volume, repetitive jobs.

bearer token

A unique code generated with your application and client credentials that permits use of the APIs. This is also known as an access token. This token is required in the Authorization header for every API call over a secure TLS connection. Tokens remain valid for one day.

BIC

The Bank Identifier Code (BIC) is a standard code used to identify financial institutions in global transactions. This is also referred to as a SWIFT code. It is essential for routing payments and addressing messages in cross-border banking.

BIN

The Bank Identification Number (BIN) is the first 6 to 8 digits of a payment card number that identify the issuing bank, card brand, card type, and country of origin. BINs are necessary for payment routing, fraud prevention, and card validation.


CA

The Certificate Authority (CA) is a trusted third-party entity that issues, signs, and stores a certificate. It also binds the certificate to keys to encrypt and authenticate communication. CAs prevent impersonation and bad actions with increased web security.

CCD

The Corporate Credit or Debit (CCD) is an ACH payment format used for B2B transactions. It enables electronic transfer of funds between corporate accounts, often for vendor payments or intra-company transfers. 

CDA

Controlled Disbursement Account (CDA) is a cash management account that provides businesses with early day notification of checks clearing, giving control over funding needs and cash flow management.

certificate

An issued and signed digital contract that permits the connection between servers and their resources (like applications).

Certificates provide a digital signature and encrypted system information to support secure communication between servers, app to server, and human to app. You must exchange certificates with KeyBank before using our APIs.

CIN

Customer Identification Number (CIN) is a unique identifier assigned by banks to their customers for identity verification and compliance with regulatory requirements.

CIU

Consumer Identification Unit (CIU) is a program for financial institutions to verify customer identities to prevent fraudulent behaviors. It helps banks know who their customers are before opening or connecting with an account.

CIX

Customer Information Exchange refers to systems or platforms that exchange customer-related information between financial institutions.

clearing house

The primary system for sending batches of electronic credit and debit transfers between banks and credit unions.

client

The application or site that uses KeyBank APIs. A client is controlled by verified, authenticated users who have onboarded with KeyBank.

client credentials

A unique identification and password required to verify the API consumer's identity.  Client credentials (client ID and client secret) are provided during onboarding.

code

The program instructions for the API that show how the API request and response are in JSON format.

code snippet

Provides small examples of code in JSON data format.

collected

Status for ACH transactions that have been successfully consolidated and batched by KeyBank before sending the transactions to the ACH Operator for payment processing.

condition code

Code returned in the Account Validation API response that determines if the account was validated fully or partially based on match indicators and custom acceptance thresholds.

consolidation

The action of grouping transactions and related data by a group of data sets. Consolidation can involve conversion from one file format to another.

CPCS

The Check Processing Control System (CPCS) describes banks or systems dedicated to handling and clearing checks to ensure accurate and timely settlement for paper-based transactions.

credentials

Unique identifiers that authenticate and authorize resources and clients to access and use KeyBank APIs. Credentials can include your keys, token, or certificates.

credit

To push funds to other accounts.

CTX

The Corporate Trade Exchange (CTX) is a type of ACH payment for B2B transactions that require detailed remittance information. CTX supports multiple addenda records, making it ideal for payments covering multiple invoices.

cURL command

The client URL (cURL) is a command line tool that sends data between two systems like web systems or application to server.

DDA

Demand Deposit Account (DDA) is a bank account that you can withdraw funds from at any time without prior notice. This is typically a checking account.

debit

To pull funds from an account.

deprecate

An item that is no longer relevant or needed. Any deprecated fields or schemas in the API specifications are removed.

DFI

Designated Financial Institution (DFI) is a financial institution, like a bank or credit union, that has been officially assigned to receive and manage specific funds for a particular purpose. Designation implies that the institution has been vetted to handle such transactions securely and appropriately.

domain

A domain is a group of computers and devices using the same group of resources. A domain name identifies the IP address or web URL associated with those resources and can be used to authenticate use and access permissions.

EFT

Electronic Funds Transfer (EFT) is the digital transfer of money between bank accounts without the use of paper checks or cash. This can include ACH payments, wire transfers, and card-based transactions.

EKU

EKU (Extended Key Usage) is like a “permission tag” inside a digital certificate that tells computers what the certificate is allowed to do. EKU is one field in a PKI. 

A TLS certificate can have different EKUs for different purposes. For example:  

  • Server Authentication EKU means “this certificate can secure a website” (what you use for HTTPS).
  • Client Authentication EKU means “this certificate can identify a device or user when connecting to a server” (used in mutual TLS or secure API calls).

Embedded Banking

A KeyBank line of business dedicated to taking traditional financial products and inserting them into non-financial software platforms to improve distribution, accessibility, and online data processing.

endpoint

The digital location where the API receives requests and sends out responses. Each endpoint is a URL that gives the location of a resource on the API server.

entitlements

Entitlements authenticate your identity and contain the authorization rules for the APIs you need to access. Part of the account entitlements are the API keys.

enumerators

A data type with a limited set of possible values, where each value is constant.

environment

A virtual space to test or publish a program. The environment can be configured by resources like the server or a cloud platform.

ETL

Extract, Transform, and Load is a data integration process to collect data from multiple sources, standardize the information, and then load it into a system like a data warehouse. ETL helps with accurate reporting and compliance for large amounts of financial data.

exception

A problem during the execution of a program that affects its ability to function correctly. Many APIs have a schema object named exception that contains standard error information.


FACTS

Financial Alerts and Case Tracking System (FACTS) is an internal system used by financial institutions to monitor, record, and resolve alerts related to suspicious activities or fraud investigations.

Fedwire

The EFT system operated by the twelve US Federal Reserve Banks, commonly used by banks, credit unions, and federal agencies for same-day wire fund transfers.

financial institution

A financial institution (FI) is an organization that facilitates financial transactions like deposits and payment services, often referring to banks, credit unions, or brokerage firms.

fintech

Short for financial technology, fintech refers to any entity that uses technology to interact with financial services or automate commands in the financial industry.

FNS

Financial National Services (FNS) refers to technology or service providers for payment processing and networks used by banks and payment systems.

FRB

The Federal Reserve Bank (FRB) is the central banking system of the US that sets monetary policies and provides bank supervision and financial services like payment processing.

FX

Foreign Exchange (FX) is the process of converting one currency into another, typically for international trade, travel, or investment. This can also refer to the global market where currencies are bought and sold.


gateway

An API gateway acts as a communicator between clients and the API services that they can access. It monitors and handles authentication, authorization, rate limiting, routing, and request/response transformation.


header

The beginning of a request or response. For a request, the header typically includes required parameters like Authorization with the access token plus any additional client identification. For a response, it usually contains metadata about the request like date processed and transaction status. 

health check

Basic connection call to verify that the API is receiving requests and to help confirm there are no interruptions to service. A token is required for all health checks.

Hogan

A core banking system that provides real-time access to bank customer relationships to verify accounts and settle funds.

IAT

International ACH Transaction (IAT) is an ACH payment used for cross-border transactions where at least one financial institution is outside of the US. IAT includes additional data for compliance with regulatory bodies like OFAC.

idempotency

The method for REST APIs with HTTP/S to check if a single call used multiple times has the same result. This prevents duplicate operations with APIs.

instant payments

Another term for real-time payments. 

ISO

The International Organization for Standardization (ISO) sets global standards for products, services, and systems to make sure they are well-formed, consistent, and safe for transaction and information sharing.


JSON

JavaScript Object Notation (JSON) is a human-readable text format for data interchanged between servers and apps. JSON is a universal language for different programming platforms that have data structured into key-value pairs, arrays, and objects.


keys

A string of letters and numbers that acts as a unique identifier to authenticate API calls.

There are two types of keys needed to access the API: consumer keys and client keys. Consumer keys authenticate user access and verify the API consumer identity. Client keys permit use and access of subscribed API products and services. API keys can also be used to track user engagement with the APIs, like the number of requests made and the type of requests.


Lockbox

A service provided by banks to streamline deposits for receiving financial institutions.

mTLS

Mutual Transport Layer Security (mTLS) is a two-way authentication mechanism that uses digital certificates signed using the PKI framework.


Nacha

Nacha stands for National Automated Clearing House Association, the organization responsible for managing the rules and regulations governing the ACH network in the US. The Nacha file format is used to create batch files that contain multiple transactions, like direct deposits, bill payments, and other types of electronic payments. These files are commonly used by businesses, financial institutions, and other organizations to initiate and process ACH transactions.

NHID

Non-Human Identification (NHID) is an identifier used for application processes not connected to an actual person, like service accounts or batch processing IDs. These IDs are necessary for automation and system-level operations. 

NOC

Notification of Change is an ACH message sent by the receiver’s bank to correct account or routing information for future transactions. This is not used for returns. NOC indicates that the original transaction posted successfully, but needs updates for compliance.

Non-production

This environment is ideal for fine-tuning before you go live. Use integration testing to ensure your API is functioning properly and end-to-end testing to validate your build.

NSDR

National Shared Database Resource is the collection of data contributed to by consumers and used to verify account owner information.


OAuth

Short for Open Authorization, OAuth 2.0 is an open standard for token-based permission to access APIs.

ODFI

The Origination Depository Financial Institution (ODFI) is the financial institution of the payer or the originator.

OFAC

Office of Foreign Asset Control is a US Treasury agency that enforces economic and trade sanctions against targeted countries, entities, and individuals. It is required that financial institutions screen transactions with OFAC to prevent fraudulent activities.

onboarding

The process of becoming a KeyBank API consumer.

OpenAPI specification

A logical organization of API product code adhering to OpenAPI standards and presented in a readable file format. This language-agnostic description enables both developers and applications to discover and fully understand an API's capabilities and parameters.

originator

The company or business that initiates a credit (payment) transaction to the receiver (payee). Before a transaction can be sent, the originator has authorized the receiver to credit or debit their account.


PAR number

The Payment Assigned Reference (PAR) number is a unique identifier assigned by the ACH Product Processor. This is used to identify the transaction without exposing any sensitive consumer identification information.

party

Any participant involved in a payment transaction, like the remitter, payee, intermediary bank, or beneficiary. Each party has a defined role and related conditions in the payment flow. 

path

Parameter variables embedded in the API URL to identify specific resources.

payee

The recipient of funds in a payment transaction. The payee is the entity or individual to whom money is credited.

payment chain

A sequence of events to send a payment from the originator (debit party) to the receiver (credit party).

PCI

Payment Card Industry (PCI) is a set of standards and compliance requirements to secure cardholder data and transactions. 

PKI

PKI stands for Public Key Infrastructure. It’s a combination of technology, policies, and processes that allow you to securely exchange information over the internet.

Here’s the simple breakdown:

  • Certificates: Digital “ID cards” that prove the identity of a website, server, or user.
  • Public and Private Keys: A pair of cryptographic keys—one public, one private—that work together to encrypt and decrypt data.
  • Certificate Authorities (CAs): Trusted entities (like DigiCert) that issue and validate certificates.
  • Trust Model: Rules that ensure only valid certificates are trusted by browsers, apps, and systems.

In summary, PKI is the backbone of secure communication online. It ensures that when you connect to a website or API, you know who you’re talking to and that the data is encrypted.
 

PPD

Prearranged Payments and Deposits (PPD) is a type of ACH (Automated Clearing House) transaction used for consumer payments, such as direct deposits (payroll) and preauthorized bill payments. PPD entries allow businesses to debit or credit a consumer’s account with prior authorization.

Production

The live environment where any user with web access to the application or tool can view and interact with the content/services. The production environment returns live responses with real data and real money.

query

Key-value pairs that are appended to the API endpoint URL to filter, sort, or customize the data returned in the response. Query parameters follow a question mark (?) in the URL.


rate limiting

The number of API calls allowed in a given time period. A user may be throttled when exceeding that limit.

RDFI

The Receiving Depository Financial Institution (RDFI) is the financial institution of the receiver. The ACH operator processes the transactions and sends the funds to the financial institution before the money is posted to the receiver's account.

receiver

The individual or company that receives the funds. Before a transaction can be received, the receiver has authorized the originator to credit or debit their account.

remitter

The person or entity that initiates a payment or transfer of funds. The remitter is the source of the funds being sent to the beneficiary or payee.

resource

Information returned by an API. A resource typically has multiple endpoints and methods to access the information.

REST

REpresentational State Transfer, sometimes referred to as RESTful APIs or REST APIs, is an architectural style with design principles that provide a flexible, lightweight way to integrate applications.

return

When the banking application cannot process the payment, mainly due to insufficient funds, the payment is sent back to the originator.

reverse

To pull back a payment that originated erroneously. When you reverse a transaction, a debit is created on the receiver’s account.

RTP

Real-Time Payment (RTP) is an immediate, instant payment from one account to another. 


schema

Reusable containers of parameters that can be referenced in an API to complete an action or part of a set of actions.

SEC code

The Standard Entry Class (SEC) code is a three-letter code for the authorization method for ACH payments.

settled

A banking process that indicates when funds have successfully and completely transferred from ODFI to RDFI. Also known as settlement.

SFTP

Secure File Transfer Protocol (SFTP) is a secure method for transferring files over a network using encryption and the Secure Shell (SSH) protocol.

Simulator

Dev Portal users and API consumers can demo KeyBank’s APIs by imitating a real API server and providing realistic static mock API responses to requests. In turn, the mock simulates the data the API would return, matching schema with data types, objects, and arrays. This allows for testing connectivity prior to development.

special characters

Any character that is not classified as alphabetic (A-Z, a-z) or numeric (0-9). Special characters generally include punctuation marks, symbols, or control characters.

All special characters are allowed in most cases. The following special characters are allowed if properly escaped: *#@&-_,./\""

SWIFT

Society of Worldwide Interbank Financial Telecommunication (SWIFT) is a global messaging network for secure and standardized communication between different financial institutions, typically used for wire transfer, international payment, and tradable assets.


TAM

A Technical Account Manager (TAM) is a KeyBank liaison between the technical teams and the client's needs to make sure KeyBank delivers accurate and efficient API technical solutions.

TLS

Transport Layer Security (TLS) is a cryptographic protocol that secures data transmitted over networks by providing encryption, authentication, and integrity. TLS is widely used in HTTPS and API communications to protect sensitive information.

ToS

Terms of Service is a legal agreement that outlines the rules, responsibilities, and conditions for using a service.

TPS

Transactions Per Second (TPS) is a performance metric that measures how many financial transactions a system can process in one second. It is critical for evaluating scalability and efficiency in payment systems and APIs.

trace number

An identifier returned for each ACH transaction submission that stays with the transaction through its lifecycle. The trace number is required for inquiry calls about that specific transaction.

transaction ID

An identifier created and associated with a transaction through its lifecycle. 


undo

Stop an ACH payment transaction before it is collected by the ACH processor. The time window to stop an ACH payment is configurable.

Unicode

A universal character encoding standard that supports text representation for most languages and symbols. For APIs, it is common to use UTF-8 because it can handle multilingual text consistently and is backwards compatible with ASCII.

UUID

UUID stands for Universally Unique Identifier. This is a useful attribute to recall a transaction before the next batch cycle runs. You create this value. This can be an alphanumeric value with a maximum length of 45 characters. For example, a random UUID value can be 5ea39056-49gb-4714-b941-e52b1bec7. The batch and the individual UUID can be the same. KeyBank recommends that you use different UUID values.

Note, since the UUID field is required to undo an ACH payment request, KeyBank strongly encourages that the UUID be included with all ACH Origination calls.


VAM

Virtual Account Management (VAM) is a cash management solution that links virtual account numbers to a physical account to help simplify reconciliation, reporting, and batching.


webhook

An event-driven notification method for one-way communication between web systems in real-time. After registration, notifications and alerts can be sent automatically upon a specific event like a payment collected or posted.

wire

An electronic way to transfer money.

X-CorrelationId

An identifier that is automatically created and attached to each API request. This ID is only used for traceability within the KeyBank network and is useful for support.


YAML

YAML Ain’t a Markup Language

A file type that converts the API code in JSON format to a user-friendly data serialization language. YAML is an easier way to read and review the API specifications.