FAQs

5-minute read | Updated Jan. 28, 2026

Knowing is half the battle

You can find most answers in our content, but some information is worth calling out. Here in Frequently Asked Questions (FAQs), KeyBank answers common inquiries and provides useful insights to equip you with the right knowledge.

Any commercial DDA account (like CBA, CDA, Sweep, ZBA, etc.) is supported once you have completed onboarding and are authorized to access the API.

Yes. You can have a zero-balance account. With our Payments APIs, you set up a zero-balance account to receive funds or use the account with our Inquiry APIs to track and report data. Zero-balance accounts are a great option to perform common tasks, simplify financial management, and minimize risk.

Pretty much! Bearer token is a more formal term for access token. Essentially, tokens are the primary way to access an API secured with OAuth 2.0. Only authenticated users with client credentials can request a token.

OAuth 2.0 is the industry-standard protocol for secure authorization and controlled API access. Once successfully authenticated with the API keys above, the authorization server issues an access token directly to the client. We use bearer tokens as our access tokens. This bearer token can then be used to make authorized requests to our APIs. Bearer tokens must be refreshed every 24 hours.

Use your KeyBank credentials to get an access token. Run the following cURL command. The certificate files must be identified in the first line. Application credentials are Base64 encoded and used with your client credentials to get an access token.

curl -X POST --cert {{client.crt}} --key {{client.key}} --cacert {{ca.crt}} \
'https://{{HOST}}/oauth/v1/token' \
-H 'Authorization: Basic {{base64(CONSUMER_KEY:CONSUMER_SECRET)}}' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'X-CorrelationId: {{transaction identifier at overall system level}}' \
-d 'Id={{CLIENT_ID}}&Key={{CLIENT_SECRET}}&grant_type=client_credentials'

When you request an access token, the response includes an attribute apiProductList. Review this field to see what APIs you have access to. If you need to request another API product, contact your Payments Advisor.
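
An added example, not KeyBank's own code: the token request above rebuilt so that no secret appears on the command line. It feeds curl a config on stdin, URL-encodes the form values, and generates a fresh X-CorrelationId; the environment variable names and the 32-hex-character ID format are assumptions.

```shell
#!/bin/sh
# Added example: the page's token request with secrets kept out of argv.
# Environment variable names and the hex correlation-ID format are assumptions.

# Base64 of "key:secret" for the Basic header. printf avoids echo's trailing
# newline; tr removes the line wrap base64 inserts on long input.
basic_credentials() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# 32 hex characters from the kernel CSPRNG, a new value for every request.
new_correlation_id() {
  od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

# Escape backslash and double quote for a quoted curl config value.
cfg_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Print a curl config for the token call. data-urlencode implies POST and
# encodes characters such as & or + inside the credentials.
token_request_config() {
  cat <<EOF
url = "https://${HOST}/oauth/v1/token"
cert = "$(cfg_escape "$CLIENT_CRT")"
key = "$(cfg_escape "$CLIENT_KEY")"
cacert = "$(cfg_escape "$CA_CRT")"
header = "Authorization: Basic $(basic_credentials "$CONSUMER_KEY" "$CONSUMER_SECRET")"
header = "Content-Type: application/x-www-form-urlencoded"
header = "X-CorrelationId: $(new_correlation_id)"
data-urlencode = "Id=$(cfg_escape "$CLIENT_ID")"
data-urlencode = "Key=$(cfg_escape "$CLIENT_SECRET")"
data-urlencode = "grant_type=client_credentials"
EOF
}

# Usage: token_request_config | curl --silent --show-error --fail --config -
```

Because the config reaches curl on stdin, the Basic header and client secret stay out of process listings and shell history.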

Most likely, you are correctly authenticated to access our APIs, but do not have authorization for the API product you are trying to use. There is a good way to figure this out.

  1. Review your token response and look at the api_product_list_json field. This lists which APIs you have access to. If you don’t see the API listed, use our Client Support form to request this API product.
  2. Verify system security settings.
    • Make sure your IP addresses are correct. Sometimes IP addresses change with a proxy.
    • Confirm that your certificates are valid and saved in your trust store.
  3. If you still get an error, reach out to the onboarding team to get information about your status and current products.

Certificates are electronic documents that verify your identity. Your certificate cannot be self-signed. It must be issued and signed by a publicly trusted certificate authority.

Think of a digital certificate like a virtual ID card for a website, or in this case the developer portal. When the client connects to the site, the certificate legitimizes the client’s identity. When the client wants to transfer data on a cloud network, the certificate helps encrypt the data.

Connection to the KeyBank network requires a mutual TLS two-way authentication mechanism that uses digital certificates signed using the public key infrastructure (PKI) framework. Therefore, KeyBank requires a public certificate chain from the client that meets the following requirements:

  • Only one certificate is required for all APIs.
  • The certificate must have a CSR and private key.
  • The certificate chain must include the root, intermediate, and leaf.
  • The certificate can be in any format, like *.pem, *.crt, or *.cer.
  • Certificates cannot be self-signed.
  • The certificate must be issued by a trusted certificate authority organization like DigiCert.
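
A preflight check for the certificate requirements listed above, as an added example that is not KeyBank's tooling. It assumes the openssl CLI, a PEM bundle with the leaf certificate first, and an unencrypted private key; the file names are placeholders.

```shell
#!/bin/sh
# Added example: preflight checks for the client certificate requirements.
# Assumes the openssl CLI and a PEM bundle whose first certificate is the leaf.

# Number of certificates in a PEM bundle (leaf + intermediate + root = 3 or more).
chain_cert_count() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# True when the leaf has identical subject and issuer (self-issued), the
# usual sign of a self-signed certificate.
leaf_is_self_signed() {
  subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^[a-z]*= *//')
  issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^[a-z]*= *//')
  [ "$subject" = "$issuer" ]
}

# True when the private key in $2 belongs to the leaf certificate in $1.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# True when the leaf is still valid N days from now (default 30).
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# preflight chain.pem client.key: prints each failed requirement, returns 1 on any.
preflight() {
  rc=0
  [ "$(chain_cert_count "$1")" -ge 3 ] || { echo "chain lacks root/intermediate/leaf"; rc=1; }
  leaf_is_self_signed "$1" && { echo "leaf is self-signed"; rc=1; }
  key_matches_cert "$1" "$2" || { echo "private key does not match leaf"; rc=1; }
  valid_for_days "$1" 30 || { echo "leaf expires within 30 days"; rc=1; }
  return "$rc"
}
```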

A digital notary for certificates issued by a trusted third party. KeyBank recommends DigiCert, Verisign, Comodo, Entrust, GeoTrust, GlobalSign, GoDaddy, SecureTrust, or USERTrust (Sectigo).

Absolutely. This is a regular operational activity, and all clients are informed via secure email. This communication is sent 30-60 days prior to certificate changes to any environment.

UUID stands for Universally Unique Identifier. This is a useful attribute to recall a transaction before the next batch cycle runs. You create this value. This can be an alphanumeric value with a maximum length of 45 characters. For example, a random UUID value can be 5ea39056-49gb-4714-b941-e52b1bec7. The batch and the individual UUID can be the same. KeyBank recommends that you use different UUID values.

Note: because the UUID field is required to undo an ACH payment request, KeyBank strongly encourages including the UUID with all ACH Origination calls.

The X-CorrelationID parameter is a unique identifier created for each API operation. This ID is returned in an error response so you can trace the transaction across the chain of API operations in event logs. The system automatically generates a random alphanumeric ID in the response.

If an API service is down, KeyBank will immediately communicate that information by email. The Developer Portal will also display a banner with possible additional information in our “Announcements” section.

If you are experiencing issues and have not received any communication, contact Support immediately by emailing fintech_support@keybank.com.

In any situation, we aim to provide information in a timely and efficient manner, depending on the circumstance.

  1. If there is a major upgrade approaching, we will provide notice and any client-action information 3+ weeks in advance. This communication will be shared via email and also available on our Announcements page.
  2. For service interruptions due to operational maintenance, we typically give one-week notice in advance by email as well as on the Developer Portal banner.
  3. In the event of an emergency downtime, the notice period will be shorter. An email will be sent out to clients immediately, with the Developer Portal banner and possible related content to be updated soon after.

Use the Client Support form to submit an issue. There is a text field in the form that will allow you to paste the cURL command used or the request body text. However, this field is limited. Once a Support member has contacted you, reply to the secure email with the following information:

  • Complete cURL command.
  • Screenshot or text file of the URL path and header parameters used in your API tool, like Postman.
  • Screenshot or text file of the request and response payloads.

All information should be shared securely through trusted and encrypted communication channels. If this is an urgent or immediate matter, use this email for emergency request….

All special characters are allowed in most cases. The following special characters are allowed if properly escaped:

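| Special character | Name |
| --- | --- |
| `*` | asterisk |
| `#` | hash or number symbol |
| `@` | at sign |
| `&` | ampersand (Note: Ampersands are not allowed in the Stop Payment request.) |
| `-` | hyphen |
| `_` | underscore |
| `,` | comma |
| `.` | period |
| `/` | forward slash |
| `\` | back slash |
| `" "` | quotations |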