This guide explains how API keys, JWT authentication, and the account hierarchy work together in Nelnet Payment Services (NPS).
It also walks through how to generate API keys in the NPS Portal and how to use parent-level credentials to act on behalf of child entities.
NPS accounts are organized into a hierarchy:
- Parent nodes (platforms, institutions, or partners)
- Child nodes (merchants, sub-clients)
Each node in the hierarchy has a unique Entity ID.
Identity (API keys) and behavior (configuration) both follow the hierarchy.
Most configuration in NPS is hierarchical and inheritable.
- Configuration set at a parent level is inherited by all children
- Child nodes may override specific settings if allowed
- Examples of hierarchical configuration:
- Payment methods
- Fraud rules
- CAPTCHA enforcement
- Surcharge behavior
While configuration inheritance is managed separately from API keys, it follows the same hierarchy model.
API keys are used to:
- Create JWTs for Bearer authentication
- Call backend APIs (Payments, Reporting)
- Create tokenization sessions for the browser
A single API key pair consists of:
- API Key ID → used as the JWT
sub - API Key (secret) → used to sign the JWT
API keys are always created at a specific node in the hierarchy.
- Keys created at a parent level can be used for all child nodes
- Keys created at a child level apply only to that node
- The breadcrumb in the portal shows where you are in the hierarchy
- Request access from Client Services or Technical Support
- Portal URL:
https://portal.nelnetpay.com - You will receive an email invite
- Follow the instructions in the email to activate your account
Before creating a key:
- Log in to the portal
- Click Hierarchy in the left navigation
- Navigate to the desired node (parent or merchant)
- Confirm the breadcrumb shows the correct location
Keys are attached to the node you are currently viewing.
- Select API Key Management in the left navigation
- Click the + button on the right
- Fill out the form:
- Key Name
- JWT Token Duration (in seconds)
- Associated Services
- Submit the form
A modal will display:
- API Key ID
- API Key (secret)
The API Key secret is shown only once. Store it securely.
These values are used to create JWTs for authentication.
After creation:
- The key should appear as ACTIVE
- You can view:
- Associated services
- Expiration dates
- Last 6 characters of the key
For example when making a Payments API call, you can specify the entity you are acting as:
{
"entityId": 1325691045,
"transactionType": "SALE",
"amount": 49.99
}- The
entityIdcorresponds to a node in the hierarchy - This allows:
- Parent-level keys to process payments for child merchants
- Centralized credential management
It is valid to:
- Tokenize using parent-level credentials
- Process the payment at the merchant level using
entityId
Example flow:
- Platform creates tokenization session at parent level
- Browser tokenizes payment data
- Backend submits payment using merchant
entityId
This supports:
- Marketplaces
- PayFac models
- Multi-merchant platforms
- API keys are created and scoped to hierarchy nodes
- Parent keys can act on behalf of child entities
- JWTs are created using API Key ID + API Key
entityIdcontrols who the transaction is processed as- Configuration and behavior inherit through the same hierarchy