Keycard Docs
The control plane for agent access to tools, APIs, and data
Every agent gets an identity. Every tool call gets a credential. Every action gets a log.
Start here
Quickstart: Set up Keycard and start building.
Run Claude Code in a Keycard-protected session, with policy enforcement and audit. After this you’ll have:
- The Keycard CLI installed
- Keycard configured
- A policy-enforced agent session
- Keycard protecting your tool calls
- An audit log of all tool authorization decisions
Learn about Keycard Concepts →
BUILD WITH KEYCARD
Build delegated agents, run authorized services, create multi-agent systems, and more.
- Access APIs on Behalf of Users: Build agents that act on behalf of signed-in users, with each API call scoped to that user’s identity, permissions, and audit attribution.
- Run Apps Without Static Secrets: Run services without long-lived API keys. The workload’s own identity authorizes every call, with short-lived scoped credentials per request.
- Grant Agent Access to APIs: Build autonomous agents and multi-agent systems where each agent has its own identity, scoped permissions, and audit trail, independent of any human.
See all Guides →
CLI & SDKs
The CLI and client libraries that make your agents and tools Keycard-aware.
- Keycard CLI: Run coding agents in policy-enforced sessions, manage auth, and operate Keycard from your terminal.
- MCP SDK: Add OAuth-based authentication to your MCP server. Bearer middleware, metadata endpoints, and grant decorators in Python and TypeScript.
- OAuth Primitives: Low-level OAuth 2.0 primitives for discovery, token exchange, JWT, and PKCE. Build custom flows outside MCP.
- Agent-to-Agent: Add Keycard authentication to the A2A protocol so one agent can delegate tasks to another while preserving the user’s identity.
View Reference for Keycard tools, skills, architecture, and more →
ADMIN
Configure and operate identity, policy, roles, SSO, audit, deployment, and billing.
- Single Sign-On: Bring your own IdP, such as Okta, Auth0, Google, or any OIDC provider.
- Roles & Permissions: Who can do what, scoped to the organization or zone.
- Audit Log Export: Stream Keycard audit events to your SIEM or data warehouse.
- Catalog: One-click integrations with APIs for Gmail, Slack, GitHub, Linear, and more.
Admin configuration →