Provider APIs Overview
Use Keycard to get scoped credentials for external APIs. No static secrets, no manual rotation.
Keycard issues short-lived, scoped credentials that external providers accept via Workload Identity Federation (WIF). Your application authenticates to Keycard, requests a token for a specific provider, and uses that token directly with the provider’s API. No API keys stored anywhere.
Your AppUses credential with provider
Keycard-minted access token
Provider APIShort-lived token, no secrets stored
Keycard ZoneIssues scoped credential
Provider WIFValidates JWT, returns access token
How it works
Section titled “How it works”- Register the external API as a resource in your Keycard zone and select your zone provider as the credentials issuer
- Configure the external provider to trust your zone’s OIDC issuer — each provider guide walks through this
- Your application authenticates to Keycard and requests a token scoped to the external resource
- Keycard issues a short-lived OIDC JWT signed by your zone, which the provider validates and exchanges for an access token
For the conceptual model behind access federation and brokered credentials, see Providers.
Supported providers
Section titled “Supported providers” Anthropic Dynamic credentials for Claude API via Workload Identity Federation