---
title: Identity Providers | Keycard
description: Connect your own OAuth 2.0 identity provider to a Keycard zone
---

Keycard provides [zone user authentication](/admin/zone-authentication/index.md) by default. If you want to use your own identity provider (Okta, Auth0, Google, etc.) for zone-level user authentication, follow the steps below.

**Note:** This page covers **zone-level** identity providers for authenticating users of your applications and MCP servers. For **organization-level** SSO (authenticating your team into Keycard Console), see [Single Sign-On](/admin/single-sign-on/index.md).

## Connect an Identity Provider

1. **Get your OAuth Redirect URL**

   - In Keycard Console, navigate to **Zone Settings** (click your zone name in the sidebar)
   - Copy the **OAuth 2 Redirect URL** (format: `https://<zone-id>.keycard.cloud/oauth/2/redirect`)
   - Keep this URL handy for the next step

2. **Configure your identity provider**

   **In Okta:**

   1. Navigate to **Applications** → **Create App Integration**
   2. Select **OIDC - OpenID Connect** and **Web Application**
   3. Add the OAuth Redirect URL to **Sign-in redirect URIs**
   4. Enable grant types: **Authorization Code**, **Refresh Token**
   5. Assign users to the application
   6. Note your **Issuer URL**, **Client ID**, and **Client Secret**

   **In Keycard Console:**

   1. Click **Providers** in the sidebar, then click **Add Provider**
   2. Enter **Issuer URL**: `https://your-domain.okta.com`
   3. Enter **Client ID** and **Client Secret**
   4. Click **Connect**

   **In Auth0:**

   1. Navigate to **Applications** → **Create Application**
   2. Select **Regular Web Application**
   3. Add the OAuth Redirect URL to **Allowed Callback URLs**
   4. Note your **Domain**, **Client ID**, and **Client Secret**

   **In Keycard Console:**

   1. Click **Providers** in the sidebar, then click **Add Provider**
   2. Enter **Issuer URL**: `https://your-tenant.auth0.com/` (include trailing `/`)
   3. Enter **Client ID** and **Client Secret**
   4. Click **Connect**

   **In Google Cloud Console:**

   1. Navigate to **APIs & Services** → **Credentials**
   2. Create an **OAuth 2.0 Client ID** (Web application)
   3. Add the OAuth Redirect URL to **Authorized redirect URIs**
   4. Note your **Client ID** and **Client Secret**

   **In Keycard Console:**

   1. Click **Providers** in the sidebar, then click **Add Provider**
   2. Enter **Issuer URL**: `https://accounts.google.com`
   3. Enter **Client ID** and **Client Secret**
   4. Click **Connect**

   **For any OAuth 2.0 / OIDC provider:**

   1. Create a web application in your provider
   2. Add the OAuth Redirect URL to allowed redirect URIs
   3. Enable **Authorization Code** and **Refresh Token** grant types
   4. Note your provider’s issuer URL, client ID, and client secret

   **In Keycard Console:**

   1. Click **Providers** in the sidebar, then click **Add Provider**
   2. Enter your provider’s **Issuer URL**
   3. Enter **Client ID** and **Client Secret**
   4. Click **Connect**

3. **Select the identity provider for the zone**

   **In Keycard Console:**

   1. Click **Zone Settings** in the sidebar
   2. Select the **Identity Provider** dropdown
   3. Select the provider you just configured
   4. Save your changes

## Troubleshooting

**OAuth flow fails or redirects to error page**

- Verify the OAuth Redirect URL is correctly added to your identity provider
- Ensure your identity provider’s issuer URL is correct (include/exclude trailing `/` as required)
- Check that users are assigned to the application in your identity provider
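
The first two checks above can be run before clicking **Connect**. The sketch below is an added example, not Keycard's own code: it assumes the provider publishes an OIDC discovery document at `/.well-known/openid-configuration` and that a zone ID is a single DNS label. The function names are hypothetical and the two discovery documents are constructed samples.

```python
import json
import urllib.request
from urllib.parse import urlsplit

REQUIRED_GRANTS = {"authorization_code", "refresh_token"}  # grant types this page asks for
DEFAULT_GRANTS = ["authorization_code", "implicit"]  # OIDC default when the field is omitted


def fetch_discovery(issuer_url, timeout=5):
    """Fetch the provider's discovery document (network call; the samples below do not use it)."""
    url = issuer_url.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def check_redirect_url(redirect_url):
    """Check the documented shape https://<zone-id>.keycard.cloud/oauth/2/redirect."""
    u = urlsplit(redirect_url)
    labels = (u.hostname or "").split(".")
    problems = []
    if u.scheme != "https":
        problems.append("redirect URL must use https")
    # Assumption: the zone ID is one non-empty DNS label in front of keycard.cloud
    if len(labels) != 3 or not labels[0] or labels[1:] != ["keycard", "cloud"]:
        problems.append("host is not <zone-id>.keycard.cloud")
    if u.path != "/oauth/2/redirect" or u.query or u.fragment:
        problems.append("path must be exactly /oauth/2/redirect")
    return problems


def check_issuer(entered_issuer, discovery):
    """Compare the Issuer URL you plan to enter with what the provider publishes."""
    problems = []
    published = discovery.get("issuer", "")
    if entered_issuer != published:
        kind = "trailing slash" if entered_issuer.rstrip("/") == published.rstrip("/") else "issuer"
        problems.append(f"{kind} mismatch: provider publishes {published!r}")
    advertised = set(discovery.get("grant_types_supported", DEFAULT_GRANTS))
    for grant in sorted(REQUIRED_GRANTS - advertised):
        problems.append(f"grant type not advertised: {grant}")
    return problems


# Constructed discovery documents (sample data, not captured from a real tenant)
AUTH0_DOC = {"issuer": "https://your-tenant.auth0.com/",
             "grant_types_supported": ["authorization_code", "refresh_token"]}
OKTA_DOC = {"issuer": "https://your-domain.okta.com",
            "grant_types_supported": ["authorization_code", "implicit"]}

if __name__ == "__main__":
    print(check_issuer("https://your-tenant.auth0.com", AUTH0_DOC))
    print(check_redirect_url("https://zone123.keycard.cloud/oauth/2/redirect"))
```

`grant_types_supported` describes the provider as a whole; whether **Refresh Token** is enabled for your specific application still has to be confirmed in the provider's console.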
