---
title: Zone Authentication | Keycard
description: Configuring and using Zone Authentication
---

Keycard provides zone user authentication by default. If you want to use your own identity provider (Okta, Auth0, Google, etc.) for zone-level user authentication, see [Identity Providers](/admin/identity-providers/index.md).

Note

This page covers **zone-level** authentication for authenticating users of your applications and MCP servers. For **organization-level** SSO (authenticating your team into Keycard Console), see [Single Sign-On](/admin/single-sign-on/index.md).

## Configuring and using Zone Authentication

1. **Configure Zone Authentication**

   1. In Keycard Console, navigate to **Zone Settings** (click your zone name in the sidebar)
   2. Under **Zone sign in configuration**, make sure **Use an external Identity Provider** is disabled. It is disabled by default.
   3. Decide whether to require invitations. If you disable **Require invitation to sign in to this zone**, **ANYONE** with a URL to the zone will be able to sign up without an invitation and access zone applications and MCP servers.
   4. Click **Save Changes**

2. **Invite Users**

   This step is optional if you disabled **Require invitation to sign in to this zone** in the previous step.

   1. In Keycard Console, in the sidebar under **Activity**, click **Users**
   2. Click **Invite User**
   3. Enter email addresses of anyone you’d like to be able to use the zone.
   4. Click **Invite to zone**

   The user does not need to open their invitation email. When invitations are required, inviting a user adds their email address to an allowlist of who can sign up for the zone.

3. **Use a Zone Protected Application or MCP Server / Create a Zone User Account**

   For ease of use, zone user sign-up is done in-band: when a user attempts to connect to a zone-provided application or MCP server, they are prompted to log in or sign up. After signing up or logging in, a user who has not yet verified their email is prompted to do so.

## Troubleshooting

Account creation fails

- If invitations are required, verify that the email the user is trying to sign up with matches a pending, non-expired invitation under **Users** -> **Invitations** in Keycard Console.
- Ensure they do not already have an account by looking for their email in **Users** in Keycard Console. If they have an account, instruct them to click **Forgot Password?** on the sign-in page to reset their password.

Login fails

- Ensure they have an account by looking for their email in **Users** in Keycard Console. If they do not have an account, invite them if needed and have them sign up. If they have an account, instruct them to click **Forgot Password?** on the sign-in page to reset their password.

I verified my email, but I still am not authenticated?

- If you clicked the email verification link rather than entering the code to continue the flow, you will need to reconnect to your application or MCP server and log in to the zone to proceed.
