API Reference

Get zone

zones.retrieve(zone_id: str, **kwargs: ZoneRetrieveParams) -> Zone
GET /zones/{zoneId}

Returns details of a specific zone by ID

Parameters
zone_id: str
expand: Optional[Union[Literal["permissions"], List[Literal["permissions"]]]]
Accepts one of the following:
Literal["permissions"]
List[Literal["permissions"]]
Returns
class Zone:

A zone for organizing resources within an organization

id: str

Unique identifier of the zone

created_at: datetime

Entity creation timestamp

format: date-time
name: str

Human-readable name

minLength: 1
maxLength: 255
organization_id: str

Organization that owns this zone

protocols: Protocols

Protocol configuration for a zone

oauth2: ProtocolsOauth2

OAuth 2.0 protocol configuration for a zone

authorization_endpoint: str

OAuth 2.0 authorization endpoint

format: uri
authorization_server_metadata: str

OAuth 2.0 Authorization Server Metadata endpoint (.well-known/oauth-authorization-server)

format: uri
dcr_enabled: bool

Whether Dynamic Client Registration is enabled

issuer: str

OAuth 2.0 issuer identifier

format: uri
jwks_uri: str

JSON Web Key Set endpoint

format: uri
pkce_required: bool

Whether PKCE is required for authorization code flows

redirect_uri: str

OAuth 2.0 redirect URI for this zone

format: uri
registration_endpoint: str

OAuth 2.0 Dynamic Client Registration endpoint

format: uri
token_endpoint: str

OAuth 2.0 token endpoint

format: uri
openid: ProtocolsOpenid

OpenID Connect protocol configuration for a zone

provider_configuration: str

OpenID Connect Provider Configuration endpoint (.well-known/openid-configuration)

format: uri
userinfo_endpoint: str

OpenID Connect UserInfo endpoint

format: uri
slug: str

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63
updated_at: datetime

Entity update timestamp

format: date-time
default_mcp_gateway_application_id: Optional[str]

Application ID configured as the default MCP Gateway for the zone

default_resource_id: Optional[str]

Resource ID configured as the default resource for the zone

description: Optional[str]

Human-readable description

maxLength: 2048
encryption_key: Optional[EncryptionKeyAwsKmsConfig]

AWS KMS configuration for zone encryption. When not specified, the default Keycard Cloud encryption key will be used.

arn: str

AWS KMS Key ARN for encrypting the zone's data

minLength: 1
type: Literal["aws"]
login_flow: Optional[Literal["default", "identifier_first"]]

Login flow style for the zone. 'default' uses standard authentication, 'identifier_first' uses identifier-based provider routing.

Accepts one of the following:
"default"
"identifier_first"
permissions: Optional[Dict[str, Dict[str, bool]]]

Permissions granted to the authenticated principal. Only populated when the expand[]=permissions query parameter is provided. Keys are resource types; values are objects mapping action names to boolean values.

requires_invitation: Optional[bool]

Whether the zone requires an invitation for email/password registration. Only applies when user_identity_provider_id is not set.

user_identity_provider_id: Optional[str]

Provider ID configured for user login

Get zone

from keycardai_api import KeycardAPI

client = KeycardAPI()
zone = client.zones.retrieve(
    zone_id="zoneId",
)
print(zone.id)

Example response

{
  "id": "id",
  "created_at": "2019-12-27T18:11:19.117Z",
  "name": "x",
  "organization_id": "organization_id",
  "protocols": {
    "oauth2": {
      "authorization_endpoint": "https://example.com",
      "authorization_server_metadata": "https://example.com",
      "dcr_enabled": true,
      "issuer": "https://example.com",
      "jwks_uri": "https://example.com",
      "pkce_required": true,
      "redirect_uri": "https://example.com",
      "registration_endpoint": "https://example.com",
      "token_endpoint": "https://example.com"
    },
    "openid": {
      "provider_configuration": "https://example.com",
      "userinfo_endpoint": "https://example.com"
    }
  },
  "slug": "slug",
  "updated_at": "2019-12-27T18:11:19.117Z",
  "default_mcp_gateway_application_id": "default_mcp_gateway_application_id",
  "default_resource_id": "default_resource_id",
  "description": "description",
  "encryption_key": {
    "arn": "x",
    "type": "aws"
  },
  "login_flow": "default",
  "permissions": {
    "zones": {
      "read": true,
      "update": true,
      "delete": false,
      "create": false
    },
    "applications": {
      "read": true,
      "list": true,
      "create": false
    }
  },
  "requires_invitation": true,
  "user_identity_provider_id": "user_identity_provider_id"
}
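
As an added example (not part of the Keycard documentation or SDK), the sketch below reviews the security-relevant fields of a Zone response: endpoint schemes and hosts, pkce_required, dcr_enabled, encryption_key, requires_invitation and the expanded permissions map. It assumes the response JSON has been loaded into a dict; the sample zone, the names audit_zone and granted_actions, and the policy checks themselves are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed sample in the shape of the Zone response above; all values are made up.
BASE = "https://zone-a.idp.example"
SAMPLE_ZONE = {
    "id": "zone_constructed_1",
    "protocols": {
        "oauth2": {
            "issuer": BASE,
            "authorization_endpoint": BASE + "/oauth2/authorize",
            "token_endpoint": "http://zone-a.idp.example/oauth2/token",
            "jwks_uri": "https://keys.other.example/jwks.json",
            "pkce_required": False,
            "dcr_enabled": True,
        },
        "openid": {"userinfo_endpoint": BASE + "/userinfo"},
    },
    "encryption_key": None,
    "requires_invitation": False,
    "user_identity_provider_id": None,
    "permissions": {"zones": {"read": True, "update": True, "delete": False}},
}

def audit_zone(zone):
    """Return review findings for a Zone dict. The policy is an assumption of this example."""
    findings = []
    oauth2 = zone["protocols"]["oauth2"]
    issuer_host = urlparse(oauth2["issuer"]).hostname
    for proto, cfg in zone["protocols"].items():
        for field, value in cfg.items():
            if not isinstance(value, str):
                continue  # skip the boolean flags; every string field here is a URI
            url = urlparse(value)
            if url.scheme != "https":
                findings.append(f"{proto}.{field}: not https")
            elif url.hostname != issuer_host:
                findings.append(f"{proto}.{field}: host differs from issuer")
    if not oauth2.get("pkce_required"):
        findings.append("oauth2.pkce_required is false")
    if oauth2.get("dcr_enabled"):
        findings.append("oauth2.dcr_enabled is true: confirm client registration is intended")
    if zone.get("encryption_key") is None:
        findings.append("encryption_key unset: default Keycard Cloud key is used")
    # requires_invitation only applies when no user identity provider is configured.
    if zone.get("user_identity_provider_id") is None and not zone.get("requires_invitation"):
        findings.append("email/password registration does not require an invitation")
    return findings

def granted_actions(zone):
    """Flatten permissions (present only with expand=permissions) to 'type:action' strings."""
    perms = zone.get("permissions") or {}
    return sorted(f"{t}:{a}" for t, acts in perms.items() for a, ok in acts.items() if ok)
```

Running audit_zone over every zone a service credential can read, with granted_actions alongside it, gives a quick least-privilege and configuration-drift report.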