Zones
List zones
Create zone
Get zone
Update zone
Delete zone
Models

EncryptionKeyAwsKmsConfig = object { arn, type }
  AWS KMS configuration for zone encryption. When not specified, the default Keycard Cloud encryption key will be used.
  arn: AWS KMS Key ARN for encrypting the zone's data

PageInfoPagination = object { has_next_page, has_previous_page, end_cursor, start_cursor }
  Pagination information
  has_next_page: Whether there are more items after the current page
  has_previous_page: Whether there are items before the current page
  end_cursor: Cursor pointing to the last item in the current page
  start_cursor: Cursor pointing to the first item in the current page

Zone = object { id, created_at, name, 12 more }
  A zone for organizing resources within an organization
  Unique identifier of the zone
  Entity creation timestamp
  Human-readable name
  Organization that owns this zone
  protocols: object { oauth2, openid } Protocol configuration for a zone
    oauth2: object { authorization_endpoint, authorization_server_metadata, dcr_enabled, 6 more } OAuth 2.0 protocol configuration for a zone
      OAuth 2.0 authorization endpoint
      OAuth 2.0 Authorization Server Metadata endpoint (.well-known/oauth-authorization-server)
      Whether Dynamic Client Registration is enabled
      OAuth 2.0 issuer identifier
      JSON Web Key Set endpoint
      Whether PKCE is required for authorization code flows
      OAuth 2.0 redirect URI for this zone
      OAuth 2.0 Dynamic Client Registration endpoint
      OAuth 2.0 token endpoint
    openid: object { provider_configuration, userinfo_endpoint } OpenID Connect protocol configuration for a zone
      OpenID Connect Provider Configuration endpoint (.well-known/openid-configuration)
      OpenID Connect UserInfo endpoint
  URL-safe identifier, unique within the zone
  Entity update timestamp
  Application ID configured as the default MCP Gateway for the zone
  Resource ID configured as the default resource for the zone
  Human-readable description
  AWS KMS configuration for zone encryption (EncryptionKeyAwsKmsConfig, above). When not specified, the default Keycard Cloud encryption key will be used.
    arn: AWS KMS Key ARN for encrypting the zone's data
  login_flow: optional "default" or "identifier_first". Login flow style for the zone. 'default' uses standard authentication, 'identifier_first' uses identifier-based provider routing.
  Permissions granted to the authenticated principal. Only populated when the expand[]=permissions query parameter is provided. Keys are resource types, values are objects mapping action names to boolean values.
  Whether the zone requires an invitation for email/password registration; only applies when user_identity_provider_id is not set
  Provider ID configured for user login
Zones > Applications
List applications
Create application
Get application
Update application
Delete application
List application credentials
List application resources
Models

Application = object { id, created_at, dependencies_count, 10 more }
  An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).
  Unique identifier of the application
  Entity creation timestamp
  Number of resource dependencies
  User specified identifier, unique within the zone
  Human-readable name
  Organization that owns this application
  owner_type: "platform" or "customer". Who owns this application. Platform-owned applications cannot be modified via API.
  URL-safe identifier, unique within the zone
  Entity update timestamp
  Zone this application belongs to
  Human-readable description
  Entity metadata (Metadata, below)
    docs_url: Documentation URL
  protocols: optional object { oauth2 } Protocol-specific configuration
    oauth2: optional object { post_logout_redirect_uris, redirect_uris } OAuth 2.0 protocol configuration
      post_logout_redirect_uris: OAuth 2.0 post-logout redirect URIs for this application
      redirect_uris: OAuth 2.0 redirect URIs for this application

ApplicationTrait = "gateway" or "mcp-provider"
  Traits ascribe behaviors and characteristics to an application, which may activate trait-specific user experiences, workflows, or other system behaviors

Metadata = object { docs_url }
  Entity metadata
  docs_url: Documentation URL

MetadataUpdate = object { docs_url }
  Entity metadata (set to null or {} to remove metadata)
  docs_url: Documentation URL (set to null to unset)
Zones > Applications > Dependencies
List application dependencies
Add application dependency
Remove application dependency
Get application dependency
Models

Resource = object { id, application_type, created_at, 15 more }
  A Resource is a system that exposes protected information or functionality. It requires authentication of the requesting actor, which may be a user or application, before allowing access.
  Unique identifier of the resource
  application_type: "native" or "web". The expected type of client for this credential. Native clients must use localhost URLs for redirect_uris or URIs with custom schemes. Web clients must use https URLs and must not use localhost as the hostname.
  Entity creation timestamp
  User specified identifier, unique within the zone
  Human-readable name
  Organization that owns this resource
  owner_type: "platform" or "customer". Who owns this resource. Platform-owned resources cannot be modified via API.
  URL-safe identifier, unique within the zone
  Entity update timestamp
  Zone this resource belongs to
  Application that provides this resource (Application object; fields as listed under Zones > Applications > Models)
  ID of the application that provides this resource
  Credential provider for this resource (Provider object; fields as listed under Zones > Providers > Models)
  ID of the credential provider for this resource
  Human-readable description
  Entity metadata
    Documentation URL
  Scopes supported by the resource
  List of resource IDs that, when accessed, make this dependency available. Only present when this resource is returned as a dependency.
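The application_type rule above (native: localhost or a custom scheme; web: https and never localhost) is the kind of check a registration endpoint should enforce before a redirect_uris list is stored. The checker below is an added example and not Keycard's code; the problem codes and function names are its own, and treating the loopback IPs 127.0.0.1 and ::1 as "localhost" is this example's conservative assumption, not something the docs state.

```python
from urllib.parse import urlsplit

# Added example (not Keycard's code). Hosts treated as "localhost": the docs say
# "localhost"; the loopback IPs are this example's conservative assumption so that
# they are also rejected for web clients.
LOCALHOST_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Problem codes are this example's own names, not API error strings.
MALFORMED = "redirect URI could not be parsed"
MISSING_SCHEME = "redirect URI is missing a scheme"
HAS_FRAGMENT = "redirect URI must not contain a fragment"
NATIVE_NOT_LOCALHOST = "native http(s) redirect URI must use localhost as the hostname"
WEB_NOT_HTTPS = "web redirect URI must use the https scheme"
WEB_NO_HOST = "web redirect URI must have a hostname"
WEB_LOCALHOST = "web redirect URI must not use localhost as the hostname"
UNKNOWN_TYPE = "application_type must be 'native' or 'web'"


def is_localhost(host: str) -> bool:
    return host.lower() in LOCALHOST_HOSTS


def validate_redirect_uri(application_type: str, uri: str) -> list[str]:
    """Return [] if the URI is acceptable for this application_type, else problem codes.

    The URI is checked as given and never normalised: the registered string should
    be stored verbatim so that later redirect_uri comparisons can be exact matches.
    """
    problems: list[str] = []
    try:
        parts = urlsplit(uri)
        host = (parts.hostname or "").lower()
    except ValueError:  # e.g. an unterminated IPv6 literal
        return [MALFORMED]
    scheme = parts.scheme.lower()
    if not scheme:
        return [MISSING_SCHEME]
    if parts.fragment or uri.endswith("#"):
        problems.append(HAS_FRAGMENT)
    if application_type == "native":
        # Native clients: http(s) only on localhost, or any custom (non-http) scheme.
        if scheme in ("http", "https") and not is_localhost(host):
            problems.append(NATIVE_NOT_LOCALHOST)
    elif application_type == "web":
        if scheme != "https":
            problems.append(WEB_NOT_HTTPS)
        if not host:
            problems.append(WEB_NO_HOST)
        elif is_localhost(host):
            problems.append(WEB_LOCALHOST)
    else:
        problems.append(UNKNOWN_TYPE)
    return problems


def validate_redirect_uris(application_type: str, uris: list[str]) -> dict[str, list[str]]:
    """Validate a whole redirect_uris list; an entry maps to [] when it is accepted."""
    return {uri: validate_redirect_uri(application_type, uri) for uri in uris}


def all_accepted(application_type: str, uris: list[str]) -> bool:
    return all(not p for p in validate_redirect_uris(application_type, uris).values())


if __name__ == "__main__":
    # Constructed sample registrations, not real applications.
    samples = {
        "native": ["http://localhost:8080/callback", "com.example.app:/oauth2redirect",
                   "https://app.example.com/callback"],
        "web": ["https://app.example.com/callback", "http://app.example.com/callback",
                "https://localhost/callback"],
    }
    for app_type, uris in samples.items():
        for uri, problems in validate_redirect_uris(app_type, uris).items():
            print(f"{app_type:6} {uri:40} {'ok' if not problems else '; '.join(problems)}")
```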
Zones > Application Credentials
List application credentials
Create application credential
Get application credential
Update application credential
Delete application credential
Models

BaseFields = object { id, application_id, created_at, 5 more }
  Common fields shared by all application credential types
  Unique identifier of the credential
  ID of the application this credential belongs to
  Entity creation timestamp
  Organization that owns this credential
  URL-safe identifier, unique within the zone
  Entity update timestamp
  Zone this credential belongs to
  Application this credential belongs to (Application object; fields as listed under Zones > Applications > Models)

Credential types (each carries the BaseFields above plus the type-specific fields listed here):

Token-based application credential
  Identifier for this credential. For token type, this equals the subject value, or '*' when subject is not specified.
  ID of the provider issuing tokens verified by this credential
  Provider issuing the tokens (Provider object; fields as listed under Zones > Providers > Models)
  Subject identifier for the token. When null or omitted, any token from the provider is accepted without checking application-specific claims.

Password-based application credential
  Username for password credential, also used as OAuth 2.0 client ID
  Password for credential (only returned on creation, store securely), also used as OAuth 2.0 client secret

Public key-based application credential
  Client ID for public key credential, also used as OAuth 2.0 client ID
  JWKS URI to retrieve public keys from

URL-based application credential
  URL of the credential (must be a valid URL)

Public credential (no secret storage)
  Identifier for public credential, also used as OAuth 2.0 client ID
Zones > Delegated Grants
List delegated grants
Get delegated grant
Update delegated grant
Delete delegated grant
Models

Grant = object { id, created_at, expires_at, 14 more }
  User authorization for a resource to be accessed on their behalf. The grant links the user, resource, and the provider that issued the grant.
  Unique identifier of the delegated grant
  Entity creation timestamp
  Date when grant expires
  Organization that owns this grant
  ID of the provider that issued this grant
  Indicates whether a refresh token is stored for this grant. Grants with refresh tokens can be refreshed even after access token expiration.
  ID of resource receiving grant
  Granted OAuth scopes
  status: "active" or "expired" or "revoked"
  Entity update timestamp
  Reference to the user granting permission
  Zone this grant belongs to
  Whether the grant is currently active (deprecated - use status instead)
  Provider that issued this grant (Provider object; fields as listed under Zones > Providers > Models)
  Timestamp when this grant's tokens were last refreshed. Omitted if grant was never refreshed.
  Resource receiving the grant (Resource object; fields as listed under Zones > Applications > Dependencies > Models)
  User granting permission (User object):
    An authenticated user entity
    Unique identifier of the user
    Entity creation timestamp
    Email address of the user
    Whether the email address has been verified
    Organization that owns this user
    Entity update timestamp
    Zone this user belongs to
    Date when the user was last authenticated
    Issuer identifier of the identity provider
    Reference to the identity provider. This field is undefined when the source identity provider is deleted but the user is not deleted.
    Subject identifier from the identity provider
Zones > Providers
List providers
Create provider
Get provider
Update provider
Delete provider
Models

Provider = object { id, created_at, identifier, 12 more }
  A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.
  Unique identifier of the provider
  Entity creation timestamp
  User specified identifier, unique within the zone
  Human-readable name
  Organization that owns this provider
  owner_type: "platform" or "customer". Who owns this provider. Platform-owned providers cannot be modified via API.
  URL-safe identifier, unique within the zone
  Entity update timestamp
  Zone this provider belongs to
  OAuth 2.0 client identifier
  Indicates whether a client secret is configured
  Human-readable description
  Provider metadata
  protocols: optional object { oauth2, openid } Protocol-specific configuration
    oauth2: optional object { issuer, authorization_endpoint, authorization_parameters, 10 more } OAuth 2.0 protocol configuration
      issuer: OIDC issuer URL used for discovery and token validation.
      authorization_parameters: Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).
      authorization_resource_enabled: Whether to include the resource parameter in authorization requests.
      The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.
      The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".
      The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".
      Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".
    openid: optional object { userinfo_endpoint } OpenID Connect protocol configuration
  type: optional "external" or "keycard-vault" or "keycard-sts"
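The oauth2 fields above let one provider record describe both a standard OIDC provider and a non-standard one such as Slack v2 (different scope parameter name, separator, and token location). The code below is an added example, not Keycard's implementation: it builds the authorization request from such a config, refuses to let authorization_parameters override the security-relevant parameters, and walks the dot-separated token path through a token response. issuer, authorization_endpoint, authorization_parameters and authorization_resource_enabled are the documented names; resource_parameter, scope_parameter, scope_separator and token_path are this example's own names for the remaining documented fields, and all endpoints and token values are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit


@dataclass
class ProviderOAuth2Config:
    """Subset of a Provider's protocols.oauth2 configuration (added example).

    issuer, authorization_endpoint, authorization_parameters and
    authorization_resource_enabled are names from the docs; the remaining
    attribute names are this example's own, with the documented defaults.
    """
    issuer: str
    authorization_endpoint: str
    authorization_parameters: dict[str, str] = field(default_factory=dict)
    authorization_resource_enabled: bool = False
    resource_parameter: str = "resource"   # parameter name carrying the resource value
    scope_parameter: str = "scope"         # Slack v2: "user_scope"
    scope_separator: str = " "             # Slack v2: ","
    token_path: str = "access_token"       # Slack v2: "authed_user.access_token"


# Parameters that authorization_parameters may add to but must never override.
PROTECTED_PARAMS = {"response_type", "client_id", "redirect_uri", "state",
                    "code_challenge", "code_challenge_method"}


def build_authorization_url(cfg: ProviderOAuth2Config, *, client_id: str, redirect_uri: str,
                            scopes: list[str], state: str, code_challenge: str,
                            resource: Optional[str] = None) -> str:
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        cfg.scope_parameter: cfg.scope_separator.join(scopes),
    }
    if cfg.authorization_resource_enabled and resource is not None:
        params[cfg.resource_parameter] = resource
    for name, value in cfg.authorization_parameters.items():
        if name in PROTECTED_PARAMS or name == cfg.scope_parameter:
            raise ValueError(f"authorization_parameters may not override {name!r}")
        params[name] = value
    return f"{cfg.authorization_endpoint}?{urlencode(params)}"


def authorization_params(url: str) -> dict[str, str]:
    """Decode an authorization URL's query into single-valued parameters (for checking)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


def extract_access_token(cfg: ProviderOAuth2Config, token_response: dict) -> str:
    """Walk the dot-separated token_path through the parsed token response body."""
    node = token_response
    for key in cfg.token_path.split("."):
        if not isinstance(node, dict) or key not in node:
            raise KeyError(f"token path {cfg.token_path!r} not found in token response")
        node = node[key]
    if not isinstance(node, str) or not node:
        raise ValueError(f"value at {cfg.token_path!r} is not a non-empty access token")
    return node


# Constructed provider configurations for the two shapes the docs mention.
GENERIC_OIDC = ProviderOAuth2Config(
    issuer="https://idp.example.com",
    authorization_endpoint="https://idp.example.com/authorize",
    authorization_parameters={"prompt": "consent", "access_type": "offline"},
    authorization_resource_enabled=True,
)
SLACK_V2_STYLE = ProviderOAuth2Config(
    issuer="https://slack.example.invalid",  # placeholder, not Slack's real issuer
    authorization_endpoint="https://slack.example.invalid/oauth/v2/authorize",
    scope_parameter="user_scope",
    scope_separator=",",
    token_path="authed_user.access_token",
)

if __name__ == "__main__":
    url = build_authorization_url(SLACK_V2_STYLE, client_id="cid", redirect_uri="https://app.example.com/cb",
                                  scopes=["chat:write", "users:read"], state="s1", code_challenge="c1")
    print(url)
    # Constructed token response in the nested Slack v2 shape.
    print(extract_access_token(SLACK_V2_STYLE, {"ok": True, "authed_user": {"access_token": "tok-constructed"}}))
```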
Zones > Resources
List resources
Create resource
Get resource
Update resource
Delete resource
Zones > Sessions
List sessions
Get session
Update session
Delete session
ModelsExpand Collapse
Session = object { session_type, user_id, id, 19 more } or object { application_id, issuer, provider_id, 14 more } An authenticated identity session. Sessions can be user sessions (representing end-user authentication) or application sessions (representing service-to-service authentication). User sessions support hierarchical relationships via parent_id, while application sessions are always standalone.
An authenticated identity session. Sessions can be user sessions (representing end-user authentication) or application sessions (representing service-to-service authentication). User sessions support hierarchical relationships via parent_id, while application sessions are always standalone.
IamUserSessionType = object { session_type, user_id, id, 19 more } User session type-specific fields
User session type-specific fields
User ID
Session ID
Whether the session is currently active (deprecated - use status instead)
An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).
An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).
Unique identifier of the application
Entity creation timestamp
Number of resource dependencies
User specified identifier, unique within the zone
Human-readable name
Organization that owns this application
owner_type: "platform" or "customer"Who owns this application. Platform-owned applications cannot be modified via API.
Who owns this application. Platform-owned applications cannot be modified via API.
URL-safe identifier, unique within the zone
Entity update timestamp
Zone this application belongs to
Human-readable description
Entity metadata
Entity metadata
Documentation URL
protocols: optional object { oauth2 } Protocol-specific configuration
Protocol-specific configuration
oauth2: optional object { post_logout_redirect_uris, redirect_uris } OAuth 2.0 protocol configuration
OAuth 2.0 protocol configuration
OAuth 2.0 post-logout redirect URIs for this application
OAuth 2.0 redirect URIs for this application
Application ID that initiated this session
Date when the session was authenticated
Entity creation timestamp
Date when session expires
Issuer URL from IdP
metadata: optional object { name } Session metadata
Session metadata
Name of the initiating application or user agent
Organization that owns this session
Parent session ID for hierarchical sessions (user sessions only). When null, this is a web session - a top-level session initiated directly by a user. When set, this is a child session derived from the parent, used for token refresh or delegation. Application sessions cannot have parents.
Provider ID
Session claims data (ID token claims for users, application claims for applications)
status: optional "active" or "expired" or "revoked"
Subject claim from IdP
Entity update timestamp
An authenticated user entity
Unique identifier of the user
Entity creation timestamp
Email address of the user
Whether the email address has been verified
Organization that owns this user
Entity update timestamp
Zone this user belongs to
Date when the user was last authenticated
Issuer identifier of the identity provider
Reference to the identity provider. This field is undefined when the source identity provider is deleted but the user is not deleted.
Subject identifier from the identity provider
A User Agent represents a user agent (browser, desktop app, CLI tool) that can initiate user sessions via OAuth 2.0 Dynamic Client Registration.
Unique identifier of the user agent
Entity creation timestamp
User agent identifier (serves as OAuth client_id). Format: ua:{sha256_hash}
Human-readable name
Organization that owns this user agent
URL-safe identifier, unique within the zone
Entity update timestamp
Zone this user agent belongs to
User agent ID (browser/client) that initiated this session
Zone this session belongs to
IamApplicationSessionType = object { application_id, issuer, provider_id, 14 more } Application session type-specific fields
Application ID that initiated this session
Issuer URL from IdP
Provider ID
Subject claim from IdP
Session ID
Whether the session is currently active (deprecated - use status instead)
An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).
Unique identifier of the application
Entity creation timestamp
Number of resource dependencies
User specified identifier, unique within the zone
Human-readable name
Organization that owns this application
owner_type: "platform" or "customer" Who owns this application. Platform-owned applications cannot be modified via API.
URL-safe identifier, unique within the zone
Entity update timestamp
Zone this application belongs to
Human-readable description
Entity metadata
Documentation URL
protocols: optional object { oauth2 } Protocol-specific configuration
oauth2: optional object { post_logout_redirect_uris, redirect_uris } OAuth 2.0 protocol configuration
OAuth 2.0 post-logout redirect URIs for this application
OAuth 2.0 redirect URIs for this application
Date when the session was authenticated
Entity creation timestamp
Date when session expires
metadata: optional object { name } Session metadata
Name of the initiating application or user agent
Organization that owns this session
Session claims data (ID token claims for users, application claims for applications)
status: optional "active" or "expired" or "revoked"
Entity update timestamp
Zone this session belongs to
Zones / User Agents
List user agents
Get user agent
Models
UserAgent = object { id, created_at, identifier, 5 more } A User Agent represents a user agent (browser, desktop app, CLI tool) that can initiate user sessions via OAuth 2.0 Dynamic Client Registration.
Unique identifier of the user agent
Entity creation timestamp
User agent identifier (serves as OAuth client_id). Format: ua:{sha256_hash}
Human-readable name
Organization that owns this user agent
URL-safe identifier, unique within the zone
Entity update timestamp
Zone this user agent belongs to
Zones / Users
List users
Get user
Models
User = object { id, created_at, email, 8 more } An authenticated user entity
Unique identifier of the user
Entity creation timestamp
Email address of the user
Whether the email address has been verified
Organization that owns this user
Entity update timestamp
Zone this user belongs to
Date when the user was last authenticated
Issuer identifier of the identity provider
Reference to the identity provider. This field is undefined when the source identity provider is deleted but the user is not deleted.
Subject identifier from the identity provider
Zones / Members
Add organization user to zone
List organization users in a zone
Get organization user in a zone
Update organization user role in a zone
Remove member from zone
Models
ZoneMember = object { id, _links, created_at, 5 more } Represents an organization user's membership in a zone with an assigned role
Unique identifier of the zone member
_links: object { organization_user, self } HAL-format hypermedia links for zone member resources
organization_user: object { href }
Link to the user resource
self: object { href }
Link to this zone member resource
Entity creation timestamp
Organization ID that owns the zone
Organization user ID of the zone member
Zone role type. zone_manager has full management access, zone_viewer has read-only access.
Entity update timestamp
Zone ID the organization user is a member of
ZoneRole = "zone_manager" or "zone_viewer" Zone role type. zone_manager has full management access, zone_viewer has read-only access.
Zones / Secrets
Create
List
Delete
Update
Retrieve
Models
Secret = object { id, created_at, entity_id, 7 more }
A globally unique opaque identifier
A globally unique opaque identifier
A name for the entity to be displayed in UI
type: "token" or "password"
A globally unique opaque identifier
A description of the entity
A JSON object containing arbitrary metadata. Metadata will not be encrypted.
SecretPasswordFields = object { password, type, username }
SecretTokenFields = object { token, type }
Zones / Policy Schemas
List policy schemas
Get a policy schema by version
Set the default policy schema for a zone
Models
SchemaVersion = object { created_at, status, updated_at, 5 more } A versioned Cedar schema that defines the entity model, actions, and context shape used for policy evaluation. The schema contains the valid entity types (User, Application, Resource), their attributes, and the allowed attribute values. See the Credentials API spec for a full reference of entity attributes and valid values.
status: "active" or "deprecated" or "archived" Controls what can be done with this schema version:
"active" - new policy versions can be created and validated against it.
"deprecated" - superseded by a newer version but still accepts new policy versions.
"archived" - closed to new policy versions. Existing policy set versions pinned to this schema still evaluate normally.
Cedar schema in human-readable syntax. Populated when format=cedar.
Cedar schema as JSON object. Populated when format=json (default).
A versioned Cedar schema that defines the entity model, actions, and context shape used for policy evaluation. The schema contains the valid entity types (User, Application, Resource), their attributes, and the allowed attribute values. See the Credentials API spec for a full reference of entity attributes and valid values.
Whether this is the zone's default schema. Clients use this to pre-select which schema to write policies against. Has no effect on evaluation.
Zones / Policies
List policies in a zone
Create a new policy
Get a policy by ID
Update a policy
Archive a policy
Models
Policy = object { id, created_at, created_by, 9 more }
owner_type: "platform" or "customer" Who manages this policy:
"platform" — managed by the Keycard platform (system policies).
"customer" — managed by the tenant (custom policies).
Human-readable version number of the latest version (e.g., 1, 2, 3)
PolicyDraft = object { cedar_json, created_at, policy_id, 3 more }
Cedar policy in JSON representation
Zones / Policies / Versions
List versions of a policy
Create a new immutable policy version
Get a specific policy version
Archive a policy version
Models
PolicyVersion = object { id, created_at, created_by, 9 more }
Schema version this policy was validated against when created.
Hex-encoded content hash
Cedar policy in JSON representation. Populated when format=json (default).
Cedar policy in human-readable syntax. Populated when format=cedar.
Zones / Policy Sets
List policy sets in a zone
Create a new policy set
Get a policy set by ID
Update a policy set
Archive a policy set
Models
Attestation = object { payload, protected, signature } JWS Flattened JSON Serialization (RFC 7515 §7.2.2) of a policy set attestation. The protected header carries the signing algorithm and key identifier; the payload is a base64url-encoded AttestationStatement canonicalized per RFC 8785 (JCS). Verify using the zone JWKS endpoint (RFC 7517). Currently signed with RS256; future zone key types (e.g. EdDSA) will be indicated by the "alg" header — no envelope changes required.
Base64url-encoded AttestationStatement (RFC 7515 §3). Decode to inspect attestation content. The RFC 8785 canonical form of the decoded JSON is the JWS Signing Input alongside the protected header.
Base64url-encoded JWS protected header (RFC 7515 §4). Contains at minimum "alg" (signing algorithm — currently RS256, will migrate to EdDSA) and "kid" (signing key identifier resolvable via the zone JWKS endpoint).
Base64url-encoded digital signature computed over the JWS Signing Input (ASCII(protected) || '.' || payload) per RFC 7515 §5.1.
AttestationStatement = object { attested_at, attested_by, manifest, 7 more } Decoded content of an Attestation JWS payload. Describes the exact policy set version composition at attestation time. This schema defines what consumers see after base64url-decoding the Attestation.payload field.
Snapshot of the policy set manifest at attestation time. Each entry pins a policy version by ID and content SHA.
SHA-256 of the policy version content, populated by the server
SHA-256 of the policy set version manifest. Verifiers MUST check this matches the policy_set_version.manifest_sha to detect attestation/version mismatches.
status: "committed" or "re_signed"Event that produced this attestation. "committed" is the initial attestation at version creation; "re_signed" is a re-attestation after key rotation (same content, new signature).
Statement type discriminator
Statement schema version
PolicySet = object { id, created_at, created_by, 9 more }
owner_type: "platform" or "customer" Who manages this policy set:
"platform" — managed by the Keycard platform (system policies).
"customer" — managed by the tenant (custom policies).
scope_type: "zone" or "resource" or "user" or "session" The scope at which this policy set applies:
"zone" — applies to all requests in the zone.
"resource" — scoped to a specific resource.
"user" — scoped to a specific user.
"session" — scoped to a specific session.
Human-readable version number of the latest version (e.g., 1, 2, 3)
PolicySetDraft = object { created_at, manifest, policy_set_id, 3 more }
SHA-256 of the policy version content, populated by the server
PolicySetManifest = object { entries }
SHA-256 of the policy version content, populated by the server
PolicySetManifestEntry = object { policy_id, policy_version_id, sha }
SHA-256 of the policy version content, populated by the server
Whether this policy set is currently bound to a scope
Human-readable version number of the active version (e.g., 1, 2, 3)
Public ID of the currently active (bound) version
mode: optional "active" or "shadow"
Zones / Policy Sets / Versions
List versions of a policy set
Create a new immutable policy set version
Get a specific policy set version
Activate a policy set version
Archive a policy set version
List policy versions in a policy set version
Models
PolicySetVersion = object { id, created_at, created_by, 9 more }
SHA-256 of the policy version content, populated by the server
Hex-encoded SHA-256 of the canonicalized manifest
Schema version pinned to this policy set version. Determines the Cedar schema used for evaluation when activated.
Whether this policy set version is currently bound with mode='active'
JWS Flattened JSON Serialization (RFC 7515 §7.2.2) of a policy set attestation. The protected header carries the signing algorithm and key identifier; the payload is a base64url-encoded AttestationStatement canonicalized per RFC 8785 (JCS). Verify using the zone JWKS endpoint (RFC 7517). Currently signed with RS256; future zone key types (e.g. EdDSA) will be indicated by the "alg" header — no envelope changes required.
Base64url-encoded AttestationStatement (RFC 7515 §3). Decode to inspect attestation content. The RFC 8785 canonical form of the decoded JSON is the JWS Signing Input alongside the protected header.
Base64url-encoded JWS protected header (RFC 7515 §4). Contains at minimum "alg" (signing algorithm — currently RS256, will migrate to EdDSA) and "kid" (signing key identifier resolvable via the zone JWKS endpoint).
Base64url-encoded digital signature computed over the JWS Signing Input (ASCII(protected) || '.' || payload) per RFC 7515 §5.1.
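As an added example (not Keycard's own code), the following is a consumer-side verifier for the Attestation envelope described here and in the Policy Sets section: it decodes the flattened JWS, pins "alg" to RS256 rather than letting the header choose, resolves "kid" against a JWKS document, checks the signature over ASCII(protected) || '.' || payload, decodes the AttestationStatement, and then checks manifest_sha against the policy set version as the text requires. Assumptions not taken from the page: the JWKS is constructed inline around a throwaway RSA key generated in code (so the block runs offline), the manifest hashing rule is taken to be hex SHA-256 over the RFC 8785 form of the manifest object, JCS is approximated with json.dumps with sorted keys (exact for the ASCII sample data), and the sample statement, policy IDs and kid are constructed placeholders.

```python
"""Verify a policy set Attestation (JWS flattened JSON, RS256) end to end.
Added example, not Keycard's own code. Assumed: the zone JWKS is already fetched
(constructed inline), the statement field names listed on the page, and that
manifest_sha is the hex SHA-256 of the JCS form of the manifest object."""
import base64, hashlib, json, random

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jcs(obj) -> bytes:
    # RFC 8785 canonical form via sorted keys and no whitespace (exact for ASCII/int data)
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("ascii")

def manifest_sha(manifest: dict) -> str:
    return hashlib.sha256(jcs(manifest)).hexdigest()  # assumed hashing rule

# Minimal RSASSA-PKCS1-v1_5 with SHA-256 (RFC 8017 section 8.2) on Python ints
def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(n: int, d: int, msg: bytes) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(n: int, e: int, msg: bytes, sig: bytes) -> bool:
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _emsa_pkcs1_v15(msg, k)

def _is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    if n % 2 == 0:
        return n == 2
    r = ((n - 1) & -(n - 1)).bit_length() - 1  # n - 1 = d * 2**r with d odd
    d = (n - 1) >> r
    for _ in range(rounds):  # Miller-Rabin witnesses
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def demo_keypair(seed: int = 7):
    """Deterministic throwaway RSA-512 key: demo only, far too small for real use."""
    rng = random.Random(seed)
    def prime(bits):
        while True:
            c = rng.getrandbits(bits) | (3 << (bits - 2)) | 1  # top two bits set, odd
            if _is_probable_prime(c, rng):
                return c
    while True:
        p, q = prime(256), prime(256)
        try:
            return p * q, 65537, pow(65537, -1, (p - 1) * (q - 1))
        except ValueError:  # e not invertible mod phi(n); draw new primes
            pass

def jwks_for(n: int, e: int, kid: str) -> dict:
    enc = lambda i: b64url_encode(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "n": enc(n), "e": enc(e)}]}

def make_attestation(statement: dict, kid: str, n: int, d: int) -> dict:
    # Server side: sign the JCS-canonicalized statement as a flattened JWS
    protected, payload = b64url_encode(jcs({"alg": "RS256", "kid": kid})), b64url_encode(jcs(statement))
    sig = rs256_sign(n, d, f"{protected}.{payload}".encode("ascii"))
    return {"protected": protected, "payload": payload, "signature": b64url_encode(sig)}

def verify_attestation(att: dict, jwks: dict, expected_manifest_sha: str) -> dict:
    # Consumer side: return the decoded AttestationStatement or raise ValueError
    header = json.loads(b64url_decode(att["protected"]))
    if header.get("alg") != "RS256":  # pin the algorithm; the header must not choose it
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    key = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("kid not found in zone JWKS")
    n, e = (int.from_bytes(b64url_decode(key[f]), "big") for f in ("n", "e"))
    signing_input = f"{att['protected']}.{att['payload']}".encode("ascii")  # RFC 7515 section 5.1
    if not rs256_verify(n, e, signing_input, b64url_decode(att["signature"])):
        raise ValueError("signature does not verify")
    statement = json.loads(b64url_decode(att["payload"]))
    if statement.get("manifest_sha") != expected_manifest_sha:  # attestation/version mismatch
        raise ValueError("manifest_sha does not match policy_set_version.manifest_sha")
    if manifest_sha(statement["manifest"]) != statement["manifest_sha"]:
        raise ValueError("manifest content does not hash to manifest_sha")
    return statement

def verification_error(att: dict, jwks: dict, expected_manifest_sha: str):
    try:  # failure reason as a string, or None when the attestation is valid
        verify_attestation(att, jwks, expected_manifest_sha)
        return None
    except ValueError as exc:
        return str(exc)

# Constructed sample data; IDs are placeholders, not real Keycard identifiers
SAMPLE_MANIFEST = {"entries": [{"policy_id": "pol_PLACEHOLDER_1", "policy_version_id": "polv_PLACEHOLDER_1",
                                "sha": hashlib.sha256(b"permit(principal, action, resource);").hexdigest()}]}
SAMPLE_STATEMENT = {"attested_at": "2025-01-01T00:00:00Z", "attested_by": "zone-signer", "status": "committed",
                    "manifest": SAMPLE_MANIFEST, "manifest_sha": manifest_sha(SAMPLE_MANIFEST)}
```

Usage: `n, e, d = demo_keypair()`, build `att = make_attestation(SAMPLE_STATEMENT, "zone-key-1", n, d)` and verify with `verify_attestation(att, jwks_for(n, e, "zone-key-1"), SAMPLE_STATEMENT["manifest_sha"])`. The order of checks is deliberate: algorithm and key are fixed before any signature math, the signature is verified before the payload is parsed, and the manifest_sha comparison binds the attestation to the specific policy set version the caller is about to activate, which is the mismatch the page says verifiers MUST detect. A production verifier would fetch the zone JWKS over TLS and use a vetted RSA implementation instead of the demo key and hand-rolled PKCS#1 code.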