Overview

The Keycard model for identity, policy, credentials, and agent access.

Keycard gives agents, tools, and applications controlled access to the resources they need. The model is deliberately small: a zone contains actors and resources, providers connect outside identity and access systems, policies decide whether a request is allowed, and credentials are issued or brokered only after that check.

The Concepts section exists so configuration pages have stable meaning. When a setup guide says “resource”, “provider”, “policy”, or “credential”, these pages explain the object and why it matters.

  1. A zone defines the trust boundary.
  2. Users and applications are the actors inside that boundary.
  3. Resources are the APIs, MCP servers, services, and data those actors need to access.
  4. Providers connect external identity systems and upstream APIs.
  5. Policies decide whether a request is allowed.
  6. Credentials are issued or brokered as the result of an allowed request.

Traditional IAM assumes software follows predictable paths and humans make most of the decisions. Agents are different: they reason, call tools, exchange data, and adapt at runtime. Giving them static API keys or broad service accounts makes their access hard to scope and hard to audit.

Keycard treats agents and tools as first-class applications. They authenticate, request access, pass through policy, and receive short-lived credentials scoped to the user, task, application, and resource involved.
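To make the flow in the numbered list and the scoping rule above concrete, here is a small illustrative model of it in Python. It is an added example, not Keycard's own code or API: the zone, actor, resource, policy and credential names are constructed for the example, and the 300-second lifetime is an assumption standing in for "short-lived". The point it shows is that a credential is only issued after the policy check passes, is bound to the user, task, application and resource of the request, and cannot be presented for a different resource or after it expires.

```python
"""Toy model of the request -> policy -> credential flow described on this page.
Illustrative only: this is not Keycard's own code or API."""
from dataclasses import dataclass, field
from typing import Optional
import secrets
import time


@dataclass
class Policy:
    """Allow `application` to reach `resource`. `require_user` means the
    application must be acting on behalf of a signed-in user (delegation)."""
    application: str
    resource: str
    require_user: bool = True


@dataclass(frozen=True)
class AccessRequest:
    application: str
    resource: str
    task: str
    user: Optional[str] = None  # None when the application acts on its own behalf


@dataclass(frozen=True)
class Credential:
    """Short-lived token bound to the user, task, application and resource."""
    token: str
    application: str
    resource: str
    task: str
    user: Optional[str]
    expires_at: float


@dataclass
class Zone:
    """Trust boundary: only registered actors and resources can take part."""
    name: str
    users: set = field(default_factory=set)
    applications: set = field(default_factory=set)
    resources: set = field(default_factory=set)
    policies: list = field(default_factory=list)
    ttl_seconds: int = 300  # assumed lifetime; the page only says "short-lived"

    def is_allowed(self, req: AccessRequest) -> bool:
        # Actors and resources outside the boundary are denied before any policy runs.
        if req.application not in self.applications or req.resource not in self.resources:
            return False
        if req.user is not None and req.user not in self.users:
            return False
        for policy in self.policies:
            if policy.application != req.application or policy.resource != req.resource:
                continue
            if policy.require_user and req.user is None:
                continue  # this policy only covers delegated (user-backed) access
            return True
        return False  # no matching policy: deny by default

    def request_access(self, req: AccessRequest, now: Optional[float] = None) -> Optional[Credential]:
        """Issue a credential only after the policy check passes; otherwise None."""
        if not self.is_allowed(req):
            return None
        now = time.time() if now is None else now
        return Credential(
            token=secrets.token_urlsafe(32),
            application=req.application,
            resource=req.resource,
            task=req.task,
            user=req.user,
            expires_at=now + self.ttl_seconds,
        )


def credential_matches(cred: Credential, req: AccessRequest, now: float) -> bool:
    """What a resource checks: the credential is unexpired and was scoped to
    exactly this application, user, task and resource."""
    return (
        cred.expires_at > now
        and cred.application == req.application
        and cred.resource == req.resource
        and cred.task == req.task
        and cred.user == req.user
    )


def build_example_zone() -> Zone:
    """Constructed sample data; every name here is invented for the example."""
    return Zone(
        name="demo-zone",
        users={"alice"},
        applications={"support-agent", "nightly-report"},
        resources={"billing-api", "crm-mcp"},
        policies=[
            Policy("support-agent", "billing-api", require_user=True),
            Policy("nightly-report", "crm-mcp", require_user=False),
        ],
    )


if __name__ == "__main__":
    zone = build_example_zone()
    now = time.time()
    req = AccessRequest("support-agent", "billing-api", task="refund-ticket-42", user="alice")
    cred = zone.request_access(req, now)
    print("issued:", cred is not None)
    other = AccessRequest("support-agent", "crm-mcp", task="refund-ticket-42", user="alice")
    print("reusable for another resource:", cred is not None and credential_matches(cred, other, now))
    print("valid after ttl:", cred is not None and credential_matches(cred, req, now + zone.ttl_seconds + 1))
```

The deny-by-default branch in `is_allowed` is the part worth copying into any real policy layer: an unregistered application, an unknown user, or a request that matches no policy all fall through to a refusal, and no credential is produced on that path.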

Zones are security domains. They group users, applications, resources, providers, and policies so access can be managed within a clear boundary.

Users are people who authenticate into a zone and may delegate access to applications or agents.

Applications are software: agents, MCP clients, MCP servers, APIs, CLIs, web apps, and services. They can act on their own behalf or on behalf of a user.

Resources are protected things applications and users access, such as APIs, MCP servers, databases, or third-party services.

Providers connect Keycard to identity providers, workload identity systems, and upstream APIs that issue or hold credentials.

Policies are the authorization rules that decide whether a request should result in access.

Credentials are the short-lived tokens, brokered upstream tokens, or vaulted credentials Keycard returns after access is allowed.

If you are configuring Keycard for the first time, start with Zones, then read Applications, Resources, and Policies. Those four concepts carry most of the configuration model.