---
title: Overview | Keycard
description: The Keycard model for identity, policy, credentials, and agent access.
---

Keycard gives agents, tools, and applications controlled access to the resources they need. The model is deliberately small: a zone contains actors and resources, providers connect outside identity and access systems, policies decide whether a request is allowed, and credentials are issued or brokered only after that check.

The Concepts section exists so configuration pages have stable meaning. When a setup guide says “resource”, “provider”, “policy”, or “credential”, these pages explain the object and why it matters.

## The Keycard Model

1. A [zone](/concepts/zones/index.md) defines the trust boundary.
2. [Users](/concepts/users/index.md) and [applications](/concepts/applications/index.md) are the actors inside that boundary.
3. [Resources](/concepts/resources/index.md) are the APIs, MCP servers, services, and data those actors need to access.
4. [Providers](/concepts/providers/index.md) connect external identity systems and upstream APIs.
5. [Policies](/concepts/policies/index.md) decide whether a request is allowed.
6. [Credentials](/concepts/credentials/index.md) are issued or brokered as the result of an allowed request.

## Why Agents Change The Model

Traditional IAM assumes software follows predictable paths and humans make most of the decisions. Agents are different: they reason, call tools, exchange data, and adapt at runtime. Giving them static API keys or broad service accounts makes their access hard to scope and hard to audit.

Keycard treats agents and tools as first-class applications. They authenticate, request access, pass through policy, and receive short-lived credentials scoped to the user, task, application, and resource involved.
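A toy model of the flow described above, added here as an illustration; it is not Keycard's API or code. The class and field names, the 300-second lifetime, and the triple-based allow list are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass, field

TTL_SECONDS = 300  # assumed lifetime; the page only says "short-lived"

@dataclass(frozen=True)
class Request:
    zone: str
    user: str
    application: str
    resource: str
    task: str

@dataclass
class Zone:  # hypothetical model of a zone, not a Keycard type
    name: str
    users: set
    applications: set
    resources: set
    # Policy as allowed (user, application, resource) triples; all else is denied.
    allow: set = field(default_factory=set)

def authorize(zone, req):
    """Return a denial reason, or None when the request is allowed."""
    if req.zone != zone.name:
        return "request crosses the zone boundary"
    if req.user not in zone.users or req.application not in zone.applications:
        return "unknown actor"
    if req.resource not in zone.resources:
        return "unknown resource"
    if (req.user, req.application, req.resource) not in zone.allow:
        return "no policy allows this request"
    return None

def issue_credential(zone, req, now=None):
    """Issue a credential only after the policy check has passed."""
    reason = authorize(zone, req)
    if reason:
        raise PermissionError(reason)
    now = time.time() if now is None else now
    # The credential carries its scope: user, application, resource, task, expiry.
    return {"token": secrets.token_urlsafe(16), "user": req.user,
            "application": req.application, "resource": req.resource,
            "task": req.task, "expires_at": now + TTL_SECONDS}

def accepts(credential, resource, now=None):
    """Resource-side check: issued for this resource and not yet expired."""
    now = time.time() if now is None else now
    return credential["resource"] == resource and now < credential["expires_at"]
```

Because the credential names one resource and one expiry, a token issued for one API is rejected by another and stops working after the lifetime elapses, which is the scoping and auditability that static API keys lack.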

## Concepts At A Glance

### Zones

Zones are security domains. They group users, applications, resources, providers, and policies so access can be managed within a clear boundary.

### Users

Users are people who authenticate into a zone and may delegate access to applications or agents.

### Applications

Applications are software: agents, MCP clients, MCP servers, APIs, CLIs, web apps, and services. They can act on their own behalf or on behalf of a user.

### Resources

Resources are the protected things that applications and users access, such as APIs, MCP servers, databases, or third-party services.

### Providers

Providers connect Keycard to identity providers, workload identity systems, and upstream APIs that issue or hold credentials.

### Policies

Policies are the authorization rules that decide whether a request should result in access.

### Credentials

Credentials are the short-lived tokens, brokered upstream tokens, or vaulted credentials Keycard returns after access is allowed.

## Next Step

If you are configuring Keycard for the first time, start with [Zones](/concepts/zones/index.md), then read [Applications](/concepts/applications/index.md), [Resources](/concepts/resources/index.md), and [Policies](/concepts/policies/index.md). Those four concepts carry most of the configuration model.
