Identity Providers

Keycard provides zone user authentication by default. If you want to use your own identity provider (Okta, Auth0, Google, etc.) for zone-level user authentication, follow the steps below.

Note

This page covers zone-level identity providers for authenticating users of your applications and MCP servers. For organization-level SSO (authenticating your team into Keycard Console), see Single Sign-On.

Connect an Identity Provider

1. Get your OAuth Redirect URL

   • In Keycard Console, navigate to Zone Settings (click your zone name in the sidebar)
   • Copy the OAuth 2 Redirect URL (format: https://<zone-id>.keycard.cloud/oauth/2/redirect)
   • Keep this URL handy for the next step

2. Configure your identity provider

   Okta

   In Okta:

   1. Navigate to Applications → Create App Integration
   2. Select OIDC - OpenID Connect and Web Application
   3. Add the OAuth Redirect URL to Sign-in redirect URIs
   4. Enable grant types: Authorization Code, Refresh Token
   5. Assign users to the application
   6. Note your Issuer URL, Client ID, and Client Secret

   In Keycard Console:

   1. Click Providers in the sidebar and then ‘Add Provider’
   2. Enter Issuer URL: https://your-domain.okta.com
   3. Enter Client ID and Client Secret
   4. Click Connect
   Auth0

   In Auth0:

   1. Navigate to Applications → Create Application
   2. Select Regular Web Application
   3. Add the OAuth Redirect URL to Allowed Callback URLs
   4. Note your Domain, Client ID, and Client Secret

   In Keycard Console:

   1. Click Providers in the sidebar and then ‘Add Provider’
   2. Enter Issuer URL: https://your-tenant.auth0.com/ (include trailing /)
   3. Enter Client ID and Client Secret
   4. Click Connect
   Google

   In Google Cloud Console:

   1. Navigate to APIs & Services → Credentials
   2. Create OAuth 2.0 Client ID (Web application)
   3. Add the OAuth Redirect URL to Authorized redirect URIs
   4. Note your Client ID and Client Secret

   In Keycard Console:

   1. Click Providers in the sidebar and then ‘Add Provider’
   2. Enter Issuer URL: https://accounts.google.com
   3. Enter Client ID and Client Secret
   4. Click Connect
   Other Provider

   For any OAuth 2.0 / OIDC provider:

   1. Create a web application in your provider
   2. Add the OAuth Redirect URL to allowed redirect URIs
   3. Enable Authorization Code and Refresh Token grant types
   4. Note your provider’s issuer URL, client ID, and client secret

   In Keycard Console:

   1. Click Providers in the sidebar and then ‘Add Provider’
   2. Enter your provider’s Issuer URL
   3. Enter Client ID and Client Secret
   4. Click Connect

3. Select the identity provider for the zone

   In Keycard Console:

   1. Click Zone Settings in the sidebar
   2. Select the Identity Provider dropdown
   3. Select the Provider you just configured
   4. Save your changes

Troubleshooting

OAuth flow fails or redirects to error page

• Verify the OAuth Redirect URL is correctly added to your identity provider
• Ensure your identity provider’s issuer URL is correct (include/exclude trailing / as required)
• Check that users are assigned to the application in your identity provider