Zone Authentication
Configuring and using Zone Authentication
Keycard provides zone user authentication by default. If you want to use your own identity provider (Okta, Auth0, Google, etc.) for zone-level user authentication, see Identity Providers.
Configure Zone Authentication
- In Keycard Console, navigate to Zone Settings (click your zone name in the sidebar)
- Under Zone sign in configuration, disable Use an external Identity Provider (it is disabled by default).
- Decide whether to require invitations. If you disable Require invitation to sign in to this zone, ANYONE with a URL to the zone will be able to sign up without an invitation and access zone applications and MCP servers.
- Click Save Changes
Invite Users
This step is optional if you disabled Require invitation to sign in to this zone in the previous step.
- In Keycard Console, in the sidebar under Activity, click Users
- Click Invite User
- Enter email addresses of anyone you’d like to be able to use the zone.
- Click Invite to zone
The user does not need to open their invitation email. When invitations are required, inviting a user adds their email address to an allowlist of who can sign up for a zone.
Use a Zone Protected Application or MCP Server / Create a Zone User Account
For ease of use, zone user sign up is done in-band: when a user attempts to connect to a zone-provided application or MCP server, they will be prompted to log in or sign up. After sign up or login, if a user has not yet verified their email, they will be prompted to do so.
Troubleshooting
Account creation fails
- If invitations are required, verify that the email the user is trying to sign up with matches a pending, non-expired invitation under Users -> Invitations in Keycard Console.
- Ensure they do not already have an account: look for their email in Users in Keycard Console. If they have an account, instruct them to click Forgot Password? from the sign in page to reset their password.
Login fails
- Ensure they have an account: look for their email in Users in Keycard Console. If they do not have an account, invite them if needed and have them sign up. If they have an account, instruct them to click Forgot Password? from the sign in page to reset their password.
I verified my email, but I still am not authenticated?
- If you clicked the email verification link rather than entering the code to continue the flow, you will need to reconnect to your application or MCP server and log in to the zone to proceed.