---
title: Access Provider APIs | Keycard
description: Use Keycard SDKs to get scoped credentials for external APIs. No static secrets, no manual rotation.
---

Keycard issues short-lived, scoped credentials that external providers accept via Workload Identity Federation (WIF). Your application authenticates to Keycard, requests a token for a specific provider, and uses that token directly with the provider’s API. No API keys stored anywhere.

Your AppUses credential with provider

Keycard-minted access token

Provider APIShort-lived token, no secrets stored

Keycard ZoneIssues scoped credential

Provider WIFValidates JWT, returns access token

## How it works

1. **Register the external API as a resource** in your Keycard zone and select your zone provider as the credentials issuer
2. **Configure the external provider** to trust your zone’s OIDC issuer — each provider guide walks through this
3. **Your application authenticates** to Keycard and requests a token scoped to the external resource
4. **Keycard issues a short-lived OIDC JWT** signed by your zone, which the provider validates and exchanges for an access token

For the conceptual model behind access federation and brokered credentials, see [Providers](/concepts/providers/#access-federation/index.md).

## Provider guides

[Anthropic ](/guides/access-provider-apis/anthropic/index.md)Dynamic credentials for Claude and other Anthropic models via Workload Identity Federation