Quick Start

Get your first secure agent-tool connection working in minutes using Keycard’s Hello MCP Server.

Prerequisites

• An AI agent IDE (Cursor recommended) or MCP-compatible client

Create Your Keycard Account

1. Navigate to Keycard Console

   Go to console.keycard.ai

2. Sign up or log in

   Note

   Keycard is currently in Early Access. You can sign up for early access here.

   Create your account or sign in with existing credentials.

3. View your default zone

   You will land at your default zone’s applications page.

Note

What is a Zone? A zone is your isolated security boundary. Each zone can have its own identity provider, applications, and resources. Your default zone is automatically created when you sign up.

Configure your Default Zone

Before you can connect to resources in your zone, you must configure your zone’s authentication. Zone access is seperate from Console access.

Tip

Keycard provides zone user authentication by default. To connect your own identity provider (Okta, Auth0, Google, etc.), see Identity Providers.

In your Keycard Console, navigate to Users. Click Invite User. Enter your email address and click Invite to zone.

Test with Hello MCP Server

The default zone includes a pre-configured Hello MCP Server resource for testing.

1. Find Hello MCP Server

   In your Keycard Console, navigate to Resources and click on Hello MCP Server

2. Install in your AI agent

   1. In the Scopes section, add the available scope and save your changes
   2. Click the Install dropdown and select your client (e.g., Cursor)
   3. Accept the browser prompt to open your AI agent client
   4. In your client’s MCP panel, click Connect
   5. Complete the OAuth flow with Keycard. If you’re using Keycard authentication:
      1. Click Sign up and create a zone user account.
      2. Verify your email by code, if you instead use the link, you will need to reconnect and sign in.
      3. Finish the OAuth flow and return to your AI agent client.

3. Test the connection

   In your AI agent, try these prompts:

   • “Show me the Keycard logo”
   • “Run the whoami tool”

   You should see successful responses from both tools!

Verify Your Setup

1. Check Audit Logs

   In Keycard Console, navigate to Audit Logs to see the authentication flow in action:

   users:authenticate	You logged in successfully
   users:authorize	Your access was authorized
   credentials:issue	Access token was issued

   Tip

   Success! You now have an AI agent securely accessing tools through Keycard with user authentication.

What Just Happened?

Here is the authentication flow that just took place:

1. Your AI agent discovered the MCP server’s OAuth configuration
2. You were redirected to Keycard to authenticate
3. You signed in with your Keycard credentials
4. Keycard issued an access token for the MCP server
5. Your AI agent used that token to call tools securely

All token management, refresh logic, and credential storage is handled by Keycard automatically.

Note

Need help? Check out our troubleshooting guide or reach out at hello@keycard.ai

Troubleshooting

MCP server does not appear in my AI agent

• Confirm you clicked the browser prompt to open your client
• Try manually adding the MCP server using the connection URL from Quick Actions
• Restart your AI agent client

Tools fail to execute

• Check Audit Logs for error messages
• Verify the access token was issued successfully
• Try disconnecting and reconnecting the MCP server

Cannot find Hello MCP Server resource

• Ensure you are looking in your default zone
• Contact support if the issue persists