# Keycard Documentation Keycard is the identity and access management platform for AI agents. It adds OAuth-based authentication and authorization to MCP servers and agent workflows so every tool call is tied to a verified user, scoped to explicit permissions, and logged for audit. > Full concatenated corpus: https://docs.keycard.ai/llms-full.txt > API reference (server-rendered from OpenAPI, not in this index): https://docs.keycard.ai/api When installing Keycard SDKs, always check the package registry for the latest version rather than relying on memorized version numbers. For Python, check https://pypi.org/project/keycardai/. For TypeScript (npm), check https://www.npmjs.com/package/@keycardai/mcp. For Go, check https://pkg.go.dev/github.com/keycardai/credentials-go. Never hardcode old version numbers. Always install with the latest version or verify first. ## Get Started - [Quickstart](https://docs.keycard.ai/guides/quickstart.md): Set up policy-enforced, audited agentic coding in minutes - [How Keycard works](https://docs.keycard.ai/guides/how-keycard-works.md): Understand how Keycard governs access in agentic, federated systems. ## Guides - [Access APIs on Behalf of Users](https://docs.keycard.ai/guides/access-apis-on-behalf-of-users.md): Build an app or custom MCP server that accesses APIs on behalf of your users without storing tokens. - [Run Apps Without Static Secrets](https://docs.keycard.ai/guides/run-apps-without-static-secrets.md): Deploy services that authenticate themselves without API keys or secrets in environment variables. - [Grant Agent Access to APIs](https://docs.keycard.ai/guides/grant-agent-access-to-apis.md): Build an autonomous agent that authenticates to Snowflake using Workload Identity Federation. No human approvals, no stored secrets. - [Why Keycard](https://docs.keycard.ai/guides/why-keycard.md): Why AI agents need a new approach to identity, access, and trust - [Connect agents to tools](https://docs.keycard.ai/guides/mcp-catalog.md): Install a managed MCP server from the Keycard MCP Catalog, connect it to Cursor or Claude Code, and verify every tool call in the audit log. - [Build a Slack agent](https://docs.keycard.ai/guides/slack-agent.md): Build an AI-powered Slack bot that uses MCP servers authenticated through Keycard - [Run coding agents with Keycard](https://docs.keycard.ai/guides/secure-agentic-coding.md): Wrap Claude Code, Cursor, and other coding agents in a secure Keycard session with scoped credentials, policy enforcement, and audit logs. - [Deploy an MCP server on Cloudflare Workers](https://docs.keycard.ai/guides/cloudflare-worker.md): Deploy a Keycard-protected MCP server on Cloudflare Workers with JWT verification, token exchange, and isolate-safe caching - [Migrate to FastMCP 3.0](https://docs.keycard.ai/guides/fastmcp-3-migration.md): Upgrade your Keycard-protected MCP server from FastMCP 2.x to 3.0 - [GitHub](https://docs.keycard.ai/guides/delegated-access/github.md): Build an MCP server with GitHub API tools using Keycard delegated access - [Google Workspace](https://docs.keycard.ai/guides/delegated-access/google.md): Build an MCP server with Google Calendar and Drive tools using Keycard delegated access ## Admin - [Operate](https://docs.keycard.ai/platform/operate.md): Admin, security, and operational controls for running Keycard in production. - [Single Sign-On](https://docs.keycard.ai/admin/single-sign-on.md): Configure SSO for your Keycard organization - [Roles & Permissions](https://docs.keycard.ai/admin/roles-and-permissions.md): Manage access control for your organization and zones - [Audit Log Export](https://docs.keycard.ai/admin/audit-log-export.md): Export Keycard audit logs to your S3 bucket in OCSF format - [Catalog](https://docs.keycard.ai/admin/catalog.md): Pre-configured MCP servers and OAuth-protected APIs, all governed by Keycard identity, policy, and audit. - [Access Policies](https://docs.keycard.ai/admin/access-policies.md): Configure fine grained access control policies - [API Servers](https://docs.keycard.ai/admin/catalog/api-servers.md): Pre-configured third-party APIs your application calls on behalf of authenticated users. - [Attio](https://docs.keycard.ai/admin/catalog/api-servers/attio.md): Manage contacts, companies, and relationships in Attio - [Confluence](https://docs.keycard.ai/admin/catalog/api-servers/confluence.md): Access Confluence pages, spaces, and content - [GitHub](https://docs.keycard.ai/admin/catalog/api-servers/github.md): Access repositories, issues, and pull requests - [Gmail](https://docs.keycard.ai/admin/catalog/api-servers/gmail.md): Access Gmail emails and send messages - [Google Calendar](https://docs.keycard.ai/admin/catalog/api-servers/google-calendar.md): Access and manage calendar events - [Google Drive](https://docs.keycard.ai/admin/catalog/api-servers/google-drive.md): Access and manage files in Google Drive - [Jira](https://docs.keycard.ai/admin/catalog/api-servers/jira.md): Access Jira issues, projects, and workflows - [Linear](https://docs.keycard.ai/admin/catalog/api-servers/linear.md): Manage issues, projects, and workflows in Linear - [Sentry](https://docs.keycard.ai/admin/catalog/api-servers/sentry.md): Access error tracking, events, and project data - [Slack](https://docs.keycard.ai/admin/catalog/api-servers/slack.md): Send messages and interact with Slack workspaces - [MCP Servers](https://docs.keycard.ai/admin/catalog/mcp-servers.md): Official MCP servers from each provider, fronted by the Keycard MCP Gateway. - [Ahrefs](https://docs.keycard.ai/admin/catalog/mcp-servers/ahrefs.md): SEO and marketing intelligence platform - [Amplitude](https://docs.keycard.ai/admin/catalog/mcp-servers/amplitude.md): Product analytics and behavioral data platform - [Apify](https://docs.keycard.ai/admin/catalog/mcp-servers/apify.md): Web scraping and automation platform - [Atlassian](https://docs.keycard.ai/admin/catalog/mcp-servers/atlassian.md): Jira, Confluence, and Compass project management suite - [Attio](https://docs.keycard.ai/admin/catalog/mcp-servers/attio.md): AI-native CRM platform for relationship management - [Axiom](https://docs.keycard.ai/admin/catalog/mcp-servers/axiom.md): Observability and log management platform - [Box](https://docs.keycard.ai/admin/catalog/mcp-servers/box.md): Box's official MCP server for cloud content management, file collaboration, and document operations. - [Close](https://docs.keycard.ai/admin/catalog/mcp-servers/close-crm.md): Sales CRM for inside sales teams - [Cloudflare](https://docs.keycard.ai/admin/catalog/mcp-servers/cloudflare.md): Cloud platform for networking, security, and developer tools - [GitHub](https://docs.keycard.ai/admin/catalog/mcp-servers/github.md): GitHub's official MCP server for repository management, issues, pull requests, code search, and collaboration. - [Granola](https://docs.keycard.ai/admin/catalog/mcp-servers/granola.md): AI meeting notes and transcript platform - [HubSpot](https://docs.keycard.ai/admin/catalog/mcp-servers/hubspot.md): HubSpot's official MCP server for CRM management, campaign analytics, and customer data operations. - [Jam](https://docs.keycard.ai/admin/catalog/mcp-servers/jam.md): AI-powered bug reporting and debugging platform - [Klaviyo](https://docs.keycard.ai/admin/catalog/mcp-servers/klaviyo.md): AI-powered email and SMS marketing automation - [Linear](https://docs.keycard.ai/admin/catalog/mcp-servers/linear.md): Issue tracking and project management for software teams - [Mapbox](https://docs.keycard.ai/admin/catalog/mcp-servers/mapbox.md): Maps, styles, documentation, and geospatial developer tools - [Mixpanel](https://docs.keycard.ai/admin/catalog/mcp-servers/mixpanel.md): Product analytics and user behavior tracking - [Monday.com](https://docs.keycard.ai/admin/catalog/mcp-servers/monday.md): AI work management and project collaboration - [Neon](https://docs.keycard.ai/admin/catalog/mcp-servers/neon.md): Serverless Postgres with branching and autoscaling - [Notion](https://docs.keycard.ai/admin/catalog/mcp-servers/notion.md): All-in-one workspace for notes, docs, and project management - [PayPal](https://docs.keycard.ai/admin/catalog/mcp-servers/paypal.md): Invoices and PayPal transaction history - [Pulumi](https://docs.keycard.ai/admin/catalog/mcp-servers/pulumi.md): Manage cloud infrastructure with Pulumi IaC - [Sentry](https://docs.keycard.ai/admin/catalog/mcp-servers/sentry.md): Application monitoring, error tracking, and performance - [Stripe](https://docs.keycard.ai/admin/catalog/mcp-servers/stripe.md): Stripe's official MCP server for payments, billing, subscriptions, and financial operations. - [Stytch](https://docs.keycard.ai/admin/catalog/mcp-servers/stytch.md): Configure authentication projects with Stytch - [Supabase](https://docs.keycard.ai/admin/catalog/mcp-servers/supabase.md): Supabase's official MCP server for database management, Edge Functions, branching, and project administration. - [Webflow](https://docs.keycard.ai/admin/catalog/mcp-servers/webflow.md): Build and manage Webflow sites and CMS content - [Wix](https://docs.keycard.ai/admin/catalog/mcp-servers/wix.md): Build and manage Wix sites and business tools - [Deployment](https://docs.keycard.ai/admin/deployment.md): Understanding Keycard's deployment options for different security and compliance needs - [Identity Providers](https://docs.keycard.ai/admin/identity-providers.md): Connect your own OAuth 2.0 identity provider to a Keycard zone - [Connect Auth0](https://docs.keycard.ai/admin/tutorials/auth0-sign-in.md): Connect Auth0 as an identity provider for zone-level user authentication. - [Connect Okta](https://docs.keycard.ai/admin/tutorials/okta-sign-in.md): Connect Okta as an identity provider for zone-level user authentication. - [Usage & Billing](https://docs.keycard.ai/admin/usage.md): Understanding Keycard's billing model - [Zone Authentication](https://docs.keycard.ai/admin/zone-authentication.md): Configuring and using Zone Authentication ## Concepts - [Zones](https://docs.keycard.ai/concepts/zones.md): Overview of zones within the Keycard platform. - [Users](https://docs.keycard.ai/concepts/users.md): Overview of users within the Keycard platform. - [Applications](https://docs.keycard.ai/concepts/applications.md): Overview of applications within the Keycard platform. - [Resources](https://docs.keycard.ai/concepts/resources.md): Overview of resources within the Keycard platform. - [Providers](https://docs.keycard.ai/concepts/providers.md): Overview of providers within the Keycard platform. - [Policies](https://docs.keycard.ai/concepts/policies.md): How Keycard decides whether users and applications can access resources. - [Credential Issuance](https://docs.keycard.ai/concepts/credentials.md): Overview of the different methods Keycard offers to issue credentials. ## Reference - [CLI](https://docs.keycard.ai/cli.md): Install, authenticate, manage credentials, authorize resources, and run commands in secure sessions with Keycard. - [keycard-credentials](https://docs.keycard.ai/skills/keycard-credentials.md): Shows what credentials are configured in this Keycard session — which services are available and what they provide access to. - [keycard-discover-entities](https://docs.keycard.ai/skills/keycard-discover-entities.md): Discover and wire credential entities via the Keycard Management API — find available entity URIs and register them in keycard.toml. - [keycard-query-policy](https://docs.keycard.ai/skills/keycard-query-policy.md): Answer questions about the active Cedar policy and diagnose tool blocks — read-only; does not modify the policy. - [keycard-upsert-config](https://docs.keycard.ai/skills/keycard-upsert-config.md): Set or change a field in keycard.toml — reads the current value and writes a targeted update. - [keycard-upsert-policy](https://docs.keycard.ai/skills/keycard-upsert-policy.md): Propose, confirm, and apply a Cedar policy change — propose → confirm → write → verify. - [Agent-to-Agent](https://docs.keycard.ai/sdk/agent-to-agent.md): Agent-to-agent delegation using the A2A protocol. - [Cloudflare Workers](https://docs.keycard.ai/sdk/cloudflare.md): Keycard auth for Cloudflare Workers. JWT verification, token exchange, and isolate-safe caching. - [MCP](https://docs.keycard.ai/sdk/mcp.md): OAuth authentication for MCP servers. Bearer middleware, metadata endpoints, and grant decorators. - [OAuth Primitives](https://docs.keycard.ai/sdk/oauth.md): Low-level OAuth 2.0 primitives for discovery, token exchange, and JWT operations. - [Security Architecture](https://docs.keycard.ai/reference/security-architecture.md): Keycard's security model, encryption, and data protection - [Supported Standards & Protocols](https://docs.keycard.ai/reference/standards.md): Every protocol, standard, and interface supported by Keycard - available on all plans