Providers

Overview of providers within the Keycard platform.

Providers issue authentication credentials to users and applications, and issue access credentials that permit users and agents to access resources.

Every Keycard zone has a built-in provider which can authenticate users and applications using locally-issued credentials, such as passwords and client secrets. The same provider can also issue access tokens that authorize access to resources. In this default configuration, every zone is a self-contained trust domain that authenticates users and agents and authorizes access to resources within the zone.

External providers can be added to a zone to establish trust relationships with other domains; this is also referred to as federation.

External identity providers (IdPs) can be added to a zone, creating a trust relationship between the zone and the IdP. This enables single sign-on (SSO), allowing users to sign in to the zone with one set of credentials.

Keycard zones support standard protocols, including OpenID Connect and SAML. These protocols are broadly supported by both enterprise IdPs, including Microsoft Entra and Okta, and social login providers, including Google and Apple.

Cloud service providers (CSPs) can be added to a zone, creating a trust relationship between the zone and the CSP. This enables applications and workloads running on the provider to authenticate to the zone using provider-issued tokens, eliminating the need for static secrets.

Keycard zones support popular infrastructure providers, including Amazon Web Services, Microsoft Azure, and Google Cloud. Platforms such as Vercel and GitHub Actions are also supported.
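As an added illustration of the trust relationship described above (example code, not Keycard's own implementation or API), the following evaluates a verified provider-issued OIDC token against a constructed federation trust policy and decides which zone application, if any, the workload binds to. It assumes the token's signature has already been checked against the issuer's published keys; the issuer URL is GitHub Actions' OIDC issuer, while the audience, repository names, and application names are constructed.

```python
"""Bind a provider-issued workload token to a zone application (added example).

Precondition (not done here): the JWT signature was verified against the
issuer's JWKS. This code only decides whether the verified claims map to
an application identity under the zone's trust policy.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass(frozen=True)
class FederationRule:
    issuer: str           # trusted CSP / platform token issuer ("iss")
    audience: str         # audience the zone expects ("aud"); stops replay of tokens minted for other services
    subject_pattern: str  # glob over the workload identity ("sub")
    application: str      # zone application the workload is bound to


# Constructed trust policy. Rules are evaluated in order; first match wins, so the
# tighter main-branch rule is listed before the broader branch rule.
TRUST_POLICY: List[FederationRule] = [
    FederationRule(
        issuer="https://token.actions.githubusercontent.com",
        audience="https://zone.example/acme",          # constructed zone audience
        subject_pattern="repo:acme/api:ref:refs/heads/main",
        application="api-deployer",
    ),
    FederationRule(
        issuer="https://token.actions.githubusercontent.com",
        audience="https://zone.example/acme",
        subject_pattern="repo:acme/*:ref:refs/heads/*",  # any branch of any acme repo
        application="ci-readonly",
    ),
]


def audiences(claims: dict) -> List[str]:
    """The 'aud' claim may be a single string or a list; normalise to a list."""
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def map_workload_identity(claims: dict, policy: List[FederationRule], now: float) -> Optional[str]:
    """Return the bound application name, or None if no rule accepts the token."""
    if claims.get("exp", 0) <= now:          # expired (or missing) tokens never match
        return None
    for rule in policy:
        if claims.get("iss") != rule.issuer:
            continue
        if rule.audience not in audiences(claims):
            continue
        if not fnmatchcase(str(claims.get("sub", "")), rule.subject_pattern):
            continue
        return rule.application
    return None
```

Because the subject pattern is matched against the full `sub` claim, a token from a repository outside the `acme` organisation is rejected even though it carries the same issuer and audience.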

External authorization servers that issue access credentials for resources hosted by third parties can be added to a zone. This allows the zone to broker access to resources located in other trust domains.

Keycard zones support brokering via a variety of mechanisms, including OAuth 2.0 grants that enable cross-app access and programmatic access interfaces that are bespoke to specific resource types or providers.