Resources
Overview of resources within the Keycard platform.
Resources allow users and applications to access and operate on protected data. Resources typically take the form of web APIs, MCP servers, and databases. More generally, they are services which make access available via a network protocol, such as HTTP, FTP, or SSH. In some cases, resources may expose physical infrastructure such as printers.
Resources represent anything that requires authentication and authorization in order to be accessed.
Access
Keycard zones authenticate users and agents, authorize their access, and issue access credentials that reflect the authentication and authorization that were performed. Resources validate these credentials, thereby enforcing end-to-end access control. Tokens are encoded in standard formats, including JSON Web Token (JWT) and CBOR Web Token (CWT).
Credentials
Every resource is associated with a credential provider that determines what kind of credential Keycard produces when access is granted. The credential provider is configured when a resource is registered with a zone.
Keycard-Issued Tokens
When the zone’s built-in provider is used, Keycard STS signs a JWT for the resource. The JWT contains claims identifying the user (or application), the resource audience, granted scopes, and expiration. These can be validated using the zone’s public keys, available at the zone’s JWKS endpoint.
This is the default for resources hosted within the zone’s trust domain, including MCP servers and APIs that integrate with Keycard directly.
Vaulted Static Credentials
When a Keycard Vault provider is used, Keycard retrieves a stored credential from the vault and returns it to the requesting application.
This is the path for legacy systems that do not support dynamic, token-based authentication: databases with static passwords, older APIs that expect long-lived API keys, and services that require basic auth. Keycard stores these credentials encrypted, brokers them on demand, and audits every retrieval, bringing the same access control and observability to resources that cannot participate in OAuth flows.
Brokered Access
When an external access credential provider is used, Keycard brokers credentials from a third-party authorization server. The external provider issues tokens for resources it controls (e.g., GitHub, Google, Slack), and Keycard stores and manages those tokens on behalf of users.
Brokered credentials are established during interactive flows such as the authorization code flow, where the user consents to the application accessing external resources. Subsequent requests use the stored credentials without requiring user interaction.
See Brokered Credentials for how these credentials are managed and refreshed.