Supported Standards & Protocols
Every protocol, standard, and interface supported by Keycard - available on all plans
Every protocol listed here is available on every plan. Nothing is gated by tier.
Token and authorization
OAuth 2.1 is the core authorization framework. Keycard supports Dynamic Client Registration (agents and applications register as OAuth clients at runtime), Registered Clients (pre-configured with known credentials), and Client ID Metadata (attach metadata to identities for policy evaluation).
Token Exchange (RFC 8693) swaps one token for another with different permissions, scope, or audience. This is how agents move between applications with least-privilege access - trading a broad token for one scoped to what they actually need.
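As an added illustration (not Keycard's code or API), the Python below sketches the RFC 8693 exchange the paragraph describes: a client submits its broad token under the `urn:ietf:params:oauth:grant-type:token-exchange` grant, and the issuer returns a token narrowed to a subset of the held scope and a single audience, refusing any request that would widen privilege. The HMAC-tagged token format, the signing key and the scope and audience values are constructed stand-ins for a real signed JWT.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs, urlencode

GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"  # RFC 8693 grant_type
ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
KEY = b"constructed-demo-key"  # constructed stand-in for the issuer's signing key

def mint(claims: dict) -> str:
    """Toy token: base64url(JSON claims) + HMAC tag. Stands in for a signed JWT."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).rstrip(b"=")
    tag = hmac.new(KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag

def verify(token: str) -> dict:
    """Check the tag in constant time and return the claims; raise on tampering."""
    body, tag = token.rsplit(".", 1)
    if not hmac.compare_digest(tag, hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()):
        raise ValueError("bad tag")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def issue_token(sub: str, scope: str, ttl: int = 3600) -> str:
    """The broad token an agent holds before the exchange (demo issuer)."""
    return mint({"sub": sub, "scope": scope, "exp": int(time.time()) + ttl})

def build_exchange_request(subject_token: str, scope: str, audience: str) -> str:
    """Client side: form body of an RFC 8693 token exchange request."""
    return urlencode({"grant_type": GRANT, "subject_token": subject_token,
                      "subject_token_type": ACCESS_TOKEN, "scope": scope, "audience": audience})

def token_exchange(form_body: str) -> dict:
    """Server side: narrow scope and audience; never widen privilege."""
    form = {k: v[0] for k, v in parse_qs(form_body).items()}
    if form.get("grant_type") != GRANT:
        return {"error": "unsupported_grant_type"}
    try:
        subject = verify(form["subject_token"])
    except (KeyError, ValueError):
        return {"error": "invalid_request"}
    now = int(time.time())
    if subject["exp"] <= now or "audience" not in form:
        return {"error": "invalid_request"}
    requested, held = set(form.get("scope", "").split()), set(subject["scope"].split())
    if not requested or not requested <= held:  # requested scope must be a subset of what is held
        return {"error": "invalid_scope"}
    exp = min(subject["exp"], now + 300)  # the exchanged token is also short-lived
    narrowed = mint({"sub": subject["sub"], "aud": form["audience"],
                     "scope": " ".join(sorted(requested)), "exp": exp})
    return {"access_token": narrowed, "issued_token_type": ACCESS_TOKEN,
            "token_type": "Bearer", "expires_in": exp - now, "scope": " ".join(sorted(requested))}
```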
Token Brokering translates tokens from external identity providers into Keycard-managed tokens. Brokered tokens let agents access resources where Keycard handles the initial authorization but stays out of the ongoing request path.
Workload identity
SPIFFE (Secure Production Identity Framework for Everyone) gives workloads cryptographic identity. Keycard issues and validates SPIFFE IDs, carried in SVIDs, so workloads can authenticate to each other without shared secrets.
WIMSE (Workload Identity in Multi System Environments) extends this across organizational and cloud boundaries - for cases where agents need to authenticate across trust domains.
Agent and tool protocols
MCP (Model Context Protocol) handles agent-to-tool communication. Keycard protects MCP tool calls by issuing and validating tokens per interaction and enforcing policy on which tools an agent can reach.
A2A (Agent-to-Agent) handles agent-to-agent communication. Keycard authenticates both sides and enforces policy on what each agent can do to the other.
Developer interfaces
| Interface | Description |
|---|---|
| REST API | Programmatic access to zones, applications, policy, identity providers, and telemetry. API Reference → |
| CLI | Manage configuration, deploy policy, and debug token flows from the terminal. |
| SDKs | Client libraries for OAuth, MCP, and agent integration. |
| Terraform | Manage Keycard resources as code. Provider docs → |
| Agent Built Tools | Agents can register their own tools in Keycard, subject to the same identity, policy, and telemetry controls as anything else. |
Identity provider compatibility
Keycard works with any identity provider that speaks a supported standard: OAuth 2.1, OIDC, SAML, SPIFFE, or WIMSE.
| Category | Examples |
|---|---|
| Cloud | AWS IAM, Azure Entra ID, Google Cloud IAM |
| Enterprise | Okta, Auth0, Ping Identity, OneLogin |
| On-prem | Active Directory, LDAP |
| Custom | Anything that implements a supported standard |
The catalog has pre-built configurations for common providers. For everything else, configure using the standards above or the SDKs.
Encryption and transport
See Security for the full encryption model and key management details.
| Standard | Use |
|---|---|
| TLS 1.3 | Transit encryption |
| ChaCha20 | Secret materials at rest |
| ECDSA P-256 | JWT signing |
| AES-256 | AWS KMS envelope encryption |
| JWT (RFC 7519) | Token format |
| JWK (RFC 7517) | Public key distribution via JWKS endpoints |