How Transactions Work
Understanding Keycard's billing model
A transaction is recorded each time Keycard is involved in a tool call - issuing a credential, validating a request, or handling a step-up approval. Every plan includes a monthly allocation of transactions. See Pricing for plan details.
When Keycard is involved
Section titled “When Keycard is involved”How often Keycard participates in the request path depends on how your resources are connected.
Protected resources
Section titled “Protected resources”Keycard is involved in both issuing and validating the agent’s credential, providing per-request policy enforcement and real-time telemetry. Each tool call generates a transaction.
This applies to resources protected via the SDK, the gateway, or the CLI.
Brokered resources
Section titled “Brokered resources”Keycard issues a credential that the agent uses to directly access a downstream application. Once the credential is issued, Keycard is no longer involved in the request path. Only the initial issuance generates a transaction - subsequent calls go straight to the service.
This is the pattern for third-party services like GitHub, Slack, and Google Workspace, connected via access credential providers.
Step-up authentication
Section titled “Step-up authentication”When policy requires human approval for a sensitive action, that approval generates a transaction. Routine actions proceed without interruption.
Estimating usage
Section titled “Estimating usage”| Pattern | Transactions |
|---|---|
| Agent calls tools on a protected resource | 1 per tool call |
| Agent accesses a brokered resource | 1 at issuance, then none |
| Agent exchanges a credential for a different resource | 1 per exchange |
| Sensitive action triggers human approval | 1 per approval |