---
title: Supported Standards & Protocols | Keycard
description: Every protocol, standard, and interface supported by Keycard - available on all plans
---

Every protocol listed here is available on every plan. Nothing is gated by tier.

## Token and authorization

**OAuth 2.1** is the core authorization framework. Keycard supports [Dynamic Client Registration](/sdk/oauth/index.md) (agents and applications register as OAuth clients at runtime), Registered Clients (pre-configured with known credentials), and Client ID Metadata (attach metadata to identities for policy evaluation).

**Token Exchange** (RFC 8693) swaps one token for another with different permissions, scope, or audience. This is how agents move between applications with [least-privilege access](/concepts/credentials/#delegation-chaining/index.md) - trading a broad token for one scoped to what they actually need.
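
The exchange described above has a fixed request shape (RFC 8693 §2.1) and, on the server side, a least-privilege rule: the new token may carry a subset of the subject token's scope and a single target audience, never more. The following is an added illustration, not Keycard's own implementation or SDK code. The issuer, subject, audience and scope strings are constructed sample values, and the function assumes the caller has already verified the subject token's signature and decoded its claims.

```python
"""RFC 8693 token exchange: request body construction and scope narrowing.

Illustrative code, not a Keycard component. Token verification is assumed
to have happened before narrow_token() is called.
"""
from urllib.parse import parse_qs, urlencode

# Grant type and token type URIs defined by RFC 8693 §2.1 and §3.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


class ExchangeError(ValueError):
    """Maps to an HTTP 400 JSON body {"error": <code>} per RFC 8693 §2.2.2."""

    def __init__(self, error: str, description: str = ""):
        super().__init__(f"{error}: {description}" if description else error)
        self.error = error


def build_exchange_request(subject_token: str, audience: str, scope: str = "") -> str:
    """Encode the form body an agent POSTs to the token endpoint.

    `scope` is optional: an empty value asks for the subject token's full scope.
    """
    return urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,
        "scope": scope,
    })


def narrow_token(subject_claims: dict, form_body: str) -> dict:
    """Decide what the exchanged token may contain.

    subject_claims: already-verified claims of the presented token
    (must include "iss", "sub" and a space-separated "scope").
    Returns the claim set for the new token; raises ExchangeError otherwise.
    """
    params = {k: v[0] for k, v in parse_qs(form_body).items()}

    if params.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        raise ExchangeError("unsupported_grant_type")
    if params.get("subject_token_type") != ACCESS_TOKEN_TYPE:
        raise ExchangeError("invalid_request", "unsupported subject_token_type")
    if not params.get("subject_token"):
        raise ExchangeError("invalid_request", "subject_token is required")

    # Exactly one target audience: a token valid everywhere is not least privilege.
    audience = params.get("audience")
    if not audience or " " in audience:
        raise ExchangeError("invalid_target", "a single audience is required")

    # Scope may only shrink. An omitted scope means "what I already hold".
    held = set(subject_claims["scope"].split())
    requested = set(params.get("scope", "").split()) or held
    if not requested <= held:
        raise ExchangeError(
            "invalid_scope",
            "requested scope exceeds subject token: " + " ".join(sorted(requested - held)),
        )

    return {
        "iss": subject_claims["iss"],
        "sub": subject_claims["sub"],
        "aud": audience,
        "scope": " ".join(sorted(requested)),
        # Delegation via actor_token (the "act" claim) is out of scope here.
    }


def exchange_response(new_token: str, expires_in: int = 300) -> dict:
    """Success body per RFC 8693 §2.2.1."""
    return {
        "access_token": new_token,
        "issued_token_type": ACCESS_TOKEN_TYPE,
        "token_type": "Bearer",
        "expires_in": expires_in,
    }


if __name__ == "__main__":
    # Constructed sample: an agent holding broad scope asks for a CRM-only token.
    broad = {"iss": "https://issuer.example", "sub": "agent-7",
             "scope": "crm:read crm:write mail:send"}
    body = build_exchange_request("subject-token-value", "https://crm.example", "crm:read")
    print(narrow_token(broad, body))
    try:
        narrow_token(broad, build_exchange_request("t", "https://crm.example", "admin:all"))
    except ExchangeError as e:
        print("rejected:", e.error)
```

The two checks that do the security work are the subset test on scope and the single-audience requirement; everything else is request parsing. A real token endpoint would additionally verify the subject token and sign the returned claims, which this sketch leaves to the caller.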

**Token Brokering** translates tokens from external identity providers into Keycard-managed tokens. Brokered tokens let agents access resources where Keycard handles the initial authorization but stays out of the ongoing request path.

## Workload identity

**SPIFFE** (Secure Production Identity Framework for Everyone) gives workloads cryptographic identity. Keycard issues and validates SPIFFE Verifiable Identity Documents (SVIDs), which carry a workload's SPIFFE ID, so workloads can authenticate to each other without shared secrets.

**WIMSE** (Workload Identity in Multi System Environments) extends this across organizational and cloud boundaries - for cases where agents need to authenticate across trust domains.

## Agent and tool protocols

**MCP** (Model Context Protocol) handles agent-to-tool communication. Keycard protects [MCP tool calls](/sdk/mcp/index.md) by issuing and validating tokens per interaction and enforcing policy on which tools an agent can reach.

**A2A** (Agent-to-Agent) handles agent-to-agent communication. Keycard authenticates both sides and enforces policy on what each agent can do to the other.

## Developer interfaces

| Interface         | Purpose                                                                                                                                      |
| ----------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
| REST API          | Programmatic access to zones, applications, policy, identity providers, and telemetry. [API Reference](/api/index.md)                        |
| CLI               | Manage configuration, deploy policy, and debug token flows from the terminal.                                                                |
| SDKs              | Client libraries for [OAuth](/sdk/oauth/index.md), [MCP](/sdk/mcp/index.md), and [agent-to-agent](/sdk/agent-to-agent/index.md) integration. |
| Terraform         | Manage Keycard resources as code. [Provider docs](https://registry.terraform.io/providers/keycardai/keycard/latest/docs)                     |
| Agent Built Tools | Agents can register their own tools in Keycard, subject to the same identity, policy, and telemetry controls as anything else.               |

## Identity provider compatibility

Keycard works with any identity provider that speaks a supported standard: OAuth 2.1, OIDC, SAML, SPIFFE, or WIMSE.

| Provider type | Examples                                      |
| ------------- | --------------------------------------------- |
| Cloud      | AWS IAM, Azure Entra ID, Google Cloud IAM     |
| Enterprise | Okta, Auth0, Ping Identity, OneLogin          |
| On-prem    | Active Directory, LDAP                        |
| Custom     | Anything that implements a supported standard |

The [catalog](/admin/resource-catalog/index.md) has pre-built configurations for common providers. For everything else, configure using the standards above or the [SDKs](/sdk/index.md).

## Encryption and transport

See [Security Architecture](/reference/security-architecture/index.md) for the full encryption model and key management details.

| Standard       | Use                                        |
| -------------- | ------------------------------------------ |
| TLS 1.3        | Transit encryption                         |
| ChaCha20       | Secret materials at rest                   |
| ECDSA P-256    | JWT signing                                |
| AES-256        | AWS KMS envelope encryption                |
| JWT (RFC 7519) | Token format                               |
| JWK (RFC 7517) | Public key distribution via JWKS endpoints |
