Commands

CLI

Authenticate, manage credentials, configure the CLI, and run commands with Keycard.

The keycard CLI handles authentication, credential management, resource authorization, and secure agent sessions.

Authentication

Sign in to your Keycard account. This opens a browser for the OIDC sign-in flow and stores tokens securely in your system keyring.

keycard auth signin --zone <zone-id>

Check your current identity:

keycard auth whoami --zone <zone-id>

Sign out and remove stored tokens:

keycard auth signout --zone <zone-id>

Resource Authorization

Authorize access to one or more resources. If you don’t have an active session, this command initiates sign-in automatically.

keycard auth resource <url> [url...] --zone <zone-id>

Use this when a tool reports that resource access requires authorization.

Running Commands

Run a command inside a Keycard secure session. The session provisions just-in-time credentials and enforces policy on tool use.

keycard run --zone <zone-id> -- <command>

Specify a custom environment template with the -t flag:

keycard run --zone <zone-id> -t .env.template -- <command>

Inside a secure session, the environment variables KEYCARD_RUN=1 and KEYCARD_RUN_SESSION_ID are set automatically.

Credentials

Exchange a refresh token for an access token scoped to a resource URL:

keycard credential read <url> --zone <zone-id>

Configuration

Config file

The CLI loads configuration from a keycard.toml file in the current directory by default. Override the path with --config or the CLI_CONFIG environment variable.

[zone]
id = "your-zone-id"

[run]
template_file = ".env.template"

Commands

Command	Description
`keycard run`	Run a command in a Keycard secure session
`keycard auth signin`	Authenticate with your account
`keycard auth signout`	Remove local authentication tokens
`keycard auth whoami`	Identify the current account
`keycard auth resource`	Authorize access to resources
`keycard credential read`	Read a credential for a URL
`keycard version`	Show version info