Keycard

When one agent calls another to query Snowflake, either the calling agent passes down its own broad credentials or the downstream agent already has pre-existing access to the database. Nothing is scoped to the task, nothing expires with the session, and there's no way to tell which agent did what, on whose behalf, or why. Today we're launching Keycard for Multi-Agent Apps. The missing piece was delegation: the ability to scope access across users, agents, and applications, and have that hold across every hop. When a user or agent starts a task, Keycard creates a session. As agents delegate to other agents or call applications, Keycard issues scoped credentials via RFC 8693 token exchange, narrowing permissions at each handoff. Credentials live in memory, never touch disk, and expire when the session closes. The same model handles every interaction: user to agent, agent to agent, agent to application, and agent to legacy systems. Adding delegated auth takes a few lines of code with our TypeScript and Python SDKs, with out-of-the-box support for LangChain, MCP, A2A, and any API. Deploy to Vercel, Cloudflare, Fly.io, AWS, GCP, or Azure with no secrets on disk. Sessions defined auth for web apps. IAM defined it for cloud. For agents, it's delegated cross-app auth. Full write-up with code examples and architecture below 👇 #AgenticSecurity #AIAgents #MultiAgentApps #DevSecOps

Andreessen Horowitz is hosting a Security & AI Demo Day on May 21 in San Francisco. Patti Degnan and Joel de la Garza kick things off with a fireside chat, then five portfolio companies demo live: Keycard, Socket, Cotool, CYGNVS, and Doppel. Stick around for the cocktail reception after. Always a good time to connect with folks building in this space. May 21, 4:00 PM, 180 Townsend St, SF. Registration link below 👇 #AgenticSecurity #AIAgents

You're building an agent and you need to secure it. You open ten browser tabs. Every tab looks like the answer, but they're all solving different problems. Kim Maida mapped the four layers of the agent security stack, what each one actually does, and which one is the most under-built right now 👇

Founders You Should Know is hosting a startup showcase on May 20 in San Francisco, and our co-founder Ian Livingstone will be presenting about Keycard. FYSK brings together some of the fastest-growing startups in a punchy 60-minute showcase format. The event is co-hosted with Rippling and DigitalOcean. If you're a FYSK community member, come grab a drink and hear what we're building for agent identity and access. If you're not a member yet, you can apply at foundersysk.com. May 20, 5:30 PM, San Francisco. Registration link below 👇 #Startups #AIAgents #AgenticSecurity

You have a coding agent that needs API access, so you paste a static key into a .𝚎𝚗𝚟 file. You tell the agent to read from the API and relay the results. The agent reads the data, finds an inconsistency, and helpfully writes a fix you didn't ask for. The root problem isn't just the overprivileged credential. It's that nothing checks whether this action, by this agent, this time, should be allowed. An open standard called OAuth 2.0 Token Exchange (RFC 8693) has existed since 2020, and microservices teams have been using it for years. The pattern maps directly to agents: the agent exchanges its proof of authorization for an ephemeral token scoped to one resource, one set of permissions, and one task. When the task is done, the token is gone. There's no standing access between calls. For delegated agents, the token carries both identities: the user who authorized the action and the agent executing it. GitHub sees "the coding agent is pushing code on behalf of Kim." For autonomous agents, the agent authenticates as itself. Both patterns use the same underlying spec. Kim Maida wrote up how RFC 8693 works for agent authorization, including decoded JWTs, the token exchange request flow, and what the spec doesn't cover (policy, lifecycle, governance) 👇 #AgenticSecurity #OAuth #DevSecOps #AIAgents

Every team building internal AI is reinventing the credential broker. Browserbase routes secrets through a serverless integration proxy. Cloudflare wrote a Worker that injects server-side keys at the gateway. The code is different but the questions are the same: who is making this call, what are they allowed to do, and how does that survive when the call gets delegated? We're on stage 5/14 with Sentry, Browserbase, and Cloudflare at AI Council comparing notes. RSVP details in the comments 👇 #AgenticSecurity #AIAgents #IdentityManagement #DevSecOps

CB Insights just named Keycard to its 2026 AI 100, their annual list of the 100 most promising private AI companies. Agents reason through tasks, call APIs, access sensitive data, and take actions across systems autonomously. The identity and access infrastructure built for humans was never designed for actors like this. Keycard identifies agents, enforces task-scoped access at runtime, and provides a complete audit trail of every action, so organizations can adopt agents like Claude Code, Cursor, Codex, and OpenClaw without losing control. Since launching, we've shipped Keycard for Coding Agents (runtime governance with a single command: 𝚔𝚎𝚢𝚌𝚊𝚛𝚍 𝚛𝚞𝚗), acquired Runebook to bring MCP-powered agents into the enterprise, and acquired Anchor.dev to bring hardware-attested device identity into agent workflows. Thanks to the CB Insights team for the recognition, and to everyone building with us. Full announcement below 👇 #AI100 #AgenticSecurity #AIAgents #CBInsights

The Vercel breach didn't happen because OAuth failed. It happened because OAuth 2.0 did exactly what it was designed to do. A user authorized a third-party app. The app got a bearer token. Google Workspace honored it. Every step was compliant. OAuth was designed in 2012 to stop apps from storing passwords. But now, the "app" could be an AI vendor holding tokens for hundreds of organizations, with broad scopes (narrow scopes limit usefulness) and long lifetimes (vendors need persistent access). A single refresh token scoped to "allow all" mints fresh access tokens indefinitely. The attacker compromised Context, stole those tokens, and walked into a Vercel employee's Google Workspace. The structural fix is upstream: stop issuing credentials that outlive the work they were granted for. Full technical breakdown in comments 👇 #cybersecurity #OAuth #SupplyChainSecurity #AIAgents

Enterprise security infrastructure was built for a world where humans made every decision. AI agents don't work that way. They reason through tasks, call APIs, access sensitive data, and take actions across organizational boundaries, all without a human in the loop. The identity systems governing this were designed for human behavior. Agents inherit full user privileges by default, operate non-deterministically, and leave security teams with no visibility into what actions were taken, on whose behalf, or with what authority. Keycard CEO Ian Livingstone sat down with TFiR to talk through why this gap exists and what a purpose-built identity model for autonomous agents looks like: execution-time access control, agent identity as a new category (not human, not traditional workload, but a hybrid scoped dynamically per task), and why consent fatigue is a real production risk when agents prompt humans to approve every tool call. Full episode below 👇 #AgenticSecurity #AIAgents #IdentityManagement #EnterpriseSecurity

The identity and access models companies rely on were built for humans clicking buttons. Agents don't click buttons. They write code, request permissions, cross system boundaries, and spawn by the thousands, often with delegated authority no one explicitly signed off on. That gap between how security works today and how agents actually operate is what the AI Security & Safety track at AI Council is about. Our co-founder Ian Livingstone curated the track to bring together the people working on this problem from different angles: - Feross Aboukhadijeh (Socket): "The Agent Attack Surface: Why AI Is Breaking Software Security As We Know It" - Diana Kelley (Noma Security): "Agentic AI: From Risk Awareness to Practical Control" - Jared Hanson (Keycard): "Identity Is the Bottleneck: Why Agents Force a New Security Model" - Heather Ceylan (Box) + Diana Kelley + Feross Aboukhadijeh: "Enabling Highly Autonomous Trusted Agents" (Panel) May 12-14, Marriott Marquis, San Francisco. Registration link below 👇 #AICouncil #AgenticSecurity #AIAgents