Keyward in five minutes
Keyward is a credential broker for AI agents and MCP servers. Instead of holding long-lived API keys in .env files, your agent asks Keyward at call time for a scoped, short-lived credential — bound to both the human who authorized the action and the agent acting. Every request, allowed or denied, lands in a tied audit log.
The core idea
An agent never holds a standing secret. When it needs to touch an upstream API it calls kw.get("stripe", "charges:read", "5m"). The broker verifies the end user's identity token, resolves the agent, checks policy, and mints a credential that expires in minutes and is scoped to exactly what was asked.
import { createClient } from "@keyward/sdk";
const kw = createClient({
controlPlaneUrl: process.env.KEYWARD_URL!,
token: endUserToken, // the human's identity token (OIDC)
agent: "invoice-bot", // this agent's registered id
});
const cred = await kw.get("stripe", "charges:read", "5m");
// cred.credential → short-lived, scoped, signed (RS256)
// cred.delegation → { user: "…", agent: "invoice-bot" }
The delegation chain
Every credential Keyward mints carries the OAuth 2.0 Token Exchange (RFC 8693) claim shape: sub is the human who delegated authority, act is the agent acting. Chains nest — user → orchestrator → sub-agent — and each extension is cryptographically bound to the exact prior credential, so an action is always traceable to the authorizing human and a chain can't be forged or spliced.
What's in the box
Where to go next
Quickstart gets a broker and a demo agent running end to end. SDK and API cover the developer surface. Security model explains the invariants; Self-hosting covers running the broker on your own infrastructure.