The token layer for
zero-trust systems.
KeyTrace issues short-lived tokens, rotates them automatically, and revokes any session everywhere in under a second. One identity authority for every service you run — OIDC-native, PKCE by default.
No credit card. Invite-only while we're in closed beta.
Standards-native. Nothing proprietary sits in your token path.
Auth used to be a table. Distributed systems broke it.
One database, one sessions row, one cookie. That model quietly broke the moment a single request started fanning out across a dozen services — each needing to answer is this caller who they say they are, and are they still allowed? without a round-trip on every hop.
The bearer token is the right primitive, but it created two problems most teams never fully solve: tokens don't die well, and revocation is a lie. A stolen token stays valid until it expires — so teams set long expiries — and a stateless token you don't check against a database is a token you can't un-issue. KeyTrace is the fast, global authority that closes both gaps.
Long-lived keys
Expiries in hours or days turn a leaked token into a skeleton key.
Revocation theater
You "rotated the key," but which services stopped honoring the old one?
Six validators, one bug
Every service reimplements JWT verification. The sixth one is wrong.
Everything after the login box.
Most auth products stop at sign-in. KeyTrace owns the token's whole life — issue, validate, rotate, revoke — with the latency and revocation guarantees the hot path demands.
Kill a session everywhere in under a second
Revoke a token, a user, or an entire realm. Every edge validator honors it within one propagation cycle — under 800 ms p99 — with a signed record that it happened.
Tokens that expire before they leak
5-minute TTLs with transparent refresh rotation. Long-lived keys become a choice you make on purpose.
TTL 300sSub-millisecond verification
Stateless JWT verification against published JWKS runs at the edge. The revocation check adds under a millisecond.
OIDC and OAuth 2.1, done right
Certified flows, PKCE enforced by default, JWKS rotation, RFC 7009 revocation, RFC 8693 token exchange.
Every environment is a sealed realm
Each realm has its own signing keys, policies, and audit stream. Blast radius stops at the realm boundary.
A tamper-evident record of every credential
Every issuance, rotation, and revocation lands in an append-only, signed audit stream. Answer "which tokens were live at 03:14 UTC" without spelunking service logs.
The life of a token, in four moves.
Issue
Your service calls the token endpoint with its client_id / client_secret (PKCE for public clients). KeyTrace mints a 5-minute RS256 access token scoped to a realm.
Validate
Any service verifies the token locally against KeyTrace's JWKS — no round-trip — then a sub-millisecond revocation check confirms it's still live.
Rotate
Refresh tokens rotate on every use. Keys roll on schedule via kid; old tokens verify until they expire, new ones sign immediately.
Revoke
One call to /revoke invalidates a token, a subject, or a whole realm. Every edge honors it in under 800 ms — provably.
A token endpoint you can reason about.
$ curl -X POST https://auth.keytrace.net/v2/realm/k9x1p3/token/ \ -H "Content-Type: application/json" \ -d '{ "grant_type": "client_credentials", "client_id": "$KEYTRACE_CLIENT_ID", "client_secret": "$KEYTRACE_CLIENT_SECRET", "scope": "token:issue" }'
{ "access_token": "eyJhbGciOiJSUzI1NiI…", "token_type": "Bearer", "expires_in": 300, "realm": "k9x1p3" }
$KEYTRACE_CLIENT_ID is issued when your realm is provisioned — during closed beta, on approval. Request access →
Unauthenticated? You get a clean JSON envelope — not an HTML error page:
{ "error": "UNAUTHENTICATED", "code": 401, "realm": null, "hint": "A valid client_id and client_secret are required. See https://www.keytrace.net/docs", "request_id": "req_0000000000000", "ts": "2026-03-26T19:35:51.004Z" }
request_id for support correlation. Full envelope in the docs.
Teams that stopped building this themselves.
"We deleted three homegrown JWT middlewares the week we moved to KeyTrace. Revocation that actually works was the thing we couldn't build ourselves."
"Five-minute tokens sounded painful until rotation made it invisible. Our leaked-credential blast radius went from 'a week' to 'five minutes.'"
"The docs are the pitch. Correct OAuth 2.1 and PKCE defaults meant our audit conversation got a lot shorter."
Start on Developer. Grow into a realm per team.
Pricing is finalized as teams leave closed beta. Beta access is free while it lasts.
Developer
For prototypes and side projects.
Request access- ✓ 1 realm
- ✓ Up to 10K token issuances / mo
- ✓ 5-minute default TTL
- ✓ JWKS + revocation API
- ✓ Community support
Team
For production teams.
Request access- ✓ 10 realms
- ✓ 5M issuances / mo
- ✓ Sub-second revocation SLA
- ✓ Audit stream export
- ✓ RFC 8693 token exchange
- ✓ Email support
Enterprise
For regulated and high-volume estates.
Contact us- ✓ Unlimited realms
- ✓ Dedicated edge capacity
- ✓ Custom TTL / rotation policy
- ✓ Dashboard SSO
- ✓ SOC 2 report
- ✓ Priority support + SLA
All beta plans are invite-only. Prices shown are indicative and lock when your batch is admitted.
We're onboarding slowly, on purpose.
KeyTrace sits in the authentication path of everything you run, so every beta team gets a hands-on setup review before their realm goes live. Approvals go out roughly every other week, in batches of 50, in the order applications were received.
Join the KeyTrace closed beta
Tell us where tokens hurt today. We'll review for security & fit.
You're on the list.
We admit teams in batches of 50 after a short security & fit review. You'll hear from us at your email when your batch is up.
Book a beta onboarding call
Onboarding calls open to teams in the current approval batch.
Onboarding calls open to teams in the current approval batch. Once your batch is admitted, this calendar will show times reserved for your realm.
Prefer email? [email protected]