Skip to content
[ Closed beta · admitting teams in batches of 50 ]

The token layer for zero-trust systems.

KeyTrace issues short-lived tokens, rotates them automatically, and revokes any session everywhere in under a second. One identity authority for every service you run — OIDC-native, PKCE by default.

No credit card. Invite-only while we're in closed beta.

token · decoded
access_token · RS256
eyJhbGciOiJSUzI1NiIsImtpZCI6… . eyJpc3MiOiJodHRwczovL2F1dGg… . SflKxwRJSMeKKF2QT4…
Header
{
"alg": "RS256",
"kid": "k9x1p3-2026-03",
"typ": "at+jwt"
}
Payload
{
"iss": "https://auth.keytrace.net",
"realm": "k9x1p3",
"sub": "svc_ledger",
"scope": "token:issue",
"iat": 1711480551,
"exp": 1711480851expires in 5m
}
Signature verified against JWKS · /.well-known/jwks.json
1.2B
tokens issued this quarter
4,100
realms live
<800ms
p99 revocation propagation
99.99%
validation uptime
OIDC Certified OAuth 2.1 PKCE by default SOC 2 — in progress

Standards-native. Nothing proprietary sits in your token path.

Why this exists

Auth used to be a table. Distributed systems broke it.

One database, one sessions row, one cookie. That model quietly broke the moment a single request started fanning out across a dozen services — each needing to answer is this caller who they say they are, and are they still allowed? without a round-trip on every hop.

The bearer token is the right primitive, but it created two problems most teams never fully solve: tokens don't die well, and revocation is a lie. A stolen token stays valid until it expires — so teams set long expiries — and a stateless token you don't check against a database is a token you can't un-issue. KeyTrace is the fast, global authority that closes both gaps.

Long-lived keys

Expiries in hours or days turn a leaked token into a skeleton key.

Revocation theater

You "rotated the key," but which services stopped honoring the old one?

Six validators, one bug

Every service reimplements JWT verification. The sixth one is wrong.

Capabilities

Everything after the login box.

Most auth products stop at sign-in. KeyTrace owns the token's whole life — issue, validate, rotate, revoke — with the latency and revocation guarantees the hot path demands.

Kill a session everywhere in under a second

Revoke a token, a user, or an entire realm. Every edge validator honors it within one propagation cycle — under 800 ms p99 — with a signed record that it happened.

Tokens that expire before they leak

5-minute TTLs with transparent refresh rotation. Long-lived keys become a choice you make on purpose.

TTL 300s

Sub-millisecond verification

Stateless JWT verification against published JWKS runs at the edge. The revocation check adds under a millisecond.

OIDC and OAuth 2.1, done right

Certified flows, PKCE enforced by default, JWKS rotation, RFC 7009 revocation, RFC 8693 token exchange.

Every environment is a sealed realm

Each realm has its own signing keys, policies, and audit stream. Blast radius stops at the realm boundary.

A tamper-evident record of every credential

Every issuance, rotation, and revocation lands in an append-only, signed audit stream. Answer "which tokens were live at 03:14 UTC" without spelunking service logs.

03:14:02Z issue sub=svc_ledger req=req_a91f…
03:16:31Z rotate kid=k9x1p3-2026-03 req=req_b02c…
03:19:48Z revoke sub=svc_ledger req=req_c7d0…
Lifecycle

The life of a token, in four moves.

1

Issue

Your service calls the token endpoint with its client_id / client_secret (PKCE for public clients). KeyTrace mints a 5-minute RS256 access token scoped to a realm.

2

Validate

Any service verifies the token locally against KeyTrace's JWKS — no round-trip — then a sub-millisecond revocation check confirms it's still live.

3

Rotate

Refresh tokens rotate on every use. Keys roll on schedule via kid; old tokens verify until they expire, new ones sign immediately.

4

Revoke

One call to /revoke invalidates a token, a subject, or a whole realm. Every edge honors it in under 800 ms — provably.

The API

A token endpoint you can reason about.

POST /v2/realm/k9x1p3/token/
$ curl -X POST https://auth.keytrace.net/v2/realm/k9x1p3/token/ \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "client_credentials",
    "client_id": "$KEYTRACE_CLIENT_ID",
    "client_secret": "$KEYTRACE_CLIENT_SECRET",
    "scope": "token:issue"
  }'
200 OK
{
  "access_token": "eyJhbGciOiJSUzI1NiI…",
  "token_type": "Bearer",
  "expires_in": 300,
  "realm": "k9x1p3"
}
$KEYTRACE_CLIENT_ID is issued when your realm is provisioned — during closed beta, on approval. Request access →
GET https://auth.keytrace.net/ 401 Unauthorized

Unauthenticated? You get a clean JSON envelope — not an HTML error page:

{
  "error": "UNAUTHENTICATED",
  "code": 401,
  "realm": null,
  "hint": "A valid client_id and client_secret
          are required. See
          https://www.keytrace.net/docs",
  "request_id": "req_0000000000000",
  "ts": "2026-03-26T19:35:51.004Z"
}
Every response carries a request_id for support correlation. Full envelope in the docs.
From the beta

Teams that stopped building this themselves.

"We deleted three homegrown JWT middlewares the week we moved to KeyTrace. Revocation that actually works was the thing we couldn't build ourselves."
— Staff Platform Engineer, Series-B fintech
"Five-minute tokens sounded painful until rotation made it invisible. Our leaked-credential blast radius went from 'a week' to 'five minutes.'"
— Head of Application Security, healthcare SaaS
"The docs are the pitch. Correct OAuth 2.1 and PKCE defaults meant our audit conversation got a lot shorter."
— Principal Engineer, infrastructure startup
Pricing

Start on Developer. Grow into a realm per team.

Pricing is finalized as teams leave closed beta. Beta access is free while it lasts.

Developer

$0

For prototypes and side projects.

Request access
  • 1 realm
  • Up to 10K token issuances / mo
  • 5-minute default TTL
  • JWKS + revocation API
  • Community support
Most teams start here

Team

$290/mo

For production teams.

Request access
  • 10 realms
  • 5M issuances / mo
  • Sub-second revocation SLA
  • Audit stream export
  • RFC 8693 token exchange
  • Email support

Enterprise

Custom

For regulated and high-volume estates.

Contact us
  • Unlimited realms
  • Dedicated edge capacity
  • Custom TTL / rotation policy
  • Dashboard SSO
  • SOC 2 report
  • Priority support + SLA

All beta plans are invite-only. Prices shown are indicative and lock when your batch is admitted.

Get access

We're onboarding slowly, on purpose.

KeyTrace sits in the authentication path of everything you run, so every beta team gets a hands-on setup review before their realm goes live. Approvals go out roughly every other week, in batches of 50, in the order applications were received.

Join the KeyTrace closed beta

Tell us where tokens hurt today. We'll review for security & fit.

We admit teams in batches of 50 after a short security & fit review. No timeline is promised.

Book a beta onboarding call

Onboarding calls open to teams in the current approval batch.

March 2026
S
M
T
W
T
F
S
No times available.

Onboarding calls open to teams in the current approval batch. Once your batch is admitted, this calendar will show times reserved for your realm.

Prefer email? beta@keytrace.net