1. Create your account
Install the admin CLI and log in — your account is created on first login, verified by magic link:
2. Create an OAuth client
acs_, shown once). Pin both in your app’s environment, server-side only:
--name is what users see on the consent screen.
The client is created in your CLI’s current mode: sandbox (the default — its users get test cards) or production (live cards, requires an active subscription). Switch with agent-cards-admin env production before creating a production client. See Production.
Building a mobile app, SPA, or distributed CLI that can’t keep a secret? Add --public for a PKCE-only client with no secret. PKCE is enforced for every client either way.
3. Implement OAuth for your users
Your app needs three small pieces — the full flow, with a diagram and every request, is on the OAuth page:
- A connect route — when a user hits “Connect with Agentcard”, generate a PKCE verifier + state, store them for that user, and redirect to Agentcard’s /authorize.
- A callback route — Agentcard redirects back with a code; exchange it (plus the verifier and your client secret) at /token and store the tokens keyed to your user. This route must be publicly reachable — use a tunnel in local dev.
- Token refresh — when a call returns 401, refresh once and retry. Each refresh rotates the refresh token, so persist the new one.
4. Make authenticated requests
Call the MCP server with each user’s access token and expose the tools it advertises to your agent:
tools/list returns dynamically rather than hardcoding names — tools Agentcard adds later then work with zero code change. Details in the MCP overview.
5. Verify in sandbox
Ask your agent to create a card for a connected test user, then confirm it independently with list_cards. A brand-new client seeing zero pre-existing cards is expected — connections only see the cards they created. When you’re ready to go live, agent-cards-admin subscribe activates your org and mints production keys.