diff --git a/src/pages/sdk/foundry/index.mdx b/src/pages/sdk/foundry/index.mdx
index 18c284e..73cb2e9 100644
--- a/src/pages/sdk/foundry/index.mdx
+++ b/src/pages/sdk/foundry/index.mdx
@@ -315,4 +315,74 @@ The following flags are available for `cast` and `forge script` for Tempo-specif
 
 Ledger and Trezor wallets are not yet compatible with any `--tempo.*` option.
 
+## cast keychain
+
+`cast keychain` provides a CLI interface to Tempo's [Account Keychain precompile](/protocol/transactions/AccountKeychain).
+
+:::info
+`cast keychain` only works on Tempo networks.
+:::
+
+```bash
+# Authorize a new access key (signature types: secp256k1, p256, webauthn; expiry 0 = never):
+cast keychain authorize <KEY_ID> secp256k1 0 \
+  --rpc-url $TEMPO_RPC_URL \
+  --private-key $PRIVATE_KEY
+
+# Authorize with a spending limit (TOKEN:AMOUNT or TOKEN:AMOUNT:PERIOD_SECONDS):
+cast keychain authorize <KEY_ID> secp256k1 0 \
+  --limit <TOKEN_ADDRESS>:1000000 \
+  --rpc-url $TEMPO_RPC_URL \
+  --private-key $PRIVATE_KEY
+
+# Authorize with call scopes (restrict to specific contracts/functions):
+cast keychain authorize <KEY_ID> secp256k1 0 \
+  --scope <TOKEN_ADDRESS>:transfer,approve \
+  --rpc-url $TEMPO_RPC_URL \
+  --private-key $PRIVATE_KEY
+
+# Authorize with call scope restricted to a specific recipient:
+cast keychain authorize <KEY_ID> secp256k1 0 \
+  --scope <TOKEN_ADDRESS>:transfer@<RECIPIENT_ADDRESS> \
+  --rpc-url $TEMPO_RPC_URL \
+  --private-key $PRIVATE_KEY
+
+# Full example: 24h expiry + spending limit + call scope:
+EXPIRY=$(($(date +%s) + 86400))
+cast keychain authorize <KEY_ID> secp256k1 $EXPIRY \
+  --limit <TOKEN_ADDRESS>:1000000 \
+  --scope <TOKEN_ADDRESS>:transfer \
+  --rpc-url $TEMPO_RPC_URL \
+  --private-key $PRIVATE_KEY
+
+# Revoke an access key (permanent, cannot be re-authorized):
+cast keychain revoke <KEY_ID> \
+  --rpc-url $TEMPO_RPC_URL \
+  --private-key $PRIVATE_KEY
+
+# Update spending limit for a key-token pair:
+cast keychain update-limit <KEY_ID> <TOKEN_ADDRESS> <NEW_LIMIT> \
+  --rpc-url $TEMPO_RPC_URL \
+  --private-key $PRIVATE_KEY
+
+# Replace all call scopes for a key:
+cast keychain set-scope <KEY_ID> \
+  --scope <TOKEN_ADDRESS>:transfer \
+  --scope <CONTRACT_ADDRESS> \
+  --rpc-url $TEMPO_RPC_URL \
+  --private-key $PRIVATE_KEY
+
+# Remove a target contract from allowed call list:
+cast keychain remove-scope <KEY_ID> <TARGET_ADDRESS> \
+  --rpc-url $TEMPO_RPC_URL \
+  --private-key $PRIVATE_KEY
+
+# Query key info (read-only):
+cast keychain key-info <ACCOUNT> <KEY_ID> \
+  --rpc-url $TEMPO_RPC_URL
+
+# Query remaining spending limit:
+cast keychain remaining-limit <ACCOUNT> <KEY_ID> <TOKEN_ADDRESS> \
+  --rpc-url $TEMPO_RPC_URL
+```