📘 Keycloak API Quick Reference Guide

    🎬 API Endpoint Hosted
            https://{keycloak-server}

    🛠️ API Endpoint Localhost:
            http://localhost:8080
                

The Keycloak CRUD API Quick Reference is designed to simplify the process of managing Keycloak resources by providing developers with a straightforward and easily accessible reference for performing Create, Read, Update, and Delete (CRUD) operations. Navigating the official Keycloak documentation can be challenging, so this quick reference serves as a practical tool to streamline your workflow, offering clear API endpoints and example requests to efficiently interact with Keycloak's powerful identity and access management features.

For more APIs, please refer to the official Keycloak Admin REST API documentation.

Compatible with the latest version of Keycloak, 26.0.7.

Keycloak Client Authentication


curl -X POST http://localhost:8080/realms/${realm}/protocol/openid-connect/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=${client_id}" \
  -d "client_secret=${client_secret}"
                

Obtain client access token via the OpenID Connect protocol:
http://localhost:8080/realms/{realm}/protocol/openid-connect/token




Status: 200 OK
Response: {
  "access_token": "eyJhbGciOi....wia2lkIiA6ICJ5ZUkwT0Rmc2",
  "expires_in": 300,
  "refresh_expires_in": 0,
  "token_type": "Bearer",
  "not-before-policy": 0,
  "scope": "email profile"
}
                

Headers

Field Type Description
Content-Type String Required. application/x-www-form-urlencoded.

Request Body

Field Type Description
grant_type String Required. The type of grant being requested. For this API, it must be client_credentials.
client_id String Required. The unique identifier of the client registered in Keycloak.
client_secret String Required. The secret key associated with the client for authentication.

Keycloak Client Auth Revocation


curl -X POST http://localhost:8080/realms/${realm}/protocol/openid-connect/revoke \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "token=${client_token}" \
  -d "client_id=${client_id}" \
  -d "client_secret=${client_secret}"
                

Revokes an access token or refresh token:
http://localhost:8080/realms/{realm}/protocol/openid-connect/revoke




Status: 200 OK
Response: No Content
                

Headers

Field Type Description
Content-Type String application/x-www-form-urlencoded.

Request Body

Field Type Description
token String Required. The token to be revoked.
client_id String Required. The unique identifier of the client registered in Keycloak.
client_secret String Required. The secret key associated with the client for authentication.
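
The token and revocation requests above pass each field with -d, which sends the value unencoded (a secret containing & or + corrupts the body) and places it on curl's command line, where it can show up in the process list. The script below is an added example, not part of the original reference: it percent-encodes every field and feeds the body to curl on stdin. The KC_URL, KC_REALM, KC_CLIENT_ID and KC_CLIENT_SECRET variable names and all function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). Assumed env vars:
# KC_URL, KC_REALM, KC_CLIENT_ID, KC_CLIENT_SECRET.

# Percent-encode every byte outside the RFC 3986 unreserved set.
urlencode() {
  printf '%s' "$1" | od -An -v -tx1 | tr -s ' ' '\n' | while read -r h; do
    [ -n "$h" ] || continue
    case "$h" in
      2d|2e|5f|7e|3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a])
        printf "\\$(printf '%03o' "0x$h")" ;;   # unreserved: emit as-is
      *) printf '%%%s' "$h" | tr 'a-f' 'A-F' ;;  # everything else: %XX
    esac
  done
}

# Form body for the client_credentials request, each value encoded.
token_body() {
  printf 'grant_type=client_credentials&client_id=%s&client_secret=%s' \
    "$(urlencode "$1")" "$(urlencode "$2")"
}

# Form body for the revoke request.
revoke_body() {
  printf 'token=%s&client_id=%s&client_secret=%s' \
    "$(urlencode "$1")" "$(urlencode "$2")" "$(urlencode "$3")"
}

# Extract access_token from the JSON response (a JWT contains no quotes).
extract_access_token() {
  sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# POST a form body read from stdin, so secrets never appear in curl's argv.
# --fail makes an HTTP 4xx/5xx a non-zero exit instead of a silent success.
post_form() {
  curl --silent --show-error --fail \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data @- "${KC_URL}/realms/${KC_REALM}/protocol/openid-connect/$1"
}

get_token() {
  token_body "$KC_CLIENT_ID" "$KC_CLIENT_SECRET" | post_form token |
    extract_access_token
}

revoke_token() {
  revoke_body "$1" "$KC_CLIENT_ID" "$KC_CLIENT_SECRET" | post_form revoke
}
```

With the four variables exported, `token=$(get_token)` obtains a token and `revoke_token "$token"` revokes it.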

Create Keycloak User


curl -X POST \
  http://localhost:8080/admin/realms/${realm}/users \
  -H "Authorization: Bearer ${access_token}" \
  -H "Content-Type: application/json" \
  -d '{
    "username": "newuser",
    "email": "newuser@example.com",
    "firstName": "New",
    "lastName": "User",
    "enabled": true,
    "emailVerified": true,
    "attributes": {
      "locale": ["en"]
    },
    "credentials": [
      {
        "type": "password",
        "value": "securepassword",
        "temporary": false
      }
    ]
  }'
              

Create user on keycloak:
http://localhost:8080/admin/realms/{realm}/users




Status: 201 CREATED
Response: No Content
              

Headers

Field Type Description
Authorization String Required. Bearer token obtained using the client JWT.
Content-Type String application/json.

Authenticate Keycloak User


curl -X POST \
  http://localhost:8080/realms/${realm}/protocol/openid-connect/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=password" \
  -d "client_id=${client_id}" \
  -d "client_secret=${client_secret}" \
  -d "username=${username}" \
  -d "password=${password}"
              

Authenticate User using username and password:
http://localhost:8080/realms/{realm}/protocol/openid-connect/token




Status: 200 OK
Response: {
  "access_token": "eyJhbGciOi....",
  "expires_in": 300,
  "refresh_expires_in": 1800,
  "refresh_token": "eyJhbGciOi....",
  "token_type": "Bearer",
  "not-before-policy": 0,
  "session_state": "12345-abcde-67890",
  "scope": "email profile"
}
              

Headers

Field Type Description
Content-Type String Required. application/x-www-form-urlencoded.

Request Body

Field Type Description
grant_type String Required. Must be password for this flow.
client_id String Required. The unique identifier of the client registered in Keycloak.
client_secret String Required. The secret key associated with the client for authentication.
username String Required. The username of the user trying to authenticate.
password String Required. The password of the user trying to authenticate.

Get Keycloak User


curl -X GET \
  http://localhost:8080/admin/realms/${realm}/users/${user_id} \
  -H "Authorization: Bearer ${access_token}" \
  -H "Content-Type: application/json"
              

Get user from keycloak:
http://localhost:8080/admin/realms/{realm}/users/{user_id}




Status: 200 OK
Response: {
    "id": "a42c2e0e-bc82-4297-9b21-e8a4d3c651a0",
    "username": "newuser",
    "firstName": "New",
    "lastName": "User",
    "email": "newuser@example.com",
    "emailVerified": false,
    "createdTimestamp": 1735045474718,
    "enabled": true,
    "totp": false,
    "disableableCredentialTypes": [],
    "requiredActions": [],
    "notBefore": 0,
    "access": {
      "manageGroupMembership": true,
      "view": true,
      "mapRoles": true,
      "impersonate": false,
      "manage": true
    }
}
              

Headers

Field Type Description
Authorization String Required. Bearer token obtained using the client JWT.
Content-Type String application/json.

Parameters

Field Type Description
realm String Required. The name of the realm where the user is located.
user_id String Required. The unique identifier of the user whose details you want to retrieve.

Find Keycloak User


curl -X GET \
  "http://localhost:8080/admin/realms/${realm}/users?username=${username}" \
  -H "Authorization: Bearer ${access_token}" \
  -H "Content-Type: application/json"
              

Find user from keycloak using username:
http://localhost:8080/admin/realms/{realm}/users?username={username}




Status: 200 OK
Response: [
{
  "id": "a42c2e0e-bc82-4297-9b21-e8a4d3c651a0",
  "username": "newuser",
  "firstName": "New",
  "lastName": "User",
  "email": "newuser@example.com",
  "emailVerified": false,
  "createdTimestamp": 1735045474718,
  "enabled": true,
  "totp": false,
  "disableableCredentialTypes": [],
  "requiredActions": [],
  "notBefore": 0,
  "access": {
    "manageGroupMembership": true,
    "view": true,
    "mapRoles": true,
    "impersonate": false,
    "manage": true
  }
}
]
              

Headers

Field Type Description
Authorization String Required. Bearer token obtained using the client JWT.
Content-Type String application/json.

Parameters

Field Type Description
realm String Required. The name of the realm where the user is located.
username String Required. The username of the user whose details you want to retrieve.

Delete Keycloak User


curl -X DELETE \
  http://localhost:8080/admin/realms/${realm}/users/${user_id} \
  -H "Authorization: Bearer ${access_token}" \
  -H "Content-Type: application/json"
              

Delete user from keycloak:
http://localhost:8080/admin/realms/{realm}/users/{user_id}




Status: 204 No Content
Response: No Content
              

Headers

Field Type Description
Authorization String Required. Bearer token obtained using the client JWT.
Content-Type String application/json.

Parameters

Field Type Description
realm String Required. The name of the realm where the user is located.
user_id String Required. The unique identifier of the user you want to delete.

Send Emails to Keycloak User


curl -X PUT \
  http://localhost:8080/admin/realms/${realm}/users/${user_id}/execute-actions-email \
  -H "Authorization: Bearer ${access_token}" \
  -H "Content-Type: application/json" \
  -d "[\"${action}\"]"
              

Send an email to the user with a link they can click to execute particular actions:
http://localhost:8080/admin/realms/{realm}/users/{user_id}/execute-actions-email




Status: 204 No Content
Response: No Content
              

Headers

Field Type Description
Authorization String Required. Bearer token obtained using the client JWT.
Content-Type String application/json.

Parameters

Field Type Description
realm String Required. The name of the realm where the user is located.
user_id String Required. The unique identifier of the user who should receive the email.

Request Body

Field Type Description
action String Required. A list of actions to include in the email, such as ["VERIFY_EMAIL"], ["UPDATE_PASSWORD"], ["CONFIGURE_TOTP"], ["UPDATE_PROFILE"], ["TERMS_AND_CONDITIONS"].