REST API Reference

Create a new realm

List all realms

List available themes

Get a realm by name

Update a realm

Delete a realm

Partially update a realm

Send test SMTP email

Export a realm to JSON

Import a realm from JSON

Send a test email

Create a user in a realm

List users in a realm

Get a user by ID

Update a user

Delete a user

Partially update a user

List a user's consents

Get a user's consent history

Set a user password

Send or resend verification email to a user

List offline sessions for a user

Revoke an offline session

Create a client in a realm

List clients in a realm

Get a client by ID

Update a client

Delete a client

Partially update a client

Regenerate client secret

Get service account user for a client

Create a realm role

List realm roles

Get a realm role by name

Update a realm role

Partially update a realm role

Delete a realm role

Create a client role

List client roles

Assign realm roles to a user

List a user's realm roles

Remove realm roles from a user

Assign client roles to a user

List a user's client roles

Remove client roles from a user

Create a group

List all groups (tree structure)

Get group by ID

Update a group

Delete a group

List group members

Add user to group

Add user to group (Keycloak-compat)

Remove user from group

List user's groups

Get group role mappings

Assign roles to group

Remove roles from group

List all active sessions in the realm

List active sessions for a user

Revoke a specific session

Revoke all sessions for a user

Query login events

Clear login events

Query admin events

Export login events (CSV)

Export admin events (CSV)

List client scopes in a realm

Get a client scope

Create a client scope

Update a client scope

Delete a client scope

List protocol mappers for a client scope

Add a protocol mapper to a scope

Update a protocol mapper

Delete a protocol mapper

Get default scopes assigned to a client

Assign a default scope to a client

Remove a default scope from a client

Get optional scopes assigned to a client

Assign an optional scope to a client

Remove an optional scope from a client

Create an identity provider

List identity providers

Get identity provider by alias

Update identity provider

Delete identity provider

Create a user federation provider

List user federation providers

Get a user federation provider

Update a user federation provider

Delete a user federation provider

Test LDAP connection

Trigger full LDAP sync

Register a SAML service provider

List SAML service providers

Get a SAML service provider by ID

Update a SAML service provider

Delete a SAML service provider

Check if user has MFA enabled

Reset/disable MFA for a user

Delete a user's TOTP device

List locked users in a realm

Unlock a locked user

Unlock user (Keycloak-compat alias)

Admin login

Get current admin user info

Admin logout

Create an organization in a realm

List all organizations in a realm

Get an organization by slug

Update an organization

Delete an organization

List members of an organization

Add a user to an organization

Update a member's role

Remove a user from an organization

List invitations for an organization

Create an invitation to an organization

Accept an invitation

Initiate domain verification (issue DNS TXT challenge)

Verify domain ownership via DNS TXT lookup

List SSO connections for an organization

Create an SSO connection for an organization

Get a specific SSO connection

Update an SSO connection

Delete an SSO connection

Create a custom attribute definition for a realm

List custom attribute definitions for a realm

Bulk update custom attribute definitions

Get a custom attribute definition by ID

Update a custom attribute definition

Delete a custom attribute definition

Get attribute values for a user

Set attribute values for a user

Create an NHI identity in a realm

List NHI identities in a realm

Bulk register devices for fleet management

Generate a device certificate (self-signed)

Create a credential rotation policy

List credential rotation policies in a realm

Get a credential rotation policy by ID

Update a credential rotation policy

Delete a credential rotation policy

Get rotation status for a specific policy

Get aggregate rotation status summary

Query NHI audit logs

Clear NHI audit logs

Get an NHI identity by ID

Update an NHI identity

Delete an NHI identity

Suspend an NHI identity

Reactivate a suspended NHI identity

Decommission an NHI identity (irreversible)

Create a credential for an NHI identity

List credentials for an NHI identity

Revoke a credential

Rotate a credential (issue replacement, revoke old)

Set certificate for an NHI identity

Get usage statistics for an NHI identity

Create a service account in a realm

List service accounts in a realm

Get a service account by ID

Update a service account

Delete a service account

Create an API key for a service account

List API keys for a service account

Revoke an API key

Rotate an API key (issue replacement, revoke old)

Get usage metrics for a service account

Create a new SCIM provisioning token

Get all SCIM tokens for the realm

Get a specific SCIM token

Delete a SCIM token

Revoke a SCIM token

Enable a SCIM token

Disable a SCIM token

Get SCIM attribute mappings for the realm

Create a SCIM attribute mapping

Delete a SCIM attribute mapping

Get SCIM provisioning status for the realm

Create a webhook in a realm

List webhooks in a realm

Get a webhook by ID

Update a webhook

Partially update a webhook

Delete a webhook

Send a test event to the webhook

List delivery logs for a webhook

Get dashboard statistics for a realm

Get consent statistics for a realm

Register a new user

Verify email address with token

Resend email verification

Get enabled registration fields for a realm

Get pending registrations

Approve a pending registration

Reject a pending registration

Get all registration fields (admin)

Create a new registration field

Update a registration field

Delete a registration field

Start an admin-impersonation session for a user

End the current admin-impersonation session

Create a new theme

List all themes for a realm

List available built-in themes

Get a theme by ID

Update a theme

Delete a theme

Publish a theme

Get version history for a theme

Restore a theme to a specific version

Render a server-side theme preview

Upload theme assets (logos, favicons, etc.)

List all installed plugins

Get details for a specific plugin

Enable a plugin

Disable a plugin

Uninstall a plugin

Import from Keycloak realm export JSON

Import from Auth0 Management API export

Get server version metadata

Start an upgrade to a target version

Get the most recent upgrade status

Get upgrade history

Get upgrade audit entries for CLI

Get upgrade state by ID

Check if rollback is possible

Execute rollback to previous version

Run pre-upgrade validation checks

Run post-upgrade health checks

Check configuration compatibility for a version

Get wizard status and step information

Get current wizard state

Save admin account (Step 1)

Save realm settings (Step 2)

Save SMTP configuration (Step 3)

Test SMTP connection

Save client application (Step 4)

Mark SDK step as completed (Step 5)

Complete the wizard and finalize setup

Skip the wizard (for advanced users)

Reset wizard state

Create a new authentication flow for a realm

List all authentication flows for a realm

Get a single authentication flow by ID

Update an authentication flow

Delete an authentication flow

Assign a flow to a client

Seed default authentication flows

List recent risk assessments for a realm

Risk score distribution and anomaly trends

Get a single risk assessment by ID

Create a continuous risk policy in a realm

List all continuous risk policies in a realm

Get a single continuous risk policy by ID

Update a continuous risk policy

Delete a continuous risk policy

Enable or disable a continuous risk policy

Update the evaluation priority of a continuous risk policy

List session risk profiles for a realm

Session risk distribution and trends

Get the risk profile for a single session

Trigger an on-demand risk evaluation for a session

List recent continuous risk events for a realm

Continuous verification dashboard (events + score distribution)

Get a single continuous risk event by ID

List session risk profiles for a realm

Get the risk profile for a single session

Get device posture records for a session

Get network context records for a session

Get behavioral biometric samples for a user

Get continuous verification summary for a user

Record device posture from SDK client

Record behavioral biometric samples from SDK client

Record network context from SDK client

Create a policy

List policies

Get a policy

Update a policy

Delete a policy

Evaluate access against policies

Test a single policy

List consent categories

Create a consent category

Get a consent category

Update a consent category

Delete a consent category

List active categories for the consent portal

Create an audit stream

List audit streams

Get an audit stream

Update an audit stream

Delete an audit stream

Authorization endpoint (code flow)

End-session endpoint (GET)

Token endpoint (supports multiple grant types)

Token introspection (RFC 7662)

Token revocation (RFC 7009)

End session / logout

Get user info from access token

Backchannel logout (OIDC back-channel)