Keycloak comes with a fully functional Admin REST API with all features provided by the Admin Console.

To invoke the API you need to obtain an access token with the appropriate permissions. The required permissions are described in Server Administration.

A token can be obtained by enabling authenticating to your application with Keycloak; see the Securing Applications and Services Guide. You can also use direct access grant to obtain an access token.

For complete documentation see API Documentation.

Example using CURL

Obtain access token for user in the realm master with username admin and password password:

curl \
  -d "client_id=admin-cli" \
  -d "username=admin" \
  -d "password=password" \
  -d "grant_type=password" \
By default this token expires in 1 minute

The result will be a JSON document. To invoke the API you need to extract the value of the access_token property. You can then invoke the API by including the value in the Authorization header of requests to the API.

The following example shows how to get the details of the master realm:

curl \
  -H "Authorization: bearer eyJhbGciOiJSUz..." \

Example using Java

There’s a Java client library for the Admin REST API that makes it easy to use from Java. To use it from your application add a dependency on the keycloak-admin-client library.

The following example shows how to use the Java client library to get the details of the master realm:

import org.keycloak.admin.client.Keycloak;
import org.keycloak.representations.idm.RealmRepresentation;

Keycloak keycloak = Keycloak.getInstance(
RealmRepresentation realm = keycloak.realm("master").toRepresentation();

Complete Javadoc for the admin client is available at API Documentation.