generated: '2026-07-15' method: generated source: openapi/keycloak-admin-rest-api-openapi.yml description: Recommended x-agentic-access execution contracts, classified heuristically from the OpenAPI. A governance starting point for exposing this API to AI agents — review and bind audience per deployment. See research/curity/agentic-governance/. summary: operations: 40 by_action_class: connected: 16 acting: 24 by_consequence: read: 16 write: 23 safety-critical: 1 human_in_the_loop_required: 1 operations: - path: / method: get operationId: getRealms x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /{realm} method: get operationId: getRealm x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /{realm} method: put operationId: updateRealm x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{realm} method: delete operationId: deleteRealm x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{realm}/users method: get operationId: getUsers x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /{realm}/users method: post operationId: createUser x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{realm}/users/{userId} method: get operationId: getUser x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /{realm}/users/{userId} method: put operationId: updateUser x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{realm}/users/{userId} method: delete operationId: deleteUser x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{realm}/users/{userId}/role-mappings/realm method: get operationId: getUserRealmRoleMappings x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /{realm}/users/{userId}/role-mappings/realm method: post operationId: addUserRealmRoleMappings x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{realm}/users/{userId}/role-mappings/realm method: delete operationId: deleteUserRealmRoleMappings x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{realm}/users/{userId}/groups method: get operationId: getUserGroups x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /{realm}/users/{userId}/groups/{groupId} method: put operationId: addUserToGroup x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{realm}/users/{userId}/groups/{groupId} method: delete operationId: removeUserFromGroup x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{realm}/users/{userId}/reset-password method: put operationId: resetUserPassword x-agentic-access: action-class: acting consequence: safety-critical subject: required audience: null token: max-ttl: 120 exchange: true purpose-required: true proof-of-possession: true escalation: human-in-the-loop: required audit: required - path: /{realm}/clients method: get operationId: getClients x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /{realm}/clients method: post operationId: createClient x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{realm}/clients/{clientUuid} method: get operationId: getClient x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /{realm}/clients/{clientUuid} method: put operationId: updateClient x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{realm}/clients/{clientUuid} method: delete operationId: deleteClient x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{realm}/clients/{clientUuid}/client-secret method: get operationId: getClientSecret x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /{realm}/clients/{clientUuid}/client-secret method: post operationId: regenerateClientSecret x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{realm}/roles method: get operationId: getRoles x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /{realm}/roles method: post operationId: createRole x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{realm}/roles/{roleName} method: get operationId: getRole x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /{realm}/roles/{roleName} method: put operationId: updateRole x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{realm}/roles/{roleName} method: delete operationId: deleteRole x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{realm}/groups method: get operationId: getGroups x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /{realm}/groups method: post operationId: createGroup x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{realm}/groups/{groupId} method: get operationId: getGroup x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /{realm}/groups/{groupId} method: put operationId: updateGroup x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{realm}/groups/{groupId} method: delete operationId: deleteGroup x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{realm}/groups/{groupId}/children method: post operationId: createChildGroup x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{realm}/groups/{groupId}/members method: get operationId: getGroupMembers x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /{realm}/identity-provider/instances method: get operationId: getIdentityProviders x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /{realm}/identity-provider/instances method: post operationId: createIdentityProvider x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{realm}/identity-provider/instances/{alias} method: get operationId: getIdentityProvider x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /{realm}/identity-provider/instances/{alias} method: put operationId: updateIdentityProvider x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{realm}/identity-provider/instances/{alias} method: delete operationId: deleteIdentityProvider x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required