# Naftiko capability: wraps the Keycloak Admin REST API (consumes) and
# republishes each operation through a REST adapter and an MCP adapter
# (exposes).
# NOTE(review): the source arrived with its line breaks and indentation
# collapsed; the nesting below is reconstructed from key order - confirm it
# against the Naftiko schema before use.
naftiko: 1.0.0-alpha2
info:
  label: Keycloak Admin REST API
  description: The Keycloak Admin REST API provides endpoints for managing all
    aspects of a Keycloak deployment, including realms, users, clients, roles,
    groups, and identity providers. All endpoints require authentication via a
    bearer token obtained from the Keycloak token endpoint.
  tags:
    - Keycloak
    - API
  created: '2026-05-06'
  modified: '2026-05-06'
capability:
  consumes:
    - type: http
      namespace: keycloak
      # NOTE(review): https on port 8080 - a stock Keycloak listens for HTTP on
      # 8080 and HTTPS on 8443; confirm scheme and port for the target
      # deployment.
      baseUri: https://localhost:8080/admin/realms
      description: Keycloak Admin REST API HTTP API.
      # One bearer token, taken from the KEYCLOAK_TOKEN binding, is sent on
      # every upstream call, so every caller of the adapters below acts with
      # this token's privileges.
      # NOTE(review): Keycloak access tokens are typically short-lived; confirm
      # how this value is refreshed and that it is scoped to the minimum admin
      # roles needed.
      authentication:
        type: bearer
        token: '{{KEYCLOAK_TOKEN}}'
      # NOTE(review): paths use placeholders ({realm}, {userId}, {groupId},
      # {clientUuid}, {roleName}, {alias}) but no operation declares them as
      # inputParameters, and POST/PUT operations declare no request body;
      # confirm how the engine binds these values.
      resources:
        - name: resource
          path: /
          operations:
            - name: getrealms
              method: GET
              description: Keycloak List all realms
              inputParameters:
                - name: briefRepresentation
                  in: query
                  type: boolean
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: realm
          path: /{realm}
          operations:
            - name: getrealm
              method: GET
              description: Keycloak Get a realm
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: updaterealm
              method: PUT
              description: Keycloak Update a realm
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: deleterealm
              method: DELETE
              description: Keycloak Delete a realm
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: realm-users
          path: /{realm}/users
          operations:
            - name: getusers
              method: GET
              description: Keycloak List users
              inputParameters:
                - name: search
                  in: query
                  type: string
                  description: Search string for username, first name, last name, or email
                - name: username
                  in: query
                  type: string
                - name: email
                  in: query
                  type: string
                - name: firstName
                  in: query
                  type: string
                - name: lastName
                  in: query
                  type: string
                - name: enabled
                  in: query
                  type: boolean
                - name: first
                  in: query
                  type: integer
                  description: Pagination offset
                - name: max
                  in: query
                  type: integer
                  description: Maximum results size
                - name: briefRepresentation
                  in: query
                  type: boolean
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: createuser
              method: POST
              description: Keycloak Create a new user
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: realm-users-userid
          path: /{realm}/users/{userId}
          operations:
            - name: getuser
              method: GET
              description: Keycloak Get a user
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: updateuser
              method: PUT
              description: Keycloak Update a user
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: deleteuser
              method: DELETE
              description: Keycloak Delete a user
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        # Role-mapping writes change what a user is authorized to do.
        - name: realm-users-userid-role-mappings-realm
          path: /{realm}/users/{userId}/role-mappings/realm
          operations:
            - name: getuserrealmrolemappings
              method: GET
              description: Keycloak Get realm-level role mappings for a user
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: adduserrealmrolemappings
              method: POST
              description: Keycloak Add realm-level role mappings to a user
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: deleteuserrealmrolemappings
              method: DELETE
              description: Keycloak Remove realm-level role mappings from a user
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: realm-users-userid-groups
          path: /{realm}/users/{userId}/groups
          operations:
            - name: getusergroups
              method: GET
              description: Keycloak Get groups for a user
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: realm-users-userid-groups-groupid
          path: /{realm}/users/{userId}/groups/{groupId}
          operations:
            - name: addusertogroup
              method: PUT
              description: Keycloak Add a user to a group
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: removeuserfromgroup
              method: DELETE
              description: Keycloak Remove a user from a group
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        # Credential-changing operation: replaces a user's password.
        - name: realm-users-userid-reset-password
          path: /{realm}/users/{userId}/reset-password
          operations:
            - name: resetuserpassword
              method: PUT
              description: Keycloak Reset a user's password
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: realm-clients
          path: /{realm}/clients
          operations:
            - name: getclients
              method: GET
              description: Keycloak List clients
              inputParameters:
                - name: clientId
                  in: query
                  type: string
                  description: Filter by clientId
                - name: search
                  in: query
                  type: boolean
                - name: first
                  in: query
                  type: integer
                - name: max
                  in: query
                  type: integer
                - name: viewableOnly
                  in: query
                  type: boolean
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: createclient
              method: POST
              description: Keycloak Create a new client
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: realm-clients-clientuuid
          path: /{realm}/clients/{clientUuid}
          operations:
            - name: getclient
              method: GET
              description: Keycloak Get a client
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: updateclient
              method: PUT
              description: Keycloak Update a client
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: deleteclient
              method: DELETE
              description: Keycloak Delete a client
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        # The whole response ($.) is passed through, so the GET below returns
        # the client credential to the caller; keep it out of logs and traces.
        - name: realm-clients-clientuuid-client-secret
          path: /{realm}/clients/{clientUuid}/client-secret
          operations:
            - name: getclientsecret
              method: GET
              description: Keycloak Get the client secret
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: regenerateclientsecret
              method: POST
              description: Keycloak Regenerate the client secret
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: realm-roles
          path: /{realm}/roles
          operations:
            - name: getroles
              method: GET
              description: Keycloak List realm-level roles
              inputParameters:
                - name: search
                  in: query
                  type: string
                - name: first
                  in: query
                  type: integer
                - name: max
                  in: query
                  type: integer
                - name: briefRepresentation
                  in: query
                  type: boolean
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: createrole
              method: POST
              description: Keycloak Create a realm-level role
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: realm-roles-rolename
          path: /{realm}/roles/{roleName}
          operations:
            - name: getrole
              method: GET
              description: Keycloak Get a realm-level role by name
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: updaterole
              method: PUT
              description: Keycloak Update a realm-level role
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: deleterole
              method: DELETE
              description: Keycloak Delete a realm-level role
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: realm-groups
          path: /{realm}/groups
          operations:
            - name: getgroups
              method: GET
              description: Keycloak List groups
              inputParameters:
                - name: search
                  in: query
                  type: string
                - name: first
                  in: query
                  type: integer
                - name: max
                  in: query
                  type: integer
                - name: briefRepresentation
                  in: query
                  type: boolean
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: creategroup
              method: POST
              description: Keycloak Create a top-level group
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: realm-groups-groupid
          path: /{realm}/groups/{groupId}
          operations:
            - name: getgroup
              method: GET
              description: Keycloak Get a group
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: updategroup
              method: PUT
              description: Keycloak Update a group
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: deletegroup
              method: DELETE
              description: Keycloak Delete a group
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: realm-groups-groupid-children
          path: /{realm}/groups/{groupId}/children
          operations:
            - name: createchildgroup
              method: POST
              description: Keycloak Create a child group
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: realm-groups-groupid-members
          path: /{realm}/groups/{groupId}/members
          operations:
            - name: getgroupmembers
              method: GET
              description: Keycloak Get members of a group
              inputParameters:
                - name: first
                  in: query
                  type: integer
                - name: max
                  in: query
                  type: integer
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        # Identity-provider writes change which external issuers the realm
        # trusts for login.
        - name: realm-identity-provider-instances
          path: /{realm}/identity-provider/instances
          operations:
            - name: getidentityproviders
              method: GET
              description: Keycloak List identity providers
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: createidentityprovider
              method: POST
              description: Keycloak Create an identity provider
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: realm-identity-provider-instances-alias
          path: /{realm}/identity-provider/instances/{alias}
          operations:
            - name: getidentityprovider
              method: GET
              description: Keycloak Get an identity provider
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: updateidentityprovider
              method: PUT
              description: Keycloak Update an identity provider
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: deleteidentityprovider
              method: DELETE
              description: Keycloak Delete an identity provider
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
  exposes:
    # REST adapter: one resource entry per consumed operation, each forwarding
    # to keycloak.<operation> and returning the upstream body unchanged ($.).
    # No authentication is declared on this adapter in this file, while the
    # upstream call carries the KEYCLOAK_TOKEN bearer; confirm that access to
    # this port is restricted elsewhere (gateway, network policy).
    # NOTE(review): port 8080 is the same number as the consumed baseUri's
    # localhost:8080 - confirm the two do not share a host.
    # NOTE(review): operations here declare no inputParameters or `with`
    # mapping, so the query filters defined on the consumed side (search,
    # first, max, ...) do not appear to be forwarded - confirm.
    # NOTE(review): several entries repeat the same path with a different
    # method; confirm the engine merges them rather than keeping only one.
    - type: rest
      port: 8080
      namespace: keycloak-rest
      description: REST adapter for Keycloak Admin REST API.
      resources:
        - path: /
          name: getrealms
          operations:
            - method: GET
              name: getrealms
              description: Keycloak List all realms
              call: keycloak.getrealms
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}
          name: getrealm
          operations:
            - method: GET
              name: getrealm
              description: Keycloak Get a realm
              call: keycloak.getrealm
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}
          name: updaterealm
          operations:
            - method: PUT
              name: updaterealm
              description: Keycloak Update a realm
              call: keycloak.updaterealm
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}
          name: deleterealm
          operations:
            - method: DELETE
              name: deleterealm
              description: Keycloak Delete a realm
              call: keycloak.deleterealm
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/users
          name: getusers
          operations:
            - method: GET
              name: getusers
              description: Keycloak List users
              call: keycloak.getusers
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/users
          name: createuser
          operations:
            - method: POST
              name: createuser
              description: Keycloak Create a new user
              call: keycloak.createuser
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/users/{userId}
          name: getuser
          operations:
            - method: GET
              name: getuser
              description: Keycloak Get a user
              call: keycloak.getuser
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/users/{userId}
          name: updateuser
          operations:
            - method: PUT
              name: updateuser
              description: Keycloak Update a user
              call: keycloak.updateuser
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/users/{userId}
          name: deleteuser
          operations:
            - method: DELETE
              name: deleteuser
              description: Keycloak Delete a user
              call: keycloak.deleteuser
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/users/{userId}/role-mappings/realm
          name: getuserrealmrolemappings
          operations:
            - method: GET
              name: getuserrealmrolemappings
              description: Keycloak Get realm-level role mappings for a user
              call: keycloak.getuserrealmrolemappings
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/users/{userId}/role-mappings/realm
          name: adduserrealmrolemappings
          operations:
            - method: POST
              name: adduserrealmrolemappings
              description: Keycloak Add realm-level role mappings to a user
              call: keycloak.adduserrealmrolemappings
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/users/{userId}/role-mappings/realm
          name: deleteuserrealmrolemappings
          operations:
            - method: DELETE
              name: deleteuserrealmrolemappings
              description: Keycloak Remove realm-level role mappings from a user
              call: keycloak.deleteuserrealmrolemappings
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/users/{userId}/groups
          name: getusergroups
          operations:
            - method: GET
              name: getusergroups
              description: Keycloak Get groups for a user
              call: keycloak.getusergroups
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/users/{userId}/groups/{groupId}
          name: addusertogroup
          operations:
            - method: PUT
              name: addusertogroup
              description: Keycloak Add a user to a group
              call: keycloak.addusertogroup
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/users/{userId}/groups/{groupId}
          name: removeuserfromgroup
          operations:
            - method: DELETE
              name: removeuserfromgroup
              description: Keycloak Remove a user from a group
              call: keycloak.removeuserfromgroup
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/users/{userId}/reset-password
          name: resetuserpassword
          operations:
            - method: PUT
              name: resetuserpassword
              description: Keycloak Reset a user's password
              call: keycloak.resetuserpassword
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/clients
          name: getclients
          operations:
            - method: GET
              name: getclients
              description: Keycloak List clients
              call: keycloak.getclients
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/clients
          name: createclient
          operations:
            - method: POST
              name: createclient
              description: Keycloak Create a new client
              call: keycloak.createclient
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/clients/{clientUuid}
          name: getclient
          operations:
            - method: GET
              name: getclient
              description: Keycloak Get a client
              call: keycloak.getclient
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/clients/{clientUuid}
          name: updateclient
          operations:
            - method: PUT
              name: updateclient
              description: Keycloak Update a client
              call: keycloak.updateclient
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/clients/{clientUuid}
          name: deleteclient
          operations:
            - method: DELETE
              name: deleteclient
              description: Keycloak Delete a client
              call: keycloak.deleteclient
              outputParameters:
                - type: object
                  mapping: $.
        # Returns a client credential to whoever can reach this adapter.
        - path: /{realm}/clients/{clientUuid}/client-secret
          name: getclientsecret
          operations:
            - method: GET
              name: getclientsecret
              description: Keycloak Get the client secret
              call: keycloak.getclientsecret
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/clients/{clientUuid}/client-secret
          name: regenerateclientsecret
          operations:
            - method: POST
              name: regenerateclientsecret
              description: Keycloak Regenerate the client secret
              call: keycloak.regenerateclientsecret
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/roles
          name: getroles
          operations:
            - method: GET
              name: getroles
              description: Keycloak List realm-level roles
              call: keycloak.getroles
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/roles
          name: createrole
          operations:
            - method: POST
              name: createrole
              description: Keycloak Create a realm-level role
              call: keycloak.createrole
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/roles/{roleName}
          name: getrole
          operations:
            - method: GET
              name: getrole
              description: Keycloak Get a realm-level role by name
              call: keycloak.getrole
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/roles/{roleName}
          name: updaterole
          operations:
            - method: PUT
              name: updaterole
              description: Keycloak Update a realm-level role
              call: keycloak.updaterole
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/roles/{roleName}
          name: deleterole
          operations:
            - method: DELETE
              name: deleterole
              description: Keycloak Delete a realm-level role
              call: keycloak.deleterole
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/groups
          name: getgroups
          operations:
            - method: GET
              name: getgroups
              description: Keycloak List groups
              call: keycloak.getgroups
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/groups
          name: creategroup
          operations:
            - method: POST
              name: creategroup
              description: Keycloak Create a top-level group
              call: keycloak.creategroup
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/groups/{groupId}
          name: getgroup
          operations:
            - method: GET
              name: getgroup
              description: Keycloak Get a group
              call: keycloak.getgroup
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/groups/{groupId}
          name: updategroup
          operations:
            - method: PUT
              name: updategroup
              description: Keycloak Update a group
              call: keycloak.updategroup
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/groups/{groupId}
          name: deletegroup
          operations:
            - method: DELETE
              name: deletegroup
              description: Keycloak Delete a group
              call: keycloak.deletegroup
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/groups/{groupId}/children
          name: createchildgroup
          operations:
            - method: POST
              name: createchildgroup
              description: Keycloak Create a child group
              call: keycloak.createchildgroup
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/groups/{groupId}/members
          name: getgroupmembers
          operations:
            - method: GET
              name: getgroupmembers
              description: Keycloak Get members of a group
              call: keycloak.getgroupmembers
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/identity-provider/instances
          name: getidentityproviders
          operations:
            - method: GET
              name: getidentityproviders
              description: Keycloak List identity providers
              call: keycloak.getidentityproviders
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/identity-provider/instances
          name: createidentityprovider
          operations:
            - method: POST
              name: createidentityprovider
              description: Keycloak Create an identity provider
              call: keycloak.createidentityprovider
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/identity-provider/instances/{alias}
          name: getidentityprovider
          operations:
            - method: GET
              name: getidentityprovider
              description: Keycloak Get an identity provider
              call: keycloak.getidentityprovider
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/identity-provider/instances/{alias}
          name: updateidentityprovider
          operations:
            - method: PUT
              name: updateidentityprovider
              description: Keycloak Update an identity provider
              call: keycloak.updateidentityprovider
              outputParameters:
                - type: object
                  mapping: $.
        - path: /{realm}/identity-provider/instances/{alias}
          name: deleteidentityprovider
          operations:
            - method: DELETE
              name: deleteidentityprovider
              description: Keycloak Delete an identity provider
              call: keycloak.deleteidentityprovider
              outputParameters:
                - type: object
                  mapping: $.
    # MCP adapter: publishes every consumed operation as an agent-callable
    # tool on port 9090 with `transport: http`.
    # No authentication or authorization is declared on this adapter in this
    # file, and every tool call is forwarded with the single KEYCLOAK_TOKEN
    # bearer; confirm access to the port is restricted elsewhere and consider
    # publishing only the tools an agent actually needs.
    # `hints` are descriptive metadata; nothing in this file shows them being
    # enforced, so treat them as advisory to the client - TODO confirm.
    # NOTE(review): tools whose consumed path has placeholders (realm, userId,
    # groupId, clientUuid, roleName, alias) declare no inputParameters for
    # them, and create/update tools declare no body input; how those values
    # reach the call is not visible here.
    - type: mcp
      port: 9090
      namespace: keycloak-mcp
      transport: http
      description: MCP adapter for Keycloak Admin REST API for AI agent use.
      tools:
        - name: getrealms
          description: Keycloak List all realms
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: keycloak.getrealms
          with:
            briefRepresentation: tools.briefRepresentation
          inputParameters:
            - name: briefRepresentation
              type: boolean
              description: briefRepresentation
          outputParameters:
            - type: object
              mapping: $.
        - name: getrealm
          description: Keycloak Get a realm
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: keycloak.getrealm
          outputParameters:
            - type: object
              mapping: $.
        - name: updaterealm
          description: Keycloak Update a realm
          hints:
            readOnly: false
            destructive: false
            idempotent: true
          call: keycloak.updaterealm
          outputParameters:
            - type: object
              mapping: $.
        - name: deleterealm
          description: Keycloak Delete a realm
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: keycloak.deleterealm
          outputParameters:
            - type: object
              mapping: $.
        - name: getusers
          description: Keycloak List users
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: keycloak.getusers
          with:
            search: tools.search
            username: tools.username
            email: tools.email
            firstName: tools.firstName
            lastName: tools.lastName
            enabled: tools.enabled
            first: tools.first
            max: tools.max
            briefRepresentation: tools.briefRepresentation
          inputParameters:
            - name: search
              type: string
              description: Search string for username, first name, last name, or email
            - name: username
              type: string
              description: username
            - name: email
              type: string
              description: email
            - name: firstName
              type: string
              description: firstName
            - name: lastName
              type: string
              description: lastName
            - name: enabled
              type: boolean
              description: enabled
            - name: first
              type: integer
              description: Pagination offset
            - name: max
              type: integer
              description: Maximum results size
            - name: briefRepresentation
              type: boolean
              description: briefRepresentation
          outputParameters:
            - type: object
              mapping: $.
        - name: createuser
          description: Keycloak Create a new user
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: keycloak.createuser
          outputParameters:
            - type: object
              mapping: $.
        - name: getuser
          description: Keycloak Get a user
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: keycloak.getuser
          outputParameters:
            - type: object
              mapping: $.
        - name: updateuser
          description: Keycloak Update a user
          hints:
            readOnly: false
            destructive: false
            idempotent: true
          call: keycloak.updateuser
          outputParameters:
            - type: object
              mapping: $.
        - name: deleteuser
          description: Keycloak Delete a user
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: keycloak.deleteuser
          outputParameters:
            - type: object
              mapping: $.
        - name: getuserrealmrolemappings
          description: Keycloak Get realm-level role mappings for a user
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: keycloak.getuserrealmrolemappings
          outputParameters:
            - type: object
              mapping: $.
        # Grants realm roles to a user, i.e. a privilege change; it is hinted
        # destructive: false, so a client that gates only on `destructive`
        # would not prompt for it.
        - name: adduserrealmrolemappings
          description: Keycloak Add realm-level role mappings to a user
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: keycloak.adduserrealmrolemappings
          outputParameters:
            - type: object
              mapping: $.
        - name: deleteuserrealmrolemappings
          description: Keycloak Remove realm-level role mappings from a user
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: keycloak.deleteuserrealmrolemappings
          outputParameters:
            - type: object
              mapping: $.
        - name: getusergroups
          description: Keycloak Get groups for a user
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: keycloak.getusergroups
          outputParameters:
            - type: object
              mapping: $.
        - name: addusertogroup
          description: Keycloak Add a user to a group
          hints:
            readOnly: false
            destructive: false
            idempotent: true
          call: keycloak.addusertogroup
          outputParameters:
            - type: object
              mapping: $.
        - name: removeuserfromgroup
          description: Keycloak Remove a user from a group
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: keycloak.removeuserfromgroup
          outputParameters:
            - type: object
              mapping: $.
        # NOTE(review): hinted destructive: false although the call replaces a
        # user's credential; confirm the hint and whether this tool should be
        # exposed to agents at all.
        - name: resetuserpassword
          description: Keycloak Reset a user's password
          hints:
            readOnly: false
            destructive: false
            idempotent: true
          call: keycloak.resetuserpassword
          outputParameters:
            - type: object
              mapping: $.
        - name: getclients
          description: Keycloak List clients
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: keycloak.getclients
          with:
            clientId: tools.clientId
            search: tools.search
            first: tools.first
            max: tools.max
            viewableOnly: tools.viewableOnly
          inputParameters:
            - name: clientId
              type: string
              description: Filter by clientId
            - name: search
              type: boolean
              description: search
            - name: first
              type: integer
              description: first
            - name: max
              type: integer
              description: max
            - name: viewableOnly
              type: boolean
              description: viewableOnly
          outputParameters:
            - type: object
              mapping: $.
        - name: createclient
          description: Keycloak Create a new client
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: keycloak.createclient
          outputParameters:
            - type: object
              mapping: $.
        - name: getclient
          description: Keycloak Get a client
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: keycloak.getclient
          outputParameters:
            - type: object
              mapping: $.
        - name: updateclient
          description: Keycloak Update a client
          hints:
            readOnly: false
            destructive: false
            idempotent: true
          call: keycloak.updateclient
          outputParameters:
            - type: object
              mapping: $.
        - name: deleteclient
          description: Keycloak Delete a client
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: keycloak.deleteclient
          outputParameters:
            - type: object
              mapping: $.
        # readOnly: true, yet the mapped output ($.) is the client credential;
        # the value ends up in the agent's context and any transcript or log
        # of it, so treat this tool as secret-bearing.
        - name: getclientsecret
          description: Keycloak Get the client secret
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: keycloak.getclientsecret
          outputParameters:
            - type: object
              mapping: $.
        # NOTE(review): hinted destructive: false; regenerating presumably
        # replaces the secret existing consumers hold - confirm the hint.
        - name: regenerateclientsecret
          description: Keycloak Regenerate the client secret
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: keycloak.regenerateclientsecret
          outputParameters:
            - type: object
              mapping: $.
        - name: getroles
          description: Keycloak List realm-level roles
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: keycloak.getroles
          with:
            search: tools.search
            first: tools.first
            max: tools.max
            briefRepresentation: tools.briefRepresentation
          inputParameters:
            - name: search
              type: string
              description: search
            - name: first
              type: integer
              description: first
            - name: max
              type: integer
              description: max
            - name: briefRepresentation
              type: boolean
              description: briefRepresentation
          outputParameters:
            - type: object
              mapping: $.
        - name: createrole
          description: Keycloak Create a realm-level role
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: keycloak.createrole
          outputParameters:
            - type: object
              mapping: $.
        - name: getrole
          description: Keycloak Get a realm-level role by name
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: keycloak.getrole
          outputParameters:
            - type: object
              mapping: $.
        - name: updaterole
          description: Keycloak Update a realm-level role
          hints:
            readOnly: false
            destructive: false
            idempotent: true
          call: keycloak.updaterole
          outputParameters:
            - type: object
              mapping: $.
        - name: deleterole
          description: Keycloak Delete a realm-level role
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: keycloak.deleterole
          outputParameters:
            - type: object
              mapping: $.
        - name: getgroups
          description: Keycloak List groups
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: keycloak.getgroups
          with:
            search: tools.search
            first: tools.first
            max: tools.max
            briefRepresentation: tools.briefRepresentation
          inputParameters:
            - name: search
              type: string
              description: search
            - name: first
              type: integer
              description: first
            - name: max
              type: integer
              description: max
            - name: briefRepresentation
              type: boolean
              description: briefRepresentation
          outputParameters:
            - type: object
              mapping: $.
        - name: creategroup
          description: Keycloak Create a top-level group
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: keycloak.creategroup
          outputParameters:
            - type: object
              mapping: $.
        - name: getgroup
          description: Keycloak Get a group
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: keycloak.getgroup
          outputParameters:
            - type: object
              mapping: $.
        - name: updategroup
          description: Keycloak Update a group
          hints:
            readOnly: false
            destructive: false
            idempotent: true
          call: keycloak.updategroup
          outputParameters:
            - type: object
              mapping: $.
        - name: deletegroup
          description: Keycloak Delete a group
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: keycloak.deletegroup
          outputParameters:
            - type: object
              mapping: $.
        - name: createchildgroup
          description: Keycloak Create a child group
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: keycloak.createchildgroup
          outputParameters:
            - type: object
              mapping: $.
        - name: getgroupmembers
          description: Keycloak Get members of a group
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: keycloak.getgroupmembers
          with:
            first: tools.first
            max: tools.max
          inputParameters:
            - name: first
              type: integer
              description: first
            - name: max
              type: integer
              description: max
          outputParameters:
            - type: object
              mapping: $.
        - name: getidentityproviders
          description: Keycloak List identity providers
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: keycloak.getidentityproviders
          outputParameters:
            - type: object
              mapping: $.
        # Creating or updating an identity provider changes which external
        # issuers the realm trusts for login; both tools are hinted
        # destructive: false.
        - name: createidentityprovider
          description: Keycloak Create an identity provider
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: keycloak.createidentityprovider
          outputParameters:
            - type: object
              mapping: $.
        - name: getidentityprovider
          description: Keycloak Get an identity provider
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: keycloak.getidentityprovider
          outputParameters:
            - type: object
              mapping: $.
        - name: updateidentityprovider
          description: Keycloak Update an identity provider
          hints:
            readOnly: false
            destructive: false
            idempotent: true
          call: keycloak.updateidentityprovider
          outputParameters:
            - type: object
              mapping: $.
        - name: deleteidentityprovider
          description: Keycloak Delete an identity provider
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: keycloak.deleteidentityprovider
          outputParameters:
            - type: object
              mapping: $.
# Supplies the {{KEYCLOAK_TOKEN}} placeholder from the `env` namespace, so the
# credential stays out of this file; keep it out of version control and
# process listings as well.
# NOTE(review): placement of `binds` at the document root is reconstructed -
# confirm against the Naftiko schema.
binds:
  - namespace: env
    keys:
      KEYCLOAK_TOKEN: KEYCLOAK_TOKEN