keycloak-scim/server_development/topics/admin-rest-api.adoc

== Admin REST API

{project_name} comes with a fully functional Admin REST API with all features provided by the Admin Console.

To invoke the API you need to obtain an access token with the appropriate permissions. The required permissions are described in the Server Administration Guide.

You can obtain a token by enabling authentication for your application using {project_name}; see the Securing Applications and Services Guide. You can also use direct access grant to obtain an access token.

=== Examples of using CURL

==== Authenticating with a username and password

.Procedure

. Obtain an access token for the user in the realm `master` with username `admin` and password `password`:
+
[source,bash,subs=+attributes]
----
curl \
  -d "client_id=admin-cli" \
  -d "username=admin" \
  -d "password=password" \
  -d "grant_type=password" \
  "http://localhost:8080{kc_realms_path}/master/protocol/openid-connect/token"
----
+
NOTE: By default this token expires in 1 minute
+
The result will be a JSON document.

. Invoke the API you need by extracting the value of the `access_token` property.

. Invoke the API by including the value in the `Authorization` header of requests to the API.
+
The following example shows how to get the details of the master realm:
+
[source,bash,subs="attributes+"]
----
curl \
  -H "Authorization: bearer eyJhbGciOiJSUz..." \
  "http://localhost:8080{kc_admins_path}/realms/master"
----

==== Authenticating with a service account

To authenticate against the Admin REST API using a `client_id` and a `client_secret`, perform this procedure.

.Procedure

. Make sure the client is configured as follows:

* `client_id` is a **confidential** client that belongs to the realm *master*
* `client_id` has `Service Accounts Enabled` option enabled
* `client_id` has a custom "Audience" mapper
  ** Included Client Audience: `security-admin-console`

. Check that `client_id` has the role 'admin' assigned in the "Service Account Roles" tab.

[source,bash,subs="attributes+"]
----
curl \
  -d "client_id=<YOUR_CLIENT_ID>" \
  -d "client_secret=<YOUR_CLIENT_SECRET>" \
  -d "grant_type=client_credentials" \
  "http://localhost:8080{kc_realms_path}/master/protocol/openid-connect/token"
----

ifeval::[{project_community}==true]
=== Example using Java

There's a Java client library for the Admin REST API that makes it easy to use from Java. To use it from your application add a dependency on the
`keycloak-admin-client` library.

The following example shows how to use the Java client library to get the details of the master realm:

[source,java,subs="attributes+"]
----

import org.keycloak.admin.client.Keycloak;
import org.keycloak.representations.idm.RealmRepresentation;
...

Keycloak keycloak = Keycloak.getInstance(
    "http://localhost:8080{kc_base_path}",
    "master",
    "admin",
    "password",
    "admin-cli");
RealmRepresentation realm = keycloak.realm("master").toRepresentation();
----

Complete Javadoc for the admin client is available at {apidocs_link}[{apidocs_name}].
endif::[]

=== Additional resources
[role="_additional-resources"]
* {adminguide_link}[{adminguide_name}]
* {adapterguide_link}[{adapterguide_name}]
* {apidocs_link}[{apidocs_name}]