[[_access_types]]
= Client Access Types

When you create a Client in admin console you may be wondering what the "Access Types" are. 

confidential::
  Confidential access type is for clients that need to perform a browser login and that you want to require a client secret when they turn an access code into an access token, (see http://tools.ietf.org/html/rfc6749#section-4.1.3[Access Token Request] in the OAuth 2.0 spec for more details).  The advantages of this is that it is a little extra security.
  Since Keycloak requires you to register valid redirect-uris, I'm not exactly sure what this little extra security is though.
  :) The disadvantages of this access type is that confidential access type is pointless for pure Javascript clients as anybody could easily figure out your client's secret! 

public::
  Public access type is for clients that need to perform a browser login and that you feel that the added extra security of confidential access type is not needed.
  FYI, Pure javascript clients are by nature public. 

bearer-only::
  Bearer-only access type means that the application only allows bearer token requests.
  If this is turned on, this application cannot participate in browser logins. 

direct access only::
  You would also see a "Direct Access Only" switch when creating the Client.
  This switch is for clients that only use the  <<_direct_access_grants,Direct Access Grant>>                        protocol to obtain access tokens.