By management REST API you mean the API the admin console uses? 

Just to make sure I understand your suggestion correctly:

* I would use the management REST API (same API the admin console uses) from my backend application
* my backend application would need a user ("application user") within the keycloak-admin realm
* when accessing the management REST API, I would add an "Authorization: Bearer ..." header with the token I can obtain from .../auth/rest/realms/MY-REALM/tokens/grants/access


On Tue, Apr 15, 2014 at 3:10 PM, Bill Burke <> wrote:
IMO, you should not use the model directly in your applications.  The
management REST API gives you full access to security metadata.  Use
that.  Plus, in the very near future (after beta-1 release) we'll be
implementing a cache and if you are modifying data directly, there will
be possibilities of this cache using stale data.

On 4/15/2014 4:30 AM, Stian Thorgersen wrote:
> At some point we'll add a Java and REST api's for user management. This will also include being able to register listeners for user events (for example user created, user deleted, etc).
> In the mean time I don't see any issues with using keycloak-model-jpa directly, especially not for read only. This API will quite likely change between versions, and we won't support any backwards compatibility. The "official" user management API once it's ready will be more stable, but I'm not sure when we'll have time to implement that.
> ----- Original Message -----
>> From: "Nils Preusker" <>
>> To:
>> Sent: Tuesday, 15 April, 2014 9:22:44 AM
>> Subject: [keycloak-user] Sharing users
>> Hi, I have a question regarding user management and sharing access to the
>> keycloak database between applications.
>> While the keycloak admin console can be used to manage users, other
>> applications may also need to access the user database. Is there a
>> recommended way of accomplishing this?
>> I've been experimenting with adding keycloak-model-jpa to my .war as a
>> dependency and looking at the bootstrapping in
>> However, I wasn't able
>> to get it to work yet and have the feeling that I might be going the wrong
>> way here.
>> Any hints?
>> Cheers,
>> Nils
>> _______________________________________________
>> keycloak-user mailing list
> _______________________________________________
> keycloak-user mailing list

Bill Burke
JBoss, a division of Red Hat
keycloak-user mailing list