[keycloak-user] Securing RESTful API Best Practices

Hi, I am very new to Keycloak. I have a RESTful API implemented with json:api <https://jsonapi.org/> spec which I want to secure using Keycloak. I just want to ask the Keycloak community for best practices when it comes to securing RESTful APIs. My endpoints will be something like: GET /api/books --> return all books the user has access for GET /api/books/123 --> return book with id = 123 My challenge now is to figure out how to define resources in Keycloak. Should I add all my books as resources to Keycloak? And then define the permission between each user and resource? What would be the best practice to implement "GET /api/books" to return only the books the logged in user has access to? Should I query the Keycloak API to get all the resources the logged in user has access to, in the backend? Thanks Farzad