Hello, I was under impression, that activating TOTP will makes the account unable to use with REST api, but then I've found that people describe how to do that and that is actually supported through 'totp' parameter to the API call. The parameter would have to be added to org.keycloak.admin.client.token.TokenManager:grantToken() method. Rather through some interface for TOTP generator than the one-time code. Were there already any plans to extend the library (keycloak-admin-client) to support TOTP? To my understanding the code like that should work: if (PASSWORD.equals(accessTokenGrantType)) { form.param("username", config.getUsername()) .param("password", config.getPassword()); if (config.getTotpGenerator() != null) { form.param("totp", config.getTotpGenerator().getToken()); } } The caller would have to provide the implementation of TotpGenerator compliant with Keycloak settings and set the secret from otp configuration QR code... Best regards, Lukasz Lech