Hi Michal and Tony, I think my confusion lays in the fact that I have an adminuser which is defined in the master realm because that was there during keycloak setup. Then I added a working realm and working client app. And I added users to the working realm and mapped them to a realm based role. And I do that by logging on to keycloak via a local browser, I have to use the admin user defined in master realm. And then I can create users in the working realm and add them to the realm based role. And all of that works. When I browse to a protected resource in my Spring app, I get redirected to keycloak login and after a successful login with an ordinary user, get sent to that resource. Success. So I assumed the same approach would work when using the java api. Builder object based on the admin user, saying that I would use the working realm and the client id. Because I want those new users to be added to the working realm, not the master realm. But obviously this does not work because the permissions are not right, hence the 401 error. I have been basing my code on https://gist.github.com/thomasdarimont/c4e739c5a319cf78a4cff3b87173a84b. As an aside, I am finding that that keycloak does not quite add up. For instance, I tried to use the self register feature in KC. They works in that it adds a user to the working realm but the user is unusable because it is not associated with a role. The answer could be to have a default role for new users. Or it could be to call some SB app code that added the role. Except that there is no post registration feature to redirect to a end point to run this code. And with the api, the Builder object can have completely the wrong information (non existent user, wrong password) and no exception is thrown. I realise that permissions can be caught before they are used (eg a user can look but not create) so it is only when a non permissible action is called that an exception is called. But the wrong authentication? So does the api have the same workflow as the browser admin? Regards, John ------ Original Message ------ From: "Michal Hajas" <mhajas(a)redhat.com&gt; To: "John Norris" <johnnorris-10(a)outlook.com&gt; Cc: &quot;keycloak-user(a)lists.jboss.org&quot; <keycloak-user(a)lists.jboss.org&gt; Sent: 06/12/2019 09:33:41 Subject: Re: [keycloak-user] create user via java api Have you changed clientId to some from master realm? In testsuite we are using "admin-cli" client. Michal ------ Original Message ------ From: "Tony Harris" <Tony.Harris@oneadvanced.com<mailto:Tony.Harris@oneadvanced.com>> To: "John Norris" <johnnorris-10@outlook.com<mailto:johnnorris-10@outlook.com>> Sent: 06/12/2019 09:23:54 Subject: RE: Re[2]: create user via java api John, I will tell you what I did when I was playing in this very area. We have an app that allows some users to manager users and few other bits and pieces in the realm. We created a confidential client in the realm we want users to be able to manage. We did not assign realm management rights to any normal users. Instead we used Spring Security to restrict access to functions that allow user creation/maintence by saying users with role X can do this. Then we used the RestTemplate to obtain a server side bearer token for the service account that we enabled when we created the confidential client, the service account was assigned the realm management rights and can do the required realm management functions within out SpringBoot application. For us this meant that if any single normal user account was compromised or that user tried to gain access to the keycloak console, they could not be used to manage the realm. Back when we did want individual users able to manage a realm the user was created in that realm and given the rights based on the relam-management client roles.