Hi,
I got this setup for my app:
1. Keycloak server
2. Keycloak-protected nodejs backend (bearer-only)
3. PHP/Reactjs frontend
The frontend is optionally login-protected. For some users it will be required to log in,
which will redirect the user to the Keycloak server. After a user is logged in, the frontend
will have a bearer token to make API calls to the Keycloak-protected backend.
My problem is how to get a bearer token for users that don't need to be logged in
(anonymous users).
I tried this approach:
1. Created "confidential" client to be used by PHP.
2. Frontend PHP gets a bearer token using client_id and client_secret and passes it to
JavaScript (by that I mean printing out the token values inside a <script> tag as a
global variable).
3. Initially, the frontend makes successful API calls because the access_token passed by
PHP is fresh/valid.
4. After the access_token is expired, I will need to fetch a new one using refresh_token.
5. But, for that I need client_secret which is not available in the js app (and it's
not recommended to save client_secret and password in js app, as you know).
I'm stuck here. I researched, read a lot of documentation, but failed to find a way to
achieve that.
One other idea that crossed my mind was to make the bearer access_token long-lived; 6
hours, for instance. But, some users may use the app for more than that.
What options do I have?
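As an added example (not the original poster's code, and not part of the Keycloak project), here is one way to keep the client_secret on the PHP side for the anonymous-user flow described above. The browser never receives the secret or a refresh_token; instead it calls a small PHP endpoint over its own session whenever the access_token is about to expire, and PHP simply re-runs the client-credentials grant. The Keycloak base URL, realm name, client name and the `KC_CLIENT_SECRET` environment variable are assumed placeholders.

```php
<?php
// token.php: added example, not the poster's code. A server-side "token broker"
// for anonymous visitors. The browser asks this endpoint for a fresh access_token;
// the client_secret is read from the environment and never reaches the page.
declare(strict_types=1);

const KEYCLOAK_BASE  = 'https://keycloak.example.internal'; // assumed placeholder
const REALM          = 'myrealm';                           // assumed placeholder
const CLIENT_ID      = 'frontend-anon';                     // assumed confidential client
const REFRESH_MARGIN = 30; // seconds before expiry at which a new token is fetched

session_start();

function tokenEndpoint(): string
{
    return KEYCLOAK_BASE . '/realms/' . rawurlencode(REALM) . '/protocol/openid-connect/token';
}

/** Run the client-credentials grant against Keycloak and return the decoded JSON body. */
function clientCredentialsGrant(string $secret): array
{
    $ch = curl_init(tokenEndpoint());
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'grant_type'    => 'client_credentials',
            'client_id'     => CLIENT_ID,
            'client_secret' => $secret,
        ]),
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $body   = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        throw new RuntimeException("Keycloak token request failed (HTTP $status)");
    }
    return json_decode($body, true, 512, JSON_THROW_ON_ERROR);
}

/**
 * Return a still-valid access_token for this PHP session, fetching a new one when the
 * cached token is within REFRESH_MARGIN seconds of expiry. Only the access_token and
 * its remaining lifetime are handed to the browser; the secret stays server-side.
 */
function currentAccessToken(): array
{
    $cached = $_SESSION['anon_token'] ?? null;
    if ($cached === null || $cached['expires_at'] - time() < REFRESH_MARGIN) {
        $secret = getenv('KC_CLIENT_SECRET'); // assumed env var holding the secret
        if ($secret === false || $secret === '') {
            throw new RuntimeException('KC_CLIENT_SECRET is not configured');
        }
        $resp   = clientCredentialsGrant($secret);
        $cached = [
            'access_token' => $resp['access_token'],
            'expires_at'   => time() + (int) $resp['expires_in'],
        ];
        $_SESSION['anon_token'] = $cached;
    }
    return [
        'access_token' => $cached['access_token'],
        'expires_in'   => $cached['expires_at'] - time(),
    ];
}

header('Content-Type: application/json');
header('Cache-Control: no-store'); // tokens must not be cached by proxies or the browser
try {
    echo json_encode(currentAccessToken(), JSON_THROW_ON_ERROR);
} catch (Throwable $e) {
    http_response_code(502);
    echo json_encode(['error' => 'token_unavailable']);
}
```

The initial page render can call `currentAccessToken()` directly instead of printing the grant response, and the JavaScript then re-fetches `/token.php` (same-origin, with session cookies) shortly before `expires_in` runs out, so the refresh_token and client_secret are never needed in the browser at all. Whatever the anonymous visitor can do with this token is defined by the roles granted to the confidential client's service account in Keycloak, so the bearer-only backend should expect that account and the service account should carry only the permissions an anonymous user is meant to have.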