All right, found a solution.
matchingUri from the source code:
https://github.com/keycloak/keycloak/blob/f99299ee3956d138c001769b0fe4bcf...
looks like a flag that should trigger extra search if no resource is found, calling
PathMatcher on each client resource. PathMatcher,
https://github.com/keycloak/keycloak/blob/b478472b3578b8980d7b5f1642e91e7...,
seems capable of matching /api/alice to /api/{employee}/*, this test passes:
    @Test
    public void matches() throws Exception {
        PathMatcher<Map.Entry<String, String>> pathMatcher = new PathMatcher<Map.Entry<String, String>>() {
            @Override
            protected String getPath(Map.Entry<String, String> entry) {
                return entry.getKey();
            }

            @Override
            protected Collection<Map.Entry<String, String>> getPaths() {
                Map<String, String> result = new HashMap<>();
                result.put("/api/{employee}/*", "employee resource");
                return result.entrySet();
            }
        };
        Map.Entry<String, String> matches = pathMatcher.matches("/api/alice");
        assertNotNull(matches);
        assertEquals("employee resource", matches.getValue());
    }
so the matchingUri param should be set to true and then the resource is found:
    curl -H "Authorization: Bearer $access_token" \
      "$SRV/authz/protection/resource_set?matchingUri=true&uri=%2Fapi%2Falice"
    ["deed8ae3-41a9-4781-b6c7-cb297516c2c6"]
regards,
Milan
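
Added example, not part of the message above and not Keycloak code: a simplified Python model of the lookup the message describes, where a plain uri query finds nothing for /api/alice and matchingUri=true falls back to pattern matching over the registered resource URIs. The resource ids, the exact-comparison default and the matching rules ({name} is one path segment, a trailing /* is any or no deeper path) are assumptions made for illustration.

```python
import re
from urllib.parse import urlencode

# Constructed sample: resource id -> URI registered for the client.
RESOURCES = {
    "res-employee": "/api/{employee}/*",
    "res-health": "/health",
}


def lookup_query(uri, matching_uri=False):
    """Build the resource_set query; the uri value must be percent-encoded."""
    params = {"uri": uri}
    if matching_uri:
        params = {"matchingUri": "true", "uri": uri}
    return "/authz/protection/resource_set?" + urlencode(params)


def template_to_regex(template):
    """Assumed rules: {name} = one segment, trailing /* = any (or no) deeper path."""
    wildcard = template.endswith("/*")
    if wildcard:
        template = template[:-2]
    parts = []
    for segment in template.split("/"):
        if segment.startswith("{") and segment.endswith("}"):
            parts.append(r"[^/]+")
        else:
            parts.append(re.escape(segment))
    pattern = "/".join(parts)
    if wildcard:
        pattern += r"(?:/.*)?"
    return re.compile(pattern + r"\Z")


def find_resources(uri, matching_uri=False, resources=RESOURCES):
    """Exact comparison first; pattern search only when the flag is set."""
    exact = [rid for rid, tpl in resources.items() if tpl == uri]
    if exact or not matching_uri:
        return exact
    return [rid for rid, tpl in resources.items()
            if template_to_regex(tpl).match(uri)]


if __name__ == "__main__":
    print(lookup_query("/api/alice", matching_uri=True))
    print(find_resources("/api/alice"), find_resources("/api/alice", True))
```

Running the same model over every route an application exposes shows which request paths resolve to no protected resource at all, which is worth checking before relying on the policy enforcer.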