Keycloak

Open-source Identity and Access Management server providing SSO, OAuth2/OIDC, and SAML — self-hosted or via Red Hat SSO managed offering.

Evaluated Mar 06, 2026 (0d ago) vcurrent

Homepage ↗ Repo ↗ Security identity sso iam oauth2 oidc saml open-source self-hosted enterprise

⚙ Agent Friendliness

/ 100

Can an agent use this?

🔒 Security

/ 100

Is it safe for agents?

⚡ Reliability

/ 100

Does it work consistently?

Score Breakdown

⚙ Agent Friendliness

MCP Quality

Documentation

Error Messages

Auth Simplicity

Rate Limits

🔒 Security

TLS Enforcement

Auth Strength

Scope Granularity

Dep. Hygiene

Secret Handling

TLS configuration is operator responsibility — must be enforced at proxy or server level. Supports HSM for key storage. Brute-force protection and CORS must be configured explicitly.

⚡ Reliability

Uptime/SLA

Version Stability

Breaking Changes

Error Recovery

Best When

You need full control over your identity infrastructure, have no external network restrictions, and can invest in operational management of a self-hosted service.

Avoid When

Your team lacks the capacity to operate and maintain a JVM-based clustered service, or you need enterprise SLA guarantees without managing infrastructure.

Use Cases

• Stand up a fully self-hosted OIDC provider with no external dependencies for air-gapped or compliance-sensitive environments
• Federate multiple identity sources (LDAP, Active Directory, social providers) into a single unified token-issuing authority
• Implement fine-grained authorization using Keycloak's Authorization Services (UMA 2.0, RBAC, ABAC) for complex multi-tenant applications
• Automate realm and client configuration via the Admin REST API for GitOps-driven infrastructure provisioning
• Migrate users from a legacy identity system into Keycloak with password hash import, keeping users unaware of the migration

Not For

• Teams without ops capacity to manage JVM-based infrastructure, upgrades, backups, and HA clustering
• Projects needing a fully managed SaaS identity service with zero infrastructure overhead
• Simple API key or service account auth where a lightweight solution would suffice

Interface

REST API

Yes

GraphQL

gRPC

MCP Server

SDK

Yes

Webhooks

Yes

OpenAPI Spec ↗

Authentication

Methods: none

OAuth: Yes Scopes: Yes

Self-hosted — auth is configured by the operator. Admin REST API uses bearer tokens obtained via client credentials or admin-cli. No external auth dependency; all token issuance is local.

Pricing

Model: open_source

Free tier: Yes

Requires CC: No

Core product is free. Red Hat subscription provides enterprise support, patches, and a managed offering. Self-hosting costs are infrastructure only.

Agent Metadata

Pagination

offset

Idempotent

Partial

Retry Guidance

Not documented

Known Gotchas

⚠ Admin REST API paths changed significantly between major versions (v18, v20, v22+) — agents must pin to a specific version or handle 404s gracefully
⚠ Obtaining an admin token requires a separate POST to /realms/master/protocol/openid-connect/token — agents must not confuse realm admin tokens with application user tokens
⚠ Realm import via REST API silently ignores unknown fields; failed partial imports can leave realms in inconsistent state without a clear error
⚠ Session invalidation (logout) requires posting to the end_session endpoint with the ID token hint — calling DELETE on the session resource in the admin API affects different objects
⚠ Offline tokens and refresh tokens have separate expiry policies configurable per realm — agents relying on long-lived refresh tokens must verify realm policy or handle unexpected 400 invalid_grant errors

Alternatives

okta-api cognito-api auth0-api

Full Evaluation Report

Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for Keycloak.

$99

API endpoint ↗ Agent guide ↗ Report inaccuracy

Scores are editorial opinions as of 2026-03-06.