Integrations
Connect Keycloak
Connect Keycloak as an Authorization Server in Apiable. Enter the Server URL, Realm, DCR endpoint and credentials, save, then run Test Connection.
You connect Keycloak as an Authorization Server under Integrations → Authorization Servers. You enter your Keycloak server and realm, the Dynamic Client Registration endpoint and its credentials, then save and test the connection. After that, Apiable can register a client per subscription on your realm.
Where do you connect Keycloak?
Go to Integrations → Authorization Servers, choose + Add AuthZ, select Keycloak on the Select Authorization Server type screen, then choose Connect Authorization Server.
- Open Integrations → Authorization Servers.
- Choose + Add AuthZ.
- On Select Authorization Server type, select Keycloak.
- Choose Connect Authorization Server. The Keycloak connection form opens, titled Keycloak Configuration.
What does each Keycloak field mean?
The form is grouped into a name, a Server section, a DCR Credentials section, and an optional Admin API section. Fill in the required fields, then save.
| Field | Section | What to enter |
|---|---|---|
| Name | (top) | A label for this connection inside Apiable. Required. |
| Server URL | Server | Your Keycloak base URL, for example https://keycloak.example.com. Required. |
| Realm | Server | The Keycloak realm that holds your clients and scopes. Required. |
| DCR Endpoint | Server | The Dynamic Client Registration endpoint. Apiable fills this in for you from the Server URL and Realm; override it only if yours differs. |
| DCR Client ID | DCR Credentials | The client ID Apiable uses to register clients. Required. |
| DCR Client Secret | DCR Credentials | The secret for that client. Required. |
| Admin API Client ID | Admin API (optional) | A client ID for the Keycloak Admin REST API. Optional. |
| Admin API Client Secret | Admin API (optional) | The secret for the Admin API client. Optional. |
| Force Admin API for scope binding (advanced) | Admin API (optional) | A checkbox. Turn it on to make Apiable manage clients through the Admin REST API instead of the standard DCR endpoint. |
When do you need the Admin API credentials?
Only when you want Apiable to manage subscription clients through the Keycloak Admin REST API instead of the standard Dynamic Client Registration endpoint. The Admin API section is optional, and most connections do not need it.
Apiable uses the standard DCR endpoint by default. Provide the Admin API Client ID and Secret and tick Force Admin API for scope binding (advanced) if your Keycloak setup requires the Admin REST API path.
How do you save and test the connection?
Click Save. Apiable stores the credentials and runs OIDC discovery in the background. Open the saved server and click Test Connection to confirm Keycloak is reachable. The status reads Connected, Error, or Not tested.
- Click Save. On a new connection the button reads Save; when you edit an existing one it reads Save & Test Connection and runs a test automatically.
- Apiable kicks off OIDC discovery for the realm. The results appear under Discovered Auth Methods.
- Click Test Connection to check reachability. Apiable calls your realm's OpenID configuration endpoint.
- Read the status: a green dot and Connected means the realm responded; Error shows the failing URL; Not tested means no test has run yet.
What are Discovered Auth Methods?
Discovered Auth Methods lists the token endpoint authentication methods your realm advertises that Apiable supports. Apiable reads them from your realm's OpenID configuration and shows the supported subset: client_secret_basic and private_key_jwt.
Use Refresh in that panel to re-run discovery after you change the realm. The panel shows when it last refreshed, and surfaces a discovery error if the realm could not be read.
How do you confirm DCR works?
On a saved connection, use Register Test Client in the status bar. Apiable registers a throwaway client through your DCR configuration and shows its Client ID and Client Secret.
The secret is shown once, with the note "Copy these now, the secret will not be shown again." This confirms your DCR endpoint and credentials are working end to end.
Troubleshooting
Match the status or message to the fix.
| What you see | What to do |
|---|---|
| Status Not tested | No connection test has run yet. Open the server and click Test Connection. |
| Status Error with "Keycloak returned ..." | Test Connection reached Keycloak but the realm endpoint returned a non-200. Check the Realm spelling and that the realm exists. |
| Status Error with "Failed to reach Keycloak at ..." | Apiable could not reach the URL. Check the Server URL and that Keycloak is reachable from Apiable. |
| Discovered Auth Methods shows a dash and a discovery error | OIDC discovery failed. Confirm the Server URL and Realm resolve to a valid .well-known/openid-configuration, then click Refresh. |
| Discovery error "Connection timeout after 5s" | The discovery endpoint did not respond in time. Confirm the realm URL is reachable, then Refresh. |
| Register Test Client returns an error | DCR could not register a client. Check the DCR Client ID and DCR Client Secret, and that the client is allowed to register clients on your realm. |