Hereโs a clean, up-to-date, โeverything you needโ CLI guide you can keep nearby. Iโll cover:
kc.sh(the Keycloak server CLI): every top-level command, what it does, the important options, and runnable examples- How options work (file vs env vs CLI) and where to find the full option list
- The two helper CLIs youโll use a lot:
kcadm.sh(Admin CLI) andkcreg.sh(Client Registration)
Iโm using Keycloak 26.x syntax (matches the 26.3.x youโre running).
kc.sh โ Keycloak server CLI
Where the scripts live
$KEYCLOAK_HOME/bin contains:
kc.sh/kc.batโ server CLIkcadm.shโ Admin CLIkcreg.shโ Client Registration CLI. (Keycloak)
Top-level commands (what they do)
| Command | What itโs for |
|---|---|
start-dev | Quick โdeveloper modeโ server (HTTP on 8080, relaxed checks). Not for production. (Keycloak) |
start | Secure, production mode server. You supply TLS/hostname/proxy/etc. (Red Hat Docs) |
build | Pre-build the distribution with your settings/features so start --optimized is super fast. (Red Hat Docs) |
show-config | Print the effective config and where each value came from (file/env/CLI). Great for debugging. (Red Hat Docs) |
import | Import realms (JSON/Dir) into the DB. |
export | Export realms to files/dir. |
bootstrap-admin | Create or recover the initial admin user offline. (Red Hat Docs) |
help | Built-in help for any command (e.g., kc.sh start --help). |
๐ The complete set of runtime/build properties you can pass to
kc.shis on the โAll configurationโ page. Every property there works as:--property=value(CLI) orKC_PROPERTY=value(env) or inconf/keycloak.conf. This is the canonical โno-options-missingโ reference. (Keycloak)
How configuration works (and precedence)
You can configure Keycloak in three ways:
- Config file:
conf/keycloak.conf - Environment variables:
KC_*(e.g.,KC_DB=mariadb) - CLI:
--db=mariadb --http-port=8180 ...
Precedence for a property is: CLI > Env > Config file. You can also point to a custom file with --config-file=/path/to/my.conf. (Red Hat Docs)
Databases (incl. MariaDB over UNIX socket)
Key DB knobs youโll use:
--db=<vendor>(env:KC_DB) โmariadb,mysql,postgres,mssql,oracle,h2(dev only)- Either compose the URL from parts:
--db-url-host,--db-url-port,--db-url-database
- Or give a full JDBC URL with
--db-url(env:KC_DB_URL) when you need special params (like a socket) - Credentials:
--db-username,--db-password(env:KC_DB_USERNAME,KC_DB_PASSWORD) - Pool:
--db-pool-initial-size,--db-pool-min-size,--db-pool-max-size, etc.
(All properties live on โAll configurationโ). (Keycloak)
MariaDB via UNIX socket (what you used)
With the MariaDB JDBC driver you can connect locally using localSocket:
export KC_DB=mariadb
export KC_DB_URL='jdbc:mariadb://localhost:3306/keycloak_db?localSocket=/opt/lampp/var/mysql/mysql.sock'
export KC_DB_USERNAME='root'
export KC_DB_PASSWORD='your-password'
bin/kc.sh start-dev
Code language: JavaScript (javascript)
localSocket is a MariaDB Connector/J property enabling UNIX domain socket connections. (This is supported by MariaDBโs driver, not MySQLโs). (GitHub, Stack Overflow)
Tip: If youโd rather use TCP, drop
localSocketand ensure MySQL/MariaDB is listening on127.0.0.1:3306, then use a normal URL.
Command-by-command details & examples
1) start-dev (developer mode)
Fastest way to run locally. HTTP only, permissive defaults.
Common options youโll actually use here
- Port:
--http-port=8080 - Bind:
--hostname=localhost(dev ignores strict hostname checks) - DB: same flags as
start(see DB section)
Example (your working socket setup)
export KC_DB=mariadb
export KC_DB_URL='jdbc:mariadb://localhost:3306/keycloak_db?localSocket=/opt/lampp/var/mysql/mysql.sock'
export KC_DB_USERNAME='root'
export KC_DB_PASSWORD='your-password'
bin/kc.sh start-dev
Code language: JavaScript (javascript)
What dev mode is and how to use it: (Keycloak)
2) start (production mode)
Secure defaults, requires proper hostname/proxy/TLS.
Popular runtime options
- HTTP/HTTPS
--http-enabled=false(default),--https-port=8443--https-certificate-file=/path/cert.pem--https-certificate-key-file=/path/key.pem--https-protocols=TLSv1.3,TLSv1.2(enable a specific set) (Red Hat Docs)
- Hostname / proxy
--hostname=auth.example.com--proxy=edge|reencrypt|passthrough
- Database โ same as above
- Logging (level/category), metrics/health, etc. (see โAll configurationโ) (Keycloak)
Example (TLS on 8443 with MariaDB TCP):
bin/kc.sh start
--hostname=auth.example.com
--https-port=8443
--https-certificate-file=/etc/ssl/certs/fullchain.pem
--https-certificate-key-file=/etc/ssl/private/privkey.pem
--db=mariadb
--db-username=kc_user
--db-password=kc_secret
--db-url-host=127.0.0.1
--db-url-port=3306
--db-url-database=keycloak_db
Code language: JavaScript (javascript)
3) build (pre-compute + bake options)
โBakesโ build-time options so production starts much faster.
Typical uses
- Pin the DB vendor:
bin/kc.sh build --db=mariadb - Toggle features:
--features=token-exchange,admin-fine-grained-authz - Remove defaults:
--features-disabled=impersonation
After building, start with: bin/kc.sh start --optimized ... (Red Hat Docs, Keycloak)
Example
bin/kc.sh build
--db=mariadb
--features=token-exchange
--features-disabled=impersonation
bin/kc.sh start --optimized --hostname=auth.example.com
(Features are enabled/disabled via --features / --features-disabled; see the features guide & all-config.) (Keycloak)
4) show-config
Prints the effective configuration and the source of each setting (CLI/env/file). Super useful when a value isnโt sticking.
bin/kc.sh show-config
Troubleshooting hint from RH docs (also: kc.sh --verbose start for full stacktraces). (Red Hat Docs)
5) import
Load realms from JSON/dir into your DB.
- Common flags (run
--helpfor your exact build):--file=/path/realm.jsonor--dir=/path/realms/--realm=myrealm(limit import to one realm inside the file/dir)- There may be options for strategy/overwrite depending on version.
The official guide shows examples and theimportcommand.
Example
bin/kc.sh import --dir=/opt/keycloak/imports
Code language: JavaScript (javascript)
Note:
importmay not support--verbose; use logs +--help. (GitHub)
6) export
Dump realms to files (good for backups/migrations).
Examples (see guide for usage):
# export all realms to a directory
bin/kc.sh export --dir=/var/backups/keycloak-realms
# export a single realm to file
bin/kc.sh export --realm=myrealm --file=/var/backups/myrealm.json
Code language: PHP (php)
(Export/import commands are described alongside start/build in the CLI guide page.)
7) bootstrap-admin
Create/recover the admin account offline. Handy if you didnโt set KC_BOOTSTRAP_ADMIN_USERNAME/PASSWORD before first start, or you lost admin access.
bin/kc.sh bootstrap-admin --user admin --password 'Str0ngP@ss!'
Code language: JavaScript (javascript)
Full details & recovery flow: (Red Hat Docs)
A few more useful knobs (by category)
For a complete, authoritative list, use the All configuration page (every property there works as CLI/env/file). Iโm just surfacing common ones here. (Keycloak)
- HTTP/HTTPS:
--http-enabled,--http-port,--https-port,--https-certificate-file,--https-certificate-key-file,--https-trust-store,--https-protocols(TLS versions) (Red Hat Docs) - Hostname / proxy:
--hostname,--proxy - Logging:
--log-level=INFO|DEBUG|TRACE,--logcategory options - Health/metrics:
--health-enabled=true,--metrics-enabled=true - Feature toggles:
--features=...,--features-disabled=...(Keycloak) - Config file/keystore:
--config-file,--config-keystore,--config-keystore-password,--config-keystore-type(PKCS12/JCEKS) (Red Hat Docs)
Admin CLI (kcadm.sh) โ quick cookbook
Use it to automate anything you can do in the Admin Console (it talks to the Admin REST API). Docs & examples: Server Admin Guide + Admin CLI docs. (Keycloak, wjw465150.gitbooks.io)
Log in (create a session)
bin/kcadm.sh config credentials
--server http://localhost:8080
--realm master
--user admin
# prompts for password
Code language: PHP (php)
Realm CRUD
# create a realm from JSON
bin/kcadm.sh create realms -f realm.json
# list realms
bin/kcadm.sh get realms
Code language: PHP (php)
Users
# create a user
bin/kcadm.sh create users -r myrealm -s username=alice -s enabled=true
# set a password
USER_ID=$(bin/kcadm.sh get users -r myrealm -q username=alice --fields id | jq -r '.[0].id')
bin/kcadm.sh set-password -r myrealm --userid "$USER_ID" --new-password 'Sup3rSecret!'
Code language: PHP (php)
Clients
# create a client
bin/kcadm.sh create clients -r myrealm
-s clientId=my-app
-s publicClient=false
-s protocol=openid-connect
-s 'redirectUris=["https://app.example.com/*"]'
# get client details
bin/kcadm.sh get clients -r myrealm -q clientId=my-app
Code language: PHP (php)
(There are many resources: realms, users, groups, roles, clients, idpsโฆ kcadm.sh help shows usage; the REST model matches the Admin REST API.) (Keycloak)
Client Registration CLI (kcreg.sh) โ quick cookbook
Use it to self-register clients via the Client Registration endpoints. Great for CI when apps need to provision themselves. Docs & patterns: client registration guide. (Keycloak)
Configure credentials once
bin/kcreg.sh config credentials
--server http://localhost:8080
--realm myrealm
--user admin
# prompts for password
Code language: PHP (php)
Create a client
bin/kcreg.sh create
-s clientId=my_client
-s publicClient=false
-s 'redirectUris=["https://app.example.com/*"]'
Code language: JavaScript (javascript)
Read / update / delete
bin/kcreg.sh get my_client
bin/kcreg.sh get my_client > my_client.json
jq '.standardFlowEnabled=true' my_client.json > my_client2.json
bin/kcreg.sh update my_client -f my_client2.json
bin/kcreg.sh delete my_client
Code language: JavaScript (javascript)
(You can also output -e install to generate adapter config.) (Keycloak)
A few โput-it-all-togetherโ scenarios
A) Your LAMPP/MariaDB (UNIX socket) dev setup
export KC_DB=mariadb
export KC_DB_URL='jdbc:mariadb://localhost:3306/keycloak_db?localSocket=/opt/lampp/var/mysql/mysql.sock'
export KC_DB_USERNAME='root'
export KC_DB_PASSWORD='your-password'
bin/kc.sh start-dev
Code language: JavaScript (javascript)
(Uses MariaDB Connector/Jโs localSocket property). (GitHub)
B) Build once, start optimized in prod
# one-time build
bin/kc.sh build --db=mariadb --features=token-exchange
# fast starts afterwards
bin/kc.sh start --optimized
--hostname=auth.example.com
--https-port=8443
--https-certificate-file=/etc/ssl/certs/fullchain.pem
--https-certificate-key-file=/etc/ssl/private/privkey.pem
Code language: PHP (php)
C) Export / Import realms
# export everything
bin/kc.sh export --dir=/var/backups/kc-$(date +%F)
# import later (e.g., into a new server)
bin/kc.sh import --dir=/var/backups/kc-2025-08-22
Code language: PHP (php)
Where to find every single option
- All configuration โ authoritative list of every property/flag (runtime & build). If itโs not on this page, it doesnโt exist. Use it as your โcomplete optionsโ reference. (Keycloak)
- Configuring Keycloak โ how config sources & formats work; examples of
--config-file, keystores, etc. (Keycloak, Red Hat Docs) - Enabling/disabling features โ how
--features/--features-disabledbehave and examples. (Keycloak) - Start from the command line โ shows the
start,start-dev,build,show-config,import,export,helpcommands in one place. - Bootstrap admin โ creating/recovering the admin account. (Red Hat Docs)
I’m Rajesh Kumar, a DevOps, SRE, DevSecOps, Cloud, and Platform Engineering expert passionate about sharing practical knowledge, real-world experiences, and industry best practices. I have worked at Cotocus and regularly write about technology, travel, investing, health, product reviews, and digital marketing through my various platforms.
I publish technical articles at DevOps School, travel stories at Holiday Landmark, stock market insights at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow, and SEO and digital marketing strategies at Wizbrand.
Find Trusted Cardiac Hospitals
Compare heart hospitals by city and services โ all in one place.
Explore Hospitals