{"id":51795,"date":"2025-08-22T06:31:28","date_gmt":"2025-08-22T06:31:28","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=51795"},"modified":"2026-02-21T08:07:06","modified_gmt":"2026-02-21T08:07:06","slug":"keycloak-keycloak-and-kc-sh-command-complete-guide","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/keycloak-keycloak-and-kc-sh-command-complete-guide\/","title":{"rendered":"keycloak: keycloak and kc.sh command &#8211; Complete Guide"},"content":{"rendered":"\n<p>Here\u2019s a clean, up-to-date, \u201ceverything you need\u201d CLI guide you can keep nearby. I\u2019ll cover:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>kc.sh<\/code> (the Keycloak server CLI): every top-level command, what it does, the important options, and runnable examples<\/li>\n\n\n\n<li>How options work (file vs env vs CLI) and where to find the <strong>full<\/strong> option list<\/li>\n\n\n\n<li>The two helper CLIs you\u2019ll use a lot: <code>kcadm.sh<\/code> (Admin CLI) and <code>kcreg.sh<\/code> (Client Registration)<\/li>\n<\/ul>\n\n\n\n<p>I\u2019m using Keycloak 26.x syntax (matches the 26.3.x you\u2019re running).<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h1 class=\"wp-block-heading\">kc.sh \u2014 Keycloak server CLI<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Where the scripts live<\/h2>\n\n\n\n<p><code>$KEYCLOAK_HOME\/bin<\/code> contains:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>kc.sh<\/code> \/ <code>kc.bat<\/code> \u2013 server CLI<\/li>\n\n\n\n<li><code>kcadm.sh<\/code> \u2013 Admin CLI<\/li>\n\n\n\n<li><code>kcreg.sh<\/code> \u2013 Client Registration CLI. 
(<a href=\"https:\/\/www.keycloak.org\/server\/directory-structure?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Keycloak<\/a>)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Top-level commands (what they do)<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Command<\/th><th>What it\u2019s for<\/th><\/tr><\/thead><tbody><tr><td><code>start-dev<\/code><\/td><td>Quick \u201cdeveloper mode\u201d server (HTTP on 8080, relaxed checks). Not for production. (<a href=\"https:\/\/www.keycloak.org\/getting-started\/getting-started-zip?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Keycloak<\/a>)<\/td><\/tr><tr><td><code>start<\/code><\/td><td>Secure, production mode server. You supply TLS\/hostname\/proxy\/etc. (<a href=\"https:\/\/docs.redhat.com\/en\/documentation\/red_hat_build_of_keycloak\/22.0\/html\/server_guide\/configuration-?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Red Hat Docs<\/a>)<\/td><\/tr><tr><td><code>build<\/code><\/td><td>Pre-build the distribution with your settings\/features so <code>start --optimized<\/code> is super fast. (<a href=\"https:\/\/docs.redhat.com\/en\/documentation\/red_hat_build_of_keycloak\/22.0\/html\/server_guide\/configuration-?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Red Hat Docs<\/a>)<\/td><\/tr><tr><td><code>show-config<\/code><\/td><td>Print the effective config and where each value came from (file\/env\/CLI). Great for debugging. (<a href=\"https:\/\/docs.redhat.com\/en\/documentation\/red_hat_build_of_keycloak\/22.0\/html\/migration_guide\/migrating-server?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Red Hat Docs<\/a>)<\/td><\/tr><tr><td><code>import<\/code><\/td><td>Import realms (JSON\/Dir) into the DB.<\/td><\/tr><tr><td><code>export<\/code><\/td><td>Export realms to files\/dir.<\/td><\/tr><tr><td><code>bootstrap-admin<\/code><\/td><td>Create or recover the initial admin user offline. 
(<a href=\"https:\/\/docs.redhat.com\/en\/documentation\/red_hat_build_of_keycloak\/22.0\/html\/server_guide\/configuration-?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Red Hat Docs<\/a>)<\/td><\/tr><tr><td><code>help<\/code><\/td><td>Built-in help for any command (e.g., <code>kc.sh start --help<\/code>).<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\ud83d\udd0e The <strong>complete<\/strong> set of runtime\/build properties you can pass to <code>kc.sh<\/code> is on the \u201cAll configuration\u201d page. Every property there works as: <code>--property=value<\/code> (CLI) or <code>KC_PROPERTY=value<\/code> (env) or in <code>conf\/keycloak.conf<\/code>. This is the canonical \u201cno-options-missing\u201d reference. (<a href=\"https:\/\/www.keycloak.org\/server\/all-config?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Keycloak<\/a>)<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\">How configuration works (and precedence)<\/h2>\n\n\n\n<p>You can configure Keycloak in three ways:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Config file<\/strong>: <code>conf\/keycloak.conf<\/code><\/li>\n\n\n\n<li><strong>Environment variables<\/strong>: <code>KC_*<\/code> (e.g., <code>KC_DB=mariadb<\/code>)<\/li>\n\n\n\n<li><strong>CLI<\/strong>: <code>--db=mariadb --http-port=8180 ...<\/code><\/li>\n<\/ol>\n\n\n\n<p><strong>Precedence<\/strong> for a property is: <strong>CLI &gt; Env &gt; Config file<\/strong>. You can also point to a custom file with <code>--config-file=\/path\/to\/my.conf<\/code>. 
(<a href=\"https:\/\/docs.redhat.com\/en\/documentation\/red_hat_build_of_keycloak\/22.0\/html\/server_guide\/configuration-?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Red Hat Docs<\/a>)<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\">Databases (incl. MariaDB over UNIX socket)<\/h2>\n\n\n\n<p>Key DB knobs you\u2019ll use:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>--db=&lt;vendor&gt;<\/code> (env: <code>KC_DB<\/code>) \u2013 <code>mariadb<\/code>, <code>mysql<\/code>, <code>postgres<\/code>, <code>mssql<\/code>, <code>oracle<\/code>, <code>h2(dev only)<\/code><\/li>\n\n\n\n<li>Either <strong>compose<\/strong> the URL from parts:\n<ul class=\"wp-block-list\">\n<li><code>--db-url-host<\/code>, <code>--db-url-port<\/code>, <code>--db-url-database<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Or<\/strong> give a full JDBC URL with <code>--db-url<\/code> (env: <code>KC_DB_URL<\/code>) when you need special params (like a socket)<\/li>\n\n\n\n<li>Credentials: <code>--db-username<\/code>, <code>--db-password<\/code> (env: <code>KC_DB_USERNAME<\/code>, <code>KC_DB_PASSWORD<\/code>)<\/li>\n\n\n\n<li>Pool: <code>--db-pool-initial-size<\/code>, <code>--db-pool-min-size<\/code>, <code>--db-pool-max-size<\/code>, etc.<br>(All properties live on \u201cAll configuration\u201d). 
(<a href=\"https:\/\/www.keycloak.org\/server\/all-config?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Keycloak<\/a>)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">MariaDB via UNIX socket (what you used)<\/h3>\n\n\n\n<p>With the MariaDB JDBC driver you can connect locally using <code>localSocket<\/code>:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-1\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\"><span class=\"hljs-keyword\">export<\/span> KC_DB=mariadb\n<span class=\"hljs-keyword\">export<\/span> KC_DB_URL=<span class=\"hljs-string\">'jdbc:mariadb:\/\/localhost:3306\/keycloak_db?localSocket=\/opt\/lampp\/var\/mysql\/mysql.sock'<\/span>\n<span class=\"hljs-keyword\">export<\/span> KC_DB_USERNAME=<span class=\"hljs-string\">'root'<\/span>\n<span class=\"hljs-keyword\">export<\/span> KC_DB_PASSWORD=<span class=\"hljs-string\">'your-password'<\/span>\nbin\/kc.sh start-dev\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-1\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p><code>localSocket<\/code> is a MariaDB Connector\/J property enabling UNIX domain socket connections. (This is supported by <strong>MariaDB<\/strong>\u2019s driver, not MySQL\u2019s). 
(<a href=\"https:\/\/github.com\/microsoft\/mariadb-connector-j\/blob\/master\/documentation\/use-mariadb-connector-j-driver.creole?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">GitHub<\/a>, <a href=\"https:\/\/stackoverflow.com\/questions\/25918416\/jdbc-mysql-connection-using-unix-socket?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Stack Overflow<\/a>)<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Tip: If you\u2019d rather use TCP, drop <code>localSocket<\/code> and ensure MySQL\/MariaDB is listening on <code>127.0.0.1:3306<\/code>, then use a normal URL.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\">Command-by-command details &amp; examples<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1) <code>start-dev<\/code> (developer mode)<\/h3>\n\n\n\n<p>Fastest way to run locally. HTTP only, permissive defaults.<\/p>\n\n\n\n<p><strong>Common options you\u2019ll actually use here<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Port: <code>--http-port=8080<\/code><\/li>\n\n\n\n<li>Bind: <code>--hostname=localhost<\/code> (dev ignores strict hostname checks)<\/li>\n\n\n\n<li>DB: same flags as <code>start<\/code> (see DB section)<\/li>\n<\/ul>\n\n\n\n<p><strong>Example (your working socket setup)<\/strong><\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-2\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\"><span class=\"hljs-keyword\">export<\/span> KC_DB=mariadb\n<span class=\"hljs-keyword\">export<\/span> KC_DB_URL=<span class=\"hljs-string\">'jdbc:mariadb:\/\/localhost:3306\/keycloak_db?localSocket=\/opt\/lampp\/var\/mysql\/mysql.sock'<\/span>\n<span class=\"hljs-keyword\">export<\/span> KC_DB_USERNAME=<span class=\"hljs-string\">'root'<\/span>\n<span class=\"hljs-keyword\">export<\/span> KC_DB_PASSWORD=<span 
class=\"hljs-string\">'your-password'<\/span>\n\nbin\/kc.sh start-dev\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-2\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>What dev mode is and how to use it: (<a href=\"https:\/\/www.keycloak.org\/getting-started\/getting-started-zip?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Keycloak<\/a>)<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h3 class=\"wp-block-heading\">2) <code>start<\/code> (production mode)<\/h3>\n\n\n\n<p>Secure defaults, requires proper hostname\/proxy\/TLS.<\/p>\n\n\n\n<p><strong>Popular runtime options<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>HTTP\/HTTPS<\/strong>\n<ul class=\"wp-block-list\">\n<li><code>--http-enabled=false<\/code> (default), <code>--https-port=8443<\/code><\/li>\n\n\n\n<li><code>--https-certificate-file=\/path\/cert.pem<\/code><\/li>\n\n\n\n<li><code>--https-certificate-key-file=\/path\/key.pem<\/code><\/li>\n\n\n\n<li><code>--https-protocols=TLSv1.3,TLSv1.2<\/code> (enable a specific set) (<a href=\"https:\/\/docs.redhat.com\/en\/documentation\/red_hat_build_of_keycloak\/24.0\/html-single\/server_guide\/index?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Red Hat Docs<\/a>)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Hostname \/ proxy<\/strong>\n<ul class=\"wp-block-list\">\n<li><code>--hostname=auth.example.com<\/code><\/li>\n\n\n\n<li><code>--proxy=edge|reencrypt|passthrough<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Database<\/strong> \u2013 same as above<\/li>\n\n\n\n<li><strong>Logging<\/strong> (level\/category), metrics\/health, etc. 
(see \u201cAll configuration\u201d) (<a href=\"https:\/\/www.keycloak.org\/server\/all-config?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Keycloak<\/a>)<\/li>\n<\/ul>\n\n\n\n<p><strong>Example (TLS on 8443 with MariaDB TCP):<\/strong><\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-3\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">bin\/kc.sh start \\\n  --hostname=auth.example.com \\\n  --https-port=<span class=\"hljs-number\">8443<\/span> \\\n  --https-certificate-file=<span class=\"hljs-regexp\">\/etc\/<\/span>ssl\/certs\/fullchain.pem \\\n  --https-certificate-key-file=<span class=\"hljs-regexp\">\/etc\/<\/span>ssl\/private\/privkey.pem \\\n  --db=mariadb \\\n  --db-username=kc_user \\\n  --db-password=kc_secret \\\n  --db-url-host=<span class=\"hljs-number\">127.0<\/span><span class=\"hljs-number\">.0<\/span><span class=\"hljs-number\">.1<\/span> \\\n  --db-url-port=<span class=\"hljs-number\">3306<\/span> \\\n  --db-url-database=keycloak_db\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-3\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h3 class=\"wp-block-heading\">3) <code>build<\/code> (pre-compute + bake options)<\/h3>\n\n\n\n<p>\u201cBakes\u201d build-time options so production starts much faster.<\/p>\n\n\n\n<p><strong>Typical uses<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Pin the DB vendor: <code>bin\/kc.sh build --db=mariadb<\/code><\/li>\n\n\n\n<li>Toggle features: <code>--features=token-exchange,admin-fine-grained-authz<\/code><\/li>\n\n\n\n<li>Remove defaults: 
<code>--features-disabled=impersonation<\/code><\/li>\n<\/ul>\n\n\n\n<p>After building, start with: <code>bin\/kc.sh start --optimized ...<\/code> (<a href=\"https:\/\/docs.redhat.com\/en\/documentation\/red_hat_build_of_keycloak\/22.0\/html\/server_guide\/configuration-?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Red Hat Docs<\/a>, <a href=\"https:\/\/www.keycloak.org\/server\/features?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Keycloak<\/a>)<\/p>\n\n\n\n<p><strong>Example<\/strong><\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">bin\/kc.sh build \\\n  --db=mariadb \\\n  --features=token-exchange \\\n  --features-disabled=impersonation\n\nbin\/kc.sh start --optimized --hostname=auth.example.com\n<\/code><\/span><\/pre>\n\n\n<p>(Features are enabled\/disabled via <code>--features<\/code> \/ <code>--features-disabled<\/code>; see the features guide &amp; all-config.) (<a href=\"https:\/\/www.keycloak.org\/server\/features?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Keycloak<\/a>)<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h3 class=\"wp-block-heading\">4) <code>show-config<\/code><\/h3>\n\n\n\n<p>Prints the effective configuration and the <strong>source<\/strong> of each setting (CLI\/env\/file). Super useful when a value isn\u2019t sticking.<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">bin\/kc.sh show-config\n<\/code><\/span><\/pre>\n\n\n<p>Troubleshooting hint from RH docs (also: <code>kc.sh --verbose start<\/code> for full stacktraces). 
(<a href=\"https:\/\/docs.redhat.com\/en\/documentation\/red_hat_build_of_keycloak\/22.0\/html\/migration_guide\/migrating-server?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Red Hat Docs<\/a>)<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h3 class=\"wp-block-heading\">5) <code>import<\/code><\/h3>\n\n\n\n<p>Load realms from JSON\/dir into your DB.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Common flags (run <code>--help<\/code> for your exact build):\n<ul class=\"wp-block-list\">\n<li><code>--file=\/path\/realm.json<\/code> <strong>or<\/strong> <code>--dir=\/path\/realms\/<\/code><\/li>\n\n\n\n<li><code>--realm=myrealm<\/code> (limit import to one realm inside the file\/dir)<\/li>\n\n\n\n<li>There may be options for strategy\/overwrite depending on version.<br>The official guide shows examples and the <code>import<\/code> command.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p><strong>Example<\/strong><\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-4\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">bin\/kc.sh <span class=\"hljs-keyword\">import<\/span> --dir=<span class=\"hljs-regexp\">\/opt\/<\/span>keycloak\/imports\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-4\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Note: <code>import<\/code> may not support <code>--verbose<\/code>; use logs + <code>--help<\/code>. 
(<a href=\"https:\/\/github.com\/keycloak\/keycloak\/issues\/11948?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">GitHub<\/a>)<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h3 class=\"wp-block-heading\">6) <code>export<\/code><\/h3>\n\n\n\n<p>Dump realms to files (good for backups\/migrations).<\/p>\n\n\n\n<p><strong>Examples<\/strong> (see guide for usage):<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-5\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\"><span class=\"hljs-comment\"># export all realms to a directory<\/span>\nbin\/kc.sh export --dir=\/<span class=\"hljs-keyword\">var<\/span>\/backups\/keycloak-realms\n\n<span class=\"hljs-comment\"># export a single realm to file<\/span>\nbin\/kc.sh export --realm=myrealm --file=\/<span class=\"hljs-keyword\">var<\/span>\/backups\/myrealm.json\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-5\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>(Export\/import commands are described alongside start\/build in the CLI guide page.)<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h3 class=\"wp-block-heading\">7) <code>bootstrap-admin<\/code><\/h3>\n\n\n\n<p>Create\/recover the admin account offline. 
Handy if you didn\u2019t set <code>KC_BOOTSTRAP_ADMIN_USERNAME\/PASSWORD<\/code> before first start, or you lost admin access.<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-6\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">bin\/kc.sh bootstrap-admin --user admin --password <span class=\"hljs-string\">'Str0ngP@ss!'<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-6\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>Full details &amp; recovery flow: (<a href=\"https:\/\/docs.redhat.com\/en\/documentation\/red_hat_build_of_keycloak\/22.0\/html\/server_guide\/configuration-?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Red Hat Docs<\/a>)<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\">A few more useful knobs (by category)<\/h2>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>For a <strong>complete, authoritative<\/strong> list, use the <strong>All configuration<\/strong> page (every property there works as CLI\/env\/file). I\u2019m just surfacing common ones here. 
(<a href=\"https:\/\/www.keycloak.org\/server\/all-config?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Keycloak<\/a>)<\/p>\n<\/blockquote>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>HTTP\/HTTPS<\/strong>: <code>--http-enabled<\/code>, <code>--http-port<\/code>, <code>--https-port<\/code>, <code>--https-certificate-file<\/code>, <code>--https-certificate-key-file<\/code>, <code>--https-trust-store<\/code>, <code>--https-protocols<\/code> (TLS versions) (<a href=\"https:\/\/docs.redhat.com\/en\/documentation\/red_hat_build_of_keycloak\/24.0\/html-single\/server_guide\/index?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Red Hat Docs<\/a>)<\/li>\n\n\n\n<li><strong>Hostname \/ proxy<\/strong>: <code>--hostname<\/code>, <code>--proxy<\/code><\/li>\n\n\n\n<li><strong>Logging<\/strong>: <code>--log-level=INFO|DEBUG|TRACE<\/code>, <code>--log<\/code> category options<\/li>\n\n\n\n<li><strong>Health\/metrics<\/strong>: <code>--health-enabled=true<\/code>, <code>--metrics-enabled=true<\/code><\/li>\n\n\n\n<li><strong>Feature toggles<\/strong>: <code>--features=...<\/code>, <code>--features-disabled=...<\/code> (<a href=\"https:\/\/www.keycloak.org\/server\/features?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Keycloak<\/a>)<\/li>\n\n\n\n<li><strong>Config file\/keystore<\/strong>: <code>--config-file<\/code>, <code>--config-keystore<\/code>, <code>--config-keystore-password<\/code>, <code>--config-keystore-type<\/code> (PKCS12\/JCEKS) (<a href=\"https:\/\/docs.redhat.com\/en\/documentation\/red_hat_build_of_keycloak\/22.0\/html\/server_guide\/configuration-?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Red Hat Docs<\/a>)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h1 class=\"wp-block-heading\">Admin CLI (<code>kcadm.sh<\/code>) \u2013 quick cookbook<\/h1>\n\n\n\n<p>Use it to automate anything you can do in the Admin Console (it talks to the Admin REST API). 
Docs &amp; examples: Server Admin Guide + Admin CLI docs. (<a href=\"https:\/\/www.keycloak.org\/docs\/latest\/server_admin\/index.html?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Keycloak<\/a>, <a href=\"https:\/\/wjw465150.gitbooks.io\/keycloak-documentation\/content\/server_admin\/topics\/admin-cli.html?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">wjw465150.gitbooks.io<\/a>)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Log in (create a session)<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-7\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">bin\/kcadm.sh config credentials \\\n  --server http:<span class=\"hljs-comment\">\/\/localhost:8080 <\/span>\\\n  --realm master \\\n  --user admin\n<span class=\"hljs-comment\"># prompts for password<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-7\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Realm CRUD<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-8\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\"><span class=\"hljs-comment\"># create a realm from JSON<\/span>\nbin\/kcadm.sh create realms -f realm.json\n\n<span class=\"hljs-comment\"># list realms<\/span>\nbin\/kcadm.sh get realms\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-8\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 
class=\"wp-block-heading\">Users<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-9\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\"><span class=\"hljs-comment\"># create a user<\/span>\nbin\/kcadm.sh create users -r myrealm -s username=alice -s enabled=<span class=\"hljs-keyword\">true<\/span>\n\n<span class=\"hljs-comment\"># set a password<\/span>\nUSER_ID=$(bin\/kcadm.sh get users -r myrealm -q username=alice --fields id | jq -r <span class=\"hljs-string\">'.&#91;0].id'<\/span>)\nbin\/kcadm.sh set-password -r myrealm --userid <span class=\"hljs-string\">\"$USER_ID\"<\/span> --<span class=\"hljs-keyword\">new<\/span>-password <span class=\"hljs-string\">'Sup3rSecret!'<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-9\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Clients<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-10\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\"><span class=\"hljs-comment\"># create a client<\/span>\nbin\/kcadm.sh create clients -r myrealm \\\n  -s clientId=my-app \\\n  -s publicClient=<span class=\"hljs-keyword\">false<\/span> \\\n  -s protocol=openid-connect \\\n  -s <span class=\"hljs-string\">'redirectUris=&#91;\"https:\/\/app.example.com\/*\"]'<\/span>\n\n<span class=\"hljs-comment\"># get client details<\/span>\nbin\/kcadm.sh get clients -r myrealm -q clientId=my-app\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-10\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span 
class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>(There are many resources: realms, users, groups, roles, clients, idps\u2026 <code>kcadm.sh help<\/code> shows usage; the REST model matches the Admin REST API.) (<a href=\"https:\/\/www.keycloak.org\/docs\/latest\/server_admin\/index.html?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Keycloak<\/a>)<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h1 class=\"wp-block-heading\">Client Registration CLI (<code>kcreg.sh<\/code>) \u2013 quick cookbook<\/h1>\n\n\n\n<p>Use it to <strong>self-register clients<\/strong> via the Client Registration endpoints. Great for CI when apps need to provision themselves. Docs &amp; patterns: client registration guide. (<a href=\"https:\/\/www.keycloak.org\/securing-apps\/client-registration?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Keycloak<\/a>)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Configure credentials once<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-11\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">bin\/kcreg.sh config credentials \\\n  --server http:<span class=\"hljs-comment\">\/\/localhost:8080 <\/span>\\\n  --realm myrealm \\\n  --user admin\n<span class=\"hljs-comment\"># prompts for password<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-11\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Create a client<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-12\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs 
language-javascript\">bin\/kcreg.sh create \\\n  -s clientId=my_client \\\n  -s publicClient=<span class=\"hljs-literal\">false<\/span> \\\n  -s <span class=\"hljs-string\">'redirectUris=&#91;\"https:\/\/app.example.com\/*\"]'<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-12\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Read \/ update \/ delete<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-13\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">bin\/kcreg.sh <span class=\"hljs-keyword\">get<\/span> my_client\nbin\/kcreg.sh <span class=\"hljs-keyword\">get<\/span> my_client &gt; my_client.json\njq '.standardFlowEnabled=true' my_client.json &gt; my_client2.json\nbin\/kcreg.sh update my_client -f my_client2.json\nbin\/kcreg.sh delete my_client\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-13\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>(You can also output <code>-e install<\/code> to generate adapter config.) 
(<a href=\"https:\/\/www.keycloak.org\/docs\/25.0.6\/securing_apps\/index.html?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Keycloak<\/a>)<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h1 class=\"wp-block-heading\">A few \u201cput-it-all-together\u201d scenarios<\/h1>\n\n\n\n<h3 class=\"wp-block-heading\">A) Your LAMPP\/MariaDB (UNIX socket) dev setup<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-14\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\"><span class=\"hljs-keyword\">export<\/span> KC_DB=mariadb\n<span class=\"hljs-keyword\">export<\/span> KC_DB_URL=<span class=\"hljs-string\">'jdbc:mariadb:\/\/localhost:3306\/keycloak_db?localSocket=\/opt\/lampp\/var\/mysql\/mysql.sock'<\/span>\n<span class=\"hljs-keyword\">export<\/span> KC_DB_USERNAME=<span class=\"hljs-string\">'root'<\/span>\n<span class=\"hljs-keyword\">export<\/span> KC_DB_PASSWORD=<span class=\"hljs-string\">'your-password'<\/span>\nbin\/kc.sh start-dev\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-14\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>(Uses MariaDB Connector\/J\u2019s <code>localSocket<\/code> property). 
(<a href=\"https:\/\/github.com\/microsoft\/mariadb-connector-j\/blob\/master\/documentation\/use-mariadb-connector-j-driver.creole?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">GitHub<\/a>)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">B) Build once, start optimized in prod<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-15\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\"><span class=\"hljs-comment\"># one-time build<\/span>\nbin\/kc.sh build --db=mariadb --features=token-exchange\n\n<span class=\"hljs-comment\"># fast starts afterwards<\/span>\nbin\/kc.sh start --optimized \\\n  --hostname=auth.example.com \\\n  --https-port=<span class=\"hljs-number\">8443<\/span> \\\n  --https-certificate-file=\/etc\/ssl\/certs\/fullchain.pem \\\n  --https-certificate-key-file=\/etc\/ssl\/<span class=\"hljs-keyword\">private<\/span>\/privkey.pem\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-15\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>(<a href=\"https:\/\/docs.redhat.com\/en\/documentation\/red_hat_build_of_keycloak\/22.0\/html\/server_guide\/configuration-?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Red Hat Docs<\/a>, <a href=\"https:\/\/www.keycloak.org\/server\/features?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Keycloak<\/a>)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">C) Export \/ Import realms<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-16\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\"><span class=\"hljs-comment\"># export everything<\/span>\nbin\/kc.sh export --dir=\/<span 
class=\"hljs-keyword\">var<\/span>\/backups\/kc-$(date +%F)\n\n<span class=\"hljs-comment\"># import later (e.g., into a new server)<\/span>\nbin\/kc.sh import --dir=\/<span class=\"hljs-keyword\">var<\/span>\/backups\/kc<span class=\"hljs-number\">-2025<\/span><span class=\"hljs-number\">-08<\/span><span class=\"hljs-number\">-22<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-16\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\">Where to find <strong>every single<\/strong> option<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>All configuration<\/strong> \u2014 authoritative list of <strong>every<\/strong> property\/flag (runtime &amp; build). If it\u2019s not on this page, it doesn\u2019t exist. Use it as your \u201ccomplete options\u201d reference. (<a href=\"https:\/\/www.keycloak.org\/server\/all-config?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Keycloak<\/a>)<\/li>\n\n\n\n<li><strong>Configuring Keycloak<\/strong> \u2014 how config sources &amp; formats work; examples of <code>--config-file<\/code>, keystores, etc. (<a href=\"https:\/\/www.keycloak.org\/server\/configuration?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Keycloak<\/a>, <a href=\"https:\/\/docs.redhat.com\/en\/documentation\/red_hat_build_of_keycloak\/22.0\/html\/server_guide\/configuration-?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Red Hat Docs<\/a>)<\/li>\n\n\n\n<li><strong>Enabling\/disabling features<\/strong> \u2014 how <code>--features<\/code> \/ <code>--features-disabled<\/code> behave and examples. 
(<a href=\"https:\/\/www.keycloak.org\/server\/features?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Keycloak<\/a>)<\/li>\n\n\n\n<li><strong>Start from the command line<\/strong> \u2014 shows the <code>start<\/code>, <code>start-dev<\/code>, <code>build<\/code>, <code>show-config<\/code>, <code>import<\/code>, <code>export<\/code>, <code>help<\/code> commands in one place.<\/li>\n\n\n\n<li><strong>Bootstrap admin<\/strong> \u2014 creating\/recovering the admin account. (<a href=\"https:\/\/docs.redhat.com\/en\/documentation\/red_hat_build_of_keycloak\/22.0\/html\/server_guide\/configuration-?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Red Hat Docs<\/a>)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Here\u2019s a clean, up-to-date, \u201ceverything you need\u201d CLI guide you can keep nearby. I\u2019ll cover: I\u2019m using Keycloak 26.x syntax (matches the 26.3.x you\u2019re running). 
kc.sh \u2014 Keycloak server CLI&#8230; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[2],"tags":[],"class_list":["post-51795","post","type-post","status-publish","format-standard","hentry","category-uncategorised"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/51795","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=51795"}],"version-history":[{"count":2,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/51795\/revisions"}],"predecessor-version":[{"id":59468,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/51795\/revisions\/59468"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=51795"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=51795"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=51795"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}