Enable Authorization Services on the Keycloak client; create resource types, resource instances, and scopes in the Authorization tab of the client configuration
Define policies (role-based, attribute-based, JavaScript, or composite) and create permissions linking resources/scopes to policies in the Keycloak Authorization Services UI or via the Protection API
From the resource server, use the Keycloak Policy Enforcer (keycloak-policy-enforcer adapter or equivalent) to intercept requests and call the token introspection/RPT endpoint
To evaluate permissions programmatically, POST to /realms/{realm}/protocol/openid-connect/token with grant_type urn:ietf:params:oauth:grant-type:uma-ticket, audience (client_id), and the permission claim ({resource}#{scope})
The AS returns an RPT (Requesting Party Token) — a JWT containing the permissions grant; verify the RPT locally by checking its permissions array for the requested resource and scope
Use the Policy Evaluation UI (Realm > Clients > Authorization > Evaluate) for debugging; it shows which policies matched, which permissions were granted, and the evaluation decision
Known gotchas
The UMA ticket grant requires the client to be configured as a resource server with Authorization Services enabled — using a plain OIDC client will return an error on the ticket grant
Keycloak's JavaScript policies are evaluated server-side using GraalVM; subtle differences in JS engine behavior from browser JS can cause unexpected evaluation results — test policies in the Evaluate UI before deploying
Resource URIs used in permissions must match the URIs stored in Keycloak resources exactly; prefix-based matching is not automatic — use wildcards in the resource URI if you need path-prefix matching
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp