Client Authorization always returns 403 using postman/curl

Hi I’m new to Keycloak,
I’m playing with authorization of client setup, so I spinned up a springboot app and setup some permissions and policies using admin console. Everything works fine using web browser with login.
Until I tried test using postman, that my request to any path of the backend service gives me 403.
My test is simple, grab access_token from the token endpoint

curl --location --request POST '
http://localhost:8080/realms/shawn/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=shawn' \
--data-urlencode 'password=123123123' \
--data-urlencode 'client_id=project-manager' \
--data-urlencode 'client_secret=vzHd5Rxahe8Z2B8AdgBBUVFteLHDANIc'

here’s my keycloak adapter properties

keycloak.realm = shawn
keycloak.auth-server-url =
keycloak.ssl-required = external
keycloak.resource = project-manager
keycloak.credentials.secret = 0tMmbJ156k1YHlYbeeTeaYk6aNrm88Hh

# Define authorization rules[0].authRoles[0]=Operator[0].authRoles[1]=Admin[0].securityCollections[0].patterns[0]=/resource1/*[0].securityCollections[0].patterns[1]=/resource2/*[0].securityCollections[1].patterns[0]=/resource2/*


any help would be much appreciated