Creating API token for server-to-server requests

Hello everyone,

we’re evaluating keycloak among other solutions and while the browser/app flow when the user has to login is quite clear, I’m trying to understand if it allows to generate API tokens for server-to-server requests.

What I think would be great is do what AWS does to have users sign ther requests:

  • have public/private tokens per user (even multiple ones)
  • token don’t have an expiration
  • requests can be be signed so can be generated on a server and used by anonymous users in a browser

I don’t think from my low knowledge of OpenID/Oauth that those can provide such approach for API calls. So my question is, can keycloak support such scenario? What’s the OpenID/Oauth way of dealing with server-to-server API calls?


Mentioned AWS key is not intended for server-to-server requests - you are still working with user (not machine) identity, so it isn’t good example.

OIDC provides Client Credentials flow, which you can use for server-to-server communication. It gives you service account identity and it is still standard OIDC token (= stateless verification, expiration, …).

Thanks for helping, so if I want to give an user an API key+secret I have to programmatically create a client and give him the client/secret to make API calls? Don’t do they still have to go through the authorization server (I’m just looking online at the OIDC flow)?

By server-to-server I mean API request on behalf of an user, sorry if I used the wrong words, in that case, is there a better approach?