Do I need one or two clients for my SPA with Quarkus REST Backend? If so, how do I configure Keycloak?

I have a SPA (Vue.js) that communicates via REST with a Quarkus Resource API. I am using my own Keycloak for Authentication/Authorization.

I would like to protect my REST Endpoints with Roles so that only an admin can call my /admin endpoint.
I would also like to debug my backend application with Postman.

I have two clients (frontend & backend) in Keycloak in order to achieve this:


Client ID: frontend-client:
Access Type: public,
Standard Flow enabled

Client ID: backend-client:
Access Type: confidential,
Service Accounts Enabled

Now my question: Do I really need two clients in KC? It seems to work just fine like this.
The client is authenticated by the frontend-client and then sends the obtained token to my API (which knows the URL to my Keycloak).

Following this guide I tried with a confidential client and a secret, but I don’t see the point of doing so :thinking:

Any help is appreciated.
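
An added example, not part of the original post and not Quarkus or Keycloak code: when debugging the /admin call from Postman, it helps to look at what the token obtained through frontend-client actually carries and to see the checks a resource server applies to those claims after it has verified the signature. The issuer URL, the sample token, the helper names and the choice to pin `azp` to frontend-client are assumptions of this sketch; `iss`, `exp`, `azp` and `realm_access.roles` are claims found in Keycloak access tokens.

```python
import base64
import json

ISSUER = "https://keycloak.example/realms/demo"  # assumed realm URL (placeholder)
EXPECTED_AZP = "frontend-client"                 # public client named in the post
REQUIRED_ROLE = "admin"                          # role guarding /admin

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims_unverified(token: str) -> dict:
    """Read a JWT payload for debugging only; the signature is NOT checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def admin_decision(claims: dict, now: float) -> tuple:
    """Claim checks applied to a token whose signature was already verified."""
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired"
    if claims.get("azp") != EXPECTED_AZP:
        return False, "token issued to unexpected client"
    realm = claims.get("realm_access")
    roles = realm.get("roles", []) if isinstance(realm, dict) else []
    if REQUIRED_ROLE not in roles:
        return False, "missing role"
    return True, "ok"

def make_sample_token(roles, azp=EXPECTED_AZP, exp=2_000_000_000) -> str:
    """Constructed sample token; the third segment is a dummy, not a signature."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps({"iss": ISSUER, "azp": azp, "exp": exp,
                              "realm_access": {"roles": roles}}).encode())
    return f"{header}.{body}.c2ln"

if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the output is reproducible
    for roles in (["admin", "user"], ["user"]):
        token = make_sample_token(roles)
        print(roles, admin_decision(decode_claims_unverified(token), now))
```

The decode step is for inspection only; the access decision belongs to the backend's OIDC layer, which validates the signature against the realm's keys before any claim is trusted.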