Generate one time access token for external application users


We want to generate a one time access token with custom time validation to be able to register anonymous users in the app without the need of creating accounts (if possible)

Example: Registered user with admin privileges invites an external user to use the application. The external user receives an email with a link to access the app with restricted access and transferring some information in the access token (name, user_id, host_id…) and with a time validation of 7 days.
When the user access the token within the valid time period it will access the app without logging in (not filling a form) and able to perform some actions inside the app. When finished the link will be invalidated.


Configured Keycloack authentication with an application using OpenID Connect Code flow.


Some options have been studied with Keycloack but none of them allows to transfer information from the external user to the application and be able to generate one time access token with flexible time validation is problematic. Is there a way to achieve this with Keycloack?

Action tokens

Create custom action token with custom fields. Whenever an invitation is sent, creates user account in Keycloack and execute custom action token.


  • Need to create account for external user when we want some kind of “anonymous access”
  • How the user info can be transferred to the application?

Token Exchange

Generate access token for external user impersonating a user with limited privileges inside the app.


  • How the user info can be transferred to the application?
  • How we manage the token time validation and invalidate the token when the operation is completed?

Don’t use Keycloack

Don’t use Keycloack and manage this kind of flows inside the application (JWT tokens?)