Is it needed / helpful to hide specific endpoints in production?

I’m running a single Keycloak instance on k3s.io. Currently, the routing is configured so that /auth/ directs to the Keycloak instance.

Therefore, I have some general questions for production setups:

  • Is it risky that the master realm is accessible externally?
  • Is there a list of endpoints that should not be exposed externally?
  • Any other critical settings that should be considered?

Thank you very much!