Keycloak Metrics SPI Endpoint Protection

We recently got the metrics SPI installed on our development server so that our Prometheus instance can scrape from it. What immediately concerns us is that there doesn’t seem to be any way of protecting this endpoint from public access in a production environment.

Is there a way to specify the port for this SPI or make it that only an authenticated admin can access it?

Or would we have to put Keycloak behind a gateway?

Put it behind a reverse proxy (nginx) and configure authorization for that metrics endpoint on the proxy level. Don't forget that each realm has this endpoint exposed.
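The proxy-level authorization suggested in the answer, written out as an added nginx example (not configuration from the original post or from the Keycloak project). It assumes Keycloak listens on 127.0.0.1:8080 behind the proxy, that the metrics SPI publishes its data at /auth/realms/<realm>/metrics (the older path prefix; drop "/auth" on versions that serve /realms/... directly), and that the Prometheus scraper connects from 10.0.0.10. The hostname, TLS paths and htpasswd file are placeholders.

```nginx
# Added example: nginx in front of Keycloak. Only the Prometheus scraper
# (or someone with basic-auth credentials) can reach the metrics endpoint of
# ANY realm; the rest of Keycloak is proxied unchanged.
#
# Assumptions (not from the original post): Keycloak on 127.0.0.1:8080,
# metrics at /auth/realms/<realm>/metrics, scraper at 10.0.0.10.

upstream keycloak {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name sso.example.com;                 # placeholder hostname

    ssl_certificate     /etc/nginx/tls/sso.crt;  # placeholder paths
    ssl_certificate_key /etc/nginx/tls/sso.key;

    # A regex location is evaluated before the plain "/" prefix location
    # below, so this rule catches the metrics endpoint of every realm,
    # including realms created after this config was written.
    location ~ ^/auth/realms/[^/]+/metrics/?$ {
        satisfy any;                 # pass if EITHER the IP rule OR basic auth succeeds

        allow 10.0.0.10;             # the Prometheus scraper (assumed address)
        deny  all;                   # everyone else must present credentials

        auth_basic           "Keycloak metrics";
        auth_basic_user_file /etc/nginx/metrics.htpasswd;   # create with htpasswd(1)

        proxy_pass         http://keycloak;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }

    # Login pages, token endpoints, admin console: proxied without extra checks.
    location / {
        proxy_pass         http://keycloak;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}
```

Two checks are worth doing after reloading nginx: from a host other than the scraper, `curl -i https://sso.example.com/auth/realms/master/metrics` should return 401 (403 if you remove the `auth_basic` lines and rely on the IP allowlist alone), and the same request from 10.0.0.10 should return the metrics text. The proxy rule is only effective if Keycloak's own HTTP/HTTPS ports are not reachable from outside the host, so bind them to 127.0.0.1 or firewall them; otherwise the endpoint is still exposed directly, in every realm, exactly as the answer warns.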