Keycloak Public facing

Hello,

I am new to Keycloak. I am trying to use Keycloak to implement auth for an SPA (React) with a GraphQL API. I have a React front end performing the authentication and passing the access token to GraphQL. What I would like some direction on is that, in this pattern, Keycloak would have to be public facing. Is this the correct implementation? I see this pattern being frequently used; however, what is the best practice to secure Keycloak, in particular the admin console? I may be missing something, but it seems like the admin console is just doing a basic auth. Any information or direction would be appreciated.

Thanks
UK