List User Permissions via Rest API

Hello, I’m new to keycloak.
I’have configured my realm and my client with some users that have a role with some permissions coupled.

I need, after user authentication (that I do correctly), to retrive via rest api the list of permissions associated to this user (via it’s role) to be able to develop the user interface of my webapp. (to show some menu functionality or not)

I’m reading the api documentation but I’have not found the right service yet.

Can you help me?
Thanks in advance.

Contemporary applications use OpenID Connect (OIDC) for authentication and OAuth 2.0 (scopes and claims) for authorization.

See: Angular, OAuth 2.0 and Keycloak

1 Like

Hello, I’m having the same issue, have you found a solution for this?

Yes, you have to consume this service: “…/protocol/openid-connect/token/introspect” that accept in input your authorization token. It’s return all the information you need.
More information in “Robinyo” response.

@martinor @Robinyo
I’m having some doubts, I did what @martinor said, called the introspect api but there is still not a list of permissions. I’m only having roles.

this is the response

"exp": 1594825689,

"iat": 1594825389,

"jti": "0e512591-0a52-4f53-8415-c7e511a9d500",

"iss": "http://localhost:8180/auth/realms/hello-world-authz",

"aud": "account",

"sub": "d200e07e-4ca4-4ddb-8a76-5b2f22c16415",

"typ": "Bearer",

"azp": "vanilla",

"session_state": "e47dd513-5739-4ca6-86d7-f537bd5a2bd4",

"name": "Beck Beckenbauer",

"given_name": "Beck",

"family_name": "Beckenbauer",

"preferred_username": "beck",

"email": "",

"email_verified": false,

"acr": "1",

"allowed-origins": [



"realm_access": {

    "roles": [

        "alice account role"



"resource_access": {

    "account": {

        "roles": [






    "vanilla": {

        "roles": [






"scope": "hello-vanilla-client-scope email profile",

"example_message": [

    "REALM_ROLE_alice account role"


"client_id": "vanilla",

"username": "beck",

"active": true


Btw, this user is assigned to two roles, those roles are related to two scopes which are related with 2 policies and 2 permissions.
But I’m not able to retrieve it.

I expect that permission to be related to client, resource and then permission…
Am I wrong??

1 Like