What can be considered public API


we’ve got a migration project running here and are building an adapter that adapts an old proprietary api to oauth2. None of the existing java adapters does what we need for our use case. We now want to decide between 2 options

  • Use libraries and custom code to obtain and verify tokens (manual call to token endpoint with direct grant and something like jose4j to verify the tokens)
  • Use keycloak code to obtain and verify tokens

Now for the latter we would instantiate (via the builder) and use org.keycloak.adapters.KeycloakDeployment . We would also use org.keycloak.adapters.rotation.AdapterTokenVerifier .

Can those 2 classes be considered public api or should we keep our dirty long fingers off those?