keycloak

Start Keycloak in development mode

$ kc.sh start-dev

$ kc.sh start --hostname=[auth.example.com]

$ kc.sh build

$ kc.sh export --dir [/export] --realm [myrealm]

$ kc.sh import --file [realm.json]

$ kc.sh start --help

$ kc.sh --version

kc.sh command [options]

kc.sh is the CLI for Keycloak, an open-source identity and access management solution. It manages server lifecycle, configuration, and data import/export.
Development mode (start-dev) runs with relaxed security for local testing. Production deployments use start after running build to optimize configuration. The build step creates a quarkus-based optimized distribution.
Keycloak supports SAML 2.0, OpenID Connect, OAuth 2.0, and LDAP/AD integration. It provides features like social login, user federation, fine-grained authorization, and multi-factor authentication.
The export and import commands transfer realm configurations including clients, roles, users, and authentication flows. Use these for backup, migration, or infrastructure-as-code workflows.
Configuration can be provided via command-line options, environment variables (KC_ prefix), or configuration files.

--hostname name

Public hostname for the server.

Hostname for admin console.

HTTP listen port. Default: 8080.

HTTPS listen port. Default: 8443.

Database vendor: dev-file, dev-mem, postgres, mysql, mariadb, mssql, oracle.

Full database JDBC URL.

Database username.

Database password.

Enable feature flags.

Enable health endpoints.

Enable metrics endpoint.

Proxy mode: edge, reencrypt, passthrough.

Log level: fatal, error, warn, info, debug, trace.

Display help information.

start

Start server in production mode (requires build).

Start in development mode with defaults.

Generate optimized server configuration.

Export realm data to file.

Import realm data from file.

Display current configuration.

Utility commands for completions and vault operations.

Production mode requires explicit hostname configuration and TLS setup. The build command must run before production start when configuration changes. Some options require restart. Database configuration differs significantly between development (H2) and production deployments.

Keycloak was created by Red Hat and first released in September 2014. It originated from PicketLink and became Red Hat's strategic identity solution. The project joined CNCF as an incubating project in 2023. Version 17 (2022) introduced Quarkus-based architecture replacing WildFly. Keycloak is widely deployed for enterprise SSO, API security, and user management.

authentik(1), authelia(1), vault(1)