{"name":"Keycloak","slug":"keycloak","category":"auth","type":"self-hosted","website":"https://keycloak.org","pricing":"open-source","pricing_tiers":["Free (self-hosted)","Red Hat SSO (commercial support)"],"open_source":true,"self_hosted":true,"sdk_languages":["javascript","java","python","go"],"frameworks":[],"agent_features":{"agent_sdk":false,"token_delegation":true,"human_in_the_loop":false,"fga":false,"mcp_support":null,"async_authorization":false},"compliance":["gdpr"],"best_for":"Enterprise on-prem identity; legacy system integration; organizations standardized on Red Hat / Java stacks","limitations":"No agent SDK, no FGA, no human-in-the-loop; UI and developer experience are dated; heavy Java-based deployment","verified_by":"editorial","last_verified":"2026-04-17","source_urls":{"changelog":"https://www.keycloak.org/docs/latest/release_notes/index.html","pricing":"https://www.keycloak.org","docs":"https://www.keycloak.org/documentation"},"feature_labels":{"agent_sdk":"Dedicated SDK for agentic workflows — agent sessions, token lifecycle, and authorization requests","token_delegation":"Issue scoped tokens an agent can use downstream without exposing user credentials","human_in_the_loop":"Pause agent execution and require explicit user approval before proceeding","fga":"Fine-Grained Authorization — relationship-based or attribute-based access control, not just role-based","mcp_support":"Native OAuth/OIDC authorization layer for Model Context Protocol servers","async_authorization":"Non-blocking approval workflows — agent continues and gets notified when approval is granted"},"comparisons":[{"slug":"auth0-vs-keycloak","title":"Auth0 vs Keycloak","vs":"auth0"},{"slug":"clerk-vs-keycloak","title":"Clerk vs Keycloak","vs":"clerk"},{"slug":"cognito-vs-keycloak","title":"Amazon Cognito vs Keycloak","vs":"cognito"},{"slug":"descope-vs-keycloak","title":"Descope vs Keycloak","vs":"descope"},{"slug":"firebase-auth-vs-keycloak","title":"Firebase Auth vs 
Keycloak","vs":"firebase-auth"},{"slug":"keycloak-vs-ory","title":"Keycloak vs Ory","vs":"ory"},{"slug":"keycloak-vs-stytch","title":"Keycloak vs Stytch","vs":"stytch"},{"slug":"keycloak-vs-supabase-auth","title":"Keycloak vs Supabase Auth","vs":"supabase-auth"},{"slug":"keycloak-vs-workos","title":"Keycloak vs WorkOS","vs":"workos"}],"body":"# Keycloak\n\nKeycloak is the default choice for organizations that need self-hosted identity and are already in the Red Hat or Java enterprise ecosystem. It's been around since 2013 and has broad adoption in financial services, healthcare, and government sectors.\n\nIn enterprise on-prem environments where Keycloak is the existing identity provider, AI agents can use standard OAuth 2.0/OIDC flows to authenticate and obtain tokens. Token delegation (via Token Exchange) is supported.\n\nThe honest assessment for agentic development: Keycloak was not designed with AI agents in mind. There's no agent SDK, no FGA, no human-in-the-loop primitives, and the developer experience involves significantly more friction than modern alternatives. It earns its place on this list because it's unavoidable in many enterprise environments — not because it's the best choice for new agent projects.\n\n**Agent-specific features:**\n- OAuth 2.0 / OIDC token issuance for agent authentication\n- Token Exchange (RFC 8693) for delegation flows\n- Standard M2M client credentials flow\n- Admin REST API for programmatic management"}