GET /admin/api/{realmName}/clients/v2?q=<filter-expression>
| This feature is experimental and may introduce breaking changes in future versions of Keycloak. Do not use this feature in production environments. |
The Admin API v2 supports filtering clients using the q query parameter.
The filter syntax is a subset of the SCIM filter syntax defined in RFC 7644, Section 3.4.2.2. All string comparisons are case-sensitive.
GET /admin/api/{realmName}/clients/v2?q=<filter-expression>
String values must be enclosed in double quotes. Boolean values are unquoted.
GET /admin/api/{realmName}/clients/v2?q=clientId eq "my-app"
GET /admin/api/{realmName}/clients/v2?q=enabled eq true
The following comparison operators are supported for client filtering:
| Operator | Meaning | Example |
|---|---|---|
|
Equal |
|
|
Not equal |
|
|
Contains (substring) |
|
|
Starts with |
|
|
Ends with |
|
|
Present (field is not null) |
|
Logical operators (and, or, not) and parentheses for grouping are supported.
For the full syntax reference, including operator precedence and detailed examples, see the SCIM filtering guide in the Server Administration Guide.
|
The |
Only registered fields can be used in filter expressions. Using an unknown field returns HTTP 400, unlike the SCIM API which silently ignores unrecognized attributes.
| Field | Type | Description |
|---|---|---|
|
String |
Discriminator. Allowed values: |
|
String |
UUID generated by the server |
|
Boolean |
Whether this client is enabled |
|
String |
ID uniquely identifying this client |
|
String |
Human readable description of the client |
|
String |
Human readable name of the client |
|
String |
URL to the application’s homepage that is represented by this client |
|
Set<String> |
URIs that the browser can redirect to after login |
|
Set<String> |
Roles associated with this client |
|
Integer |
Timestamp when the client was created |
|
Integer |
Timestamp when the client was last updated |
These fields are available only for openid-connect clients.
They resolve to null for SAML clients, so value-based comparisons like eq, co, or sw will not match.
However, eq null and not … pr will match because the field is genuinely absent.
| Field | Type | Description |
|---|---|---|
|
Set<String> |
Login flows that are enabled for this client |
|
String |
Client authentication method (e.g. |
|
Set<String> |
Web origins that are allowed to make requests to this client |
|
Set<String> |
Roles assigned to the service account |
These fields are available only for saml clients.
They resolve to null for OIDC clients, so value-based comparisons like eq, co, or sw will not match.
However, eq null and not … pr will match because the field is genuinely absent.
| Field | Type | Description |
|---|---|---|
|
String |
Name ID format to use for the subject |
|
Boolean |
Force the specified Name ID format even if the client requests a different one |
|
Boolean |
Include AuthnStatement in the SAML response |
|
Boolean |
Sign SAML documents on the server side |
|
Boolean |
Sign SAML assertions |
|
Boolean |
Require client to sign SAML requests |
|
String |
Signature algorithm for signing SAML documents |
|
String |
Canonicalization method for XML signatures |
|
String |
X.509 certificate for signing (PEM format, without headers) |
|
Boolean |
Force POST binding for SAML responses |
|
Boolean |
Use front-channel logout (browser redirect) |
|
Boolean |
Allow ECP (Enhanced Client or Proxy) flow |
For fields that hold a collection of values (redirectUris, roles, loginFlows, webOrigins, serviceAccountRoles), the eq, co, sw, and ew operators match if any element in the collection satisfies the condition:
roles eq "admin" - matches clients that have a role named admin
redirectUris co "example.com" - matches clients with any redirect URI containing example.com
loginFlows eq "SERVICE_ACCOUNT" - matches OIDC clients with the service account flow enabled
The ne operator is the logical negation of eq: it matches if no element in the collection equals the value.
For example, roles ne "admin" matches clients that do not have a role named admin.
To match clients that have multiple values, combine conditions with and:
q=roles eq "admin" and roles eq "user"
Find all enabled OIDC clients:
GET /admin/api/{realmName}/clients/v2?q=protocol eq "openid-connect" and enabled eq true
Find clients with a description:
GET /admin/api/{realmName}/clients/v2?q=description pr
Find OIDC clients using client-secret authentication:
GET /admin/api/{realmName}/clients/v2?q=auth.method eq "client-secret"
Find SAML clients with document signing enabled:
GET /admin/api/{realmName}/clients/v2?q=signDocuments eq true
Find clients by display name prefix, excluding a specific protocol:
GET /admin/api/{realmName}/clients/v2?q=displayName sw "My" and protocol ne "saml"
Use the fields query parameter to include only specific fields in the response.
If omitted, all fields are returned.
GET /admin/api/{realmName}/clients/v2?fields=clientId,enabled,protocol
Filtering and projection can be combined. The filter evaluates against the full representation before projection is applied, so filtered fields do not need to be included in the projection:
GET /admin/api/{realmName}/clients/v2?q=enabled eq true&fields=clientId,displayName