Make Every Token Smarter

Enhance the standard Keycloak access token structure with dynamic attributes—organization, roles, clearance, risk signals, or even delegated permissions. And expose them securely in introspection responses.

Enrich Token Payloads and Introspection Responses with Business Context

Why It Matters

Most applications rely on token content and introspection results for authorization decisions. However, default Keycloak tokens may lack the depth and business context required by modern IAM setups.

Keymate's Custom Token Introspector SPI enables:

  • Fine-grained enrichment of access tokens at issuance
  • Control over what's exposed during OAuth2 introspection
  • Dynamic token shaping based on session notes, external attributes, or runtime signals

Tokens That Reflect Reality

This extension allows you to inject real-time, scoped information into tokens. Key components:

  • Organizational context (org, department, unit)
  • Delegated roles or impersonation context
  • Dynamic risk scores or fraud flags
  • Fine-grained user and resource metadata
  • Conditional flags (e.g., requiresMFA, limitedAccess)

Token Enrichment and Introspection

Introspection endpoints also reflect this context securely, filtered by client and scope.

Example: Dynamically inject business context into tokens and introspection responses.

Extension Highlights — What Makes It Unique

Access Token Enrichment

Inject runtime metadata into token claims at issuance

Introspection Response Control

Customize what gets exposed in token/introspect

Session Notes Integration

Dynamically read values stored during authentication

Organization & Delegation Aware

Supports enriched fields like org-unit, temporary role, delegation initiator

Token Scoping by Audience

Include or omit fields based on client scopes or audiences

Secure & Audit-Ready

Full traceability via OpenTelemetry and audit logs

Frequently Asked Questions

  • They don't support dynamic values from session notes or external APIs. This SPI does.
  • The extension lets you define safe output boundaries per client and per scope, avoiding overexposure.
  • Yes. It reads from session notes and maps delegation metadata into tokens and introspection responses.
  • Absolutely. Enriched tokens can feed directly into policy evaluation engines like OpenFGA.

How to Use This Extension

Implementation Steps

1. Deploy the custom SPI JAR into your Keycloak installation
2. Implement a custom class for token enrichment logic
3. Configure what should be injected and under what conditions
4. Optionally customize the introspection endpoint response
5. Use Keymate Admin Console to view and audit token enrichments
6. Connect enriched tokens to downstream API, FGA, and analytics systems
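The following is an added example, not Keymate's code and not the SPI the page describes. It shows what steps 2 and 3 look like when written against Keycloak's public protocol mapper API (AbstractOIDCProtocolMapper, OIDCAttributeMapperHelper, user session notes), which any JAR deployed in step 1 can use: a value recorded in the user session during authentication (a risk score, a delegation initiator) is copied into the access token as a claim, but only for clients on a configured allow-list, so the enrichment stays scoped by audience. Because Keycloak's default introspection response reflects the claims of the access token, a claim scoped this way is also scoped in introspection; step 4, customizing the introspection response itself, is Keymate-specific and is not shown because the page does not document that API. The package name, provider id and config keys are assumptions chosen for this example.

```java
package com.example.keycloak.mappers; // hypothetical package name

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;

/**
 * Copies a user session note (for example a risk score or a delegation
 * initiator recorded by an authenticator) into the access token as a claim,
 * but only for clients named in the mapper configuration.
 */
public class SessionNoteClaimMapper extends AbstractOIDCProtocolMapper implements OIDCAccessTokenMapper {

    // Hypothetical provider id; the JAR must also list this class in
    // META-INF/services/org.keycloak.protocol.ProtocolMapper.
    public static final String PROVIDER_ID = "example-session-note-claim-mapper";

    // Mapper config keys (hypothetical names chosen for this example).
    static final String CFG_NOTE_NAME = "session.note.name";
    static final String CFG_ALLOWED_CLIENTS = "allowed.clients";

    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();

    static {
        ProviderConfigProperty note = new ProviderConfigProperty();
        note.setName(CFG_NOTE_NAME);
        note.setLabel("Session note name");
        note.setHelpText("User session note to copy into the token, e.g. risk_score");
        note.setType(ProviderConfigProperty.STRING_TYPE);
        CONFIG.add(note);

        ProviderConfigProperty clients = new ProviderConfigProperty();
        clients.setName(CFG_ALLOWED_CLIENTS);
        clients.setLabel("Allowed client IDs");
        clients.setHelpText("Comma-separated client IDs that may receive this claim; empty means none");
        clients.setType(ProviderConfigProperty.STRING_TYPE);
        CONFIG.add(clients);

        // Keycloak's standard "Token Claim Name" and "Add to access/ID token" switches.
        OIDCAttributeMapperHelper.addTokenClaimNameConfig(CONFIG);
        OIDCAttributeMapperHelper.addIncludeInTokensConfig(CONFIG, SessionNoteClaimMapper.class);
    }

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Session Note To Claim (example)"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() { return "Copies a user session note into a token claim for allow-listed clients."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    /**
     * Invoked by AbstractOIDCProtocolMapper for each token type enabled in the
     * mapper config. The client allow-list is enforced here so the note is not
     * exposed to every audience in the realm.
     */
    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel mappingModel,
                            UserSessionModel userSession, KeycloakSession session,
                            ClientSessionContext clientSessionCtx) {
        String clientId = clientSessionCtx.getClientSession().getClient().getClientId();
        if (!isAllowedClient(mappingModel.getConfig().get(CFG_ALLOWED_CLIENTS), clientId)) {
            return; // deny by default: only allow-listed clients receive the claim
        }
        String noteName = mappingModel.getConfig().get(CFG_NOTE_NAME);
        if (noteName == null || noteName.isEmpty()) {
            return;
        }
        String value = userSession.getNote(noteName);
        if (value == null) {
            return; // nothing recorded at authentication: emit no claim rather than a null
        }
        // Applies the configured claim name and JSON type, as Keycloak's built-in mappers do.
        OIDCAttributeMapperHelper.mapClaim(token, mappingModel, value);
    }

    /** Exact-match allow-list check; a blank or missing list permits no client. */
    static boolean isAllowedClient(String allowedCsv, String clientId) {
        if (allowedCsv == null || allowedCsv.trim().isEmpty() || clientId == null) {
            return false;
        }
        return Arrays.stream(allowedCsv.split(","))
                .map(String::trim)
                .anyMatch(clientId::equals);
    }
}
```

Once the JAR is deployed and Keycloak restarted, the mapper appears in the client scope's mapper list under the display type above; the admin sets the note name, the claim name and the allow-listed client IDs there. The allow-list defaults to denying every client, so a mapper added without configuration enriches nothing, which is the safer failure mode for data such as risk scores or delegation context.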

ELEVATE YOUR IAM STRATEGY

Ready to Transform Your Keycloak Experience?

Implement fine-grained authorization, multi-tenant infrastructure, and comprehensive security policies with Keymate — built on the Keycloak foundation you already trust.