List the active org's custom roles
Returns every role under /org-{kcOrgId}/, including the seeded admin and member built-ins (flagged with is_builtin=true). Each entry includes the resolved permission list and the count of users assigned to the role.
List the active org's custom roles › Responses
OK
assigned_countdescriptionidis_default_for_new_joinersis_systemnamepermissionsCreate a custom role
Creates a child group under /org-{kcOrgId}/ with the supplied permissions as client-role composites. Built-in names ("admin", "member") are reserved. Each permission must be in the catalog and assignable (not system-only).
Create a custom role › Responses
Created
assigned_countdescriptionidis_default_for_new_joinersis_systemnamepermissionsGet a single role by id
Returns one role's permission list + assignment count. 404 when the role belongs to a different organization (cross-tenant guard).
path Parameters
idKeycloak group UUID
Get a single role by id › Responses
OK
assigned_countdescriptionidis_default_for_new_joinersis_systemnamepermissionsUpdate a role's permissions or description
Replaces the role's composite client-role mappings with the supplied permission list. Bumps notBefore on every member of the group so the change reflects in their next refresh-token call. Built-ins cannot be modified.
path Parameters
idKeycloak group UUID
Update a role's permissions or description › Request Body
descriptionnamepermissionsUpdate a role's permissions or description › Responses
OK
assigned_countdescriptionidis_default_for_new_joinersis_systemnamepermissions