Auth API
The Auth API provides a single endpoint for refreshing Keycloak OIDC access tokens. It is only active when AUTH_PROVIDER=keycloak.
POST /auth/refresh
Exchange a Keycloak refresh token for a new access token and refresh token pair.
Use this endpoint when an access token has expired and you need to obtain a new one without requiring the user to re-authenticate.
Request body
```json
{
  "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5..."
}
```

| Field | Type | Required | Description |
|---|---|---|---|
| refresh_token | string | Yes | A valid Keycloak refresh token |
Response — 200 OK
```json
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5...",
  "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5...",
  "token_type": "bearer"
}
```

| Field | Description |
|---|---|
| access_token | New access token. Use as Authorization: Bearer <access_token> on all subsequent requests. |
| refresh_token | New refresh token. Replace the old one — Keycloak may rotate it. |
| token_type | Always "bearer" |
Error responses
| Status | Condition |
|---|---|
| 401 | Refresh token is expired or invalid |
| 500 | Keycloak server unreachable |
Example
```bash
# Refresh an expired token
RESPONSE=$(curl -s -X POST http://localhost:8080/auth/refresh \
  -H "Content-Type: application/json" \
  -d '{"refresh_token": "eyJhbGciOiJSUzI1NiIsInR5..."}')

# Quote $RESPONSE so the shell does not word-split or glob the JSON
ACCESS_TOKEN=$(echo "$RESPONSE" | jq -r '.access_token')
REFRESH_TOKEN=$(echo "$RESPONSE" | jq -r '.refresh_token')

# Use the new access token
curl -X POST "http://localhost:8080/event/infer/my-agent" \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"query": "Hello", "user_id": "user-1", "session_id": "session-abc"}'
```

When to use this endpoint
This endpoint is only relevant when AUTH_PROVIDER=keycloak. For api_token and jwt auth providers, tokens do not expire in the same way and this endpoint is not needed.
Typical usage pattern:
- Obtain an initial access token and refresh token from Keycloak directly (via the Keycloak login flow or client credentials grant).
- Use the access token on all Alquimia API requests.
- When a request returns 401, call POST /auth/refresh with the refresh token.
- Replace both tokens with the values from the response.
- Retry the original request with the new access token.
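
The usage pattern above as a small Python client, added here as an illustration and not taken from the Alquimia documentation or codebase. `RefreshingClient`, `RefreshFailed`, `http_send` and the injectable `send` transport are assumed names; the lock serialises refreshes so that concurrent requests never submit the same refresh token twice.

```python
import json
import threading
import urllib.error
import urllib.request


class RefreshFailed(Exception):
    """args[0] is the HTTP status: 401 = log in again, 500 = Keycloak unreachable."""


def http_send(method, url, headers, body):  # returns (status, JSON body or None)
    req = urllib.request.Request(url, json.dumps(body).encode(), headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None


class RefreshingClient:
    def __init__(self, base_url, access_token, refresh_token, send=http_send):
        self.base_url, self._send = base_url.rstrip("/"), send
        self.access_token, self.refresh_token = access_token, refresh_token
        self._lock = threading.Lock()  # one refresh at a time per token pair

    def _call(self, path, body, token=None):
        auth = {"Authorization": f"Bearer {token}"} if token else {}
        headers = {"Content-Type": "application/json", **auth}
        return self._send("POST", self.base_url + path, headers, body)

    def _refresh(self, stale_access):
        with self._lock:
            if self.access_token != stale_access:
                return  # another thread already refreshed; use its tokens
            status, data = self._call("/auth/refresh",
                                      {"refresh_token": self.refresh_token})
            if status != 200:
                raise RefreshFailed(status)
            # Replace BOTH tokens: the old refresh token may have been rotated.
            self.access_token = data["access_token"]
            self.refresh_token = data["refresh_token"]

    def post(self, path, body):
        token = self.access_token
        status, data = self._call(path, body, token)
        if status != 401:
            return status, data
        self._refresh(token)  # refresh once, retry once, never loop
        return self._call(path, body, self.access_token)
```

A second 401 after the retry is returned to the caller unchanged, and the exception carries only the status code, so no token value ends up in logs or tracebacks.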
Keycloak configuration
Set these environment variables to enable Keycloak auth:

```bash
AUTH_PROVIDER=keycloak
KEYCLOAK_SERVER_URL=https://keycloak.example.com
KEYCLOAK_REALM=my-realm
KEYCLOAK_CLIENT_ID=alquimia-runtime
KEYCLOAK_CLIENT_SECRET=<client-secret>
KEYCLOAK_ADMIN_CLIENT_SECRET=<admin-client-secret>
KEYCLOAK_CALLBACK_URI=https://runtime.example.com/auth/callback
```

See Configuration Reference for the full list of Keycloak settings.
Related pages
- Configuration Reference — AUTH_PROVIDER and Keycloak settings
- Inference Endpoints — authentication requirements for all inference endpoints