Sep 13, 2017
I’m trying to understand. I have a SPA, a Keycloak server, and an API server. If the SPA can authenticate with Keycloak directly, does it mean that the token obtained from Keycloak will then have to be verified by the API server beforehand? Otherwise, how do we protect the API server?
So in this case, how many clients are there? One client ID for the SPA, another client ID for the API server?
Sorry, still trying to comprehend the flow.
Update: this provides some clues: https://github.com/ohmage/server/wiki/Keycloak-Integration