Keycloak can send back-channel requests to applications to perform administrative functions such as to log out users. This would be particularly useful for apiman in that it would allow administrators to log out a single session or all sessions in the Keycloak UI and immediately cut off API access to those users. This functionality is described here: http://keycloak.github.io/docs/userguide/keycloak-server/html_single/index.html#admin-url-configuration .