GET /api/identity/whoami

Resolve the caller's identity and roles

curl --request GET \
  --url https://api.example.com/api/identity/whoami \
  --header 'Authorization: Bearer <token>'

{
  "sub": "<string>",
  "preferred_username": "<string>",
  "email": "<string>",
  "full_name": "<string>",
  "roles": [
    "<string>"
  ],
  "client_roles": [
    "<string>"
  ]
}

Authorizations

Authorization
string
header
required

The access token received from the authorization server in the OAuth 2.0 flow.

Response

200 - application/json

Successful Response

Identity resolved by the API for the current request.

Mirrors the MCP whoami tool: echoes back the caller's identity and the auth method that matched, so clients can verify their Bearer / PSK wiring and discover their effective roles.

sub
string
required

Keycloak subject identifier of the caller.

auth_method
enum<string>
required

Which credential resolved the identity (Bearer, user PSK, general PSK).

Available options: keycloak_token, user_psk, general_psk

preferred_username
string | null

Username for user context. Equals 'psk' for the general PSK.

email
string | null

Caller's email, if known.

full_name
string | null

Caller's full name, if known.

roles
string[]

Realm roles assigned to the caller.

client_roles
string[]

Client roles assigned to the caller.
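
A client-side check built on the response described above, as an added example that is not part of the API's own documentation or code: it parses a whoami body, confirms that the credential that matched is the one the client meant to present, and flags roles outside an allow-list. The function name, the `expected_method` and `allowed_roles` policy parameters, and the sample bodies and role names are assumptions constructed for illustration.

```python
import json

# Values of the auth_method enum listed in the response schema.
AUTH_METHODS = {"keycloak_token", "user_psk", "general_psk"}
NULLABLE_STRINGS = ("preferred_username", "email", "full_name")
ROLE_LISTS = ("roles", "client_roles")


def check_whoami(body, expected_method, allowed_roles):
    """Return findings for one whoami body; an empty list means it passed.

    expected_method / allowed_roles are the client's own policy (assumed here).
    """
    doc = json.loads(body)
    if not isinstance(doc, dict):
        return ["response is not a JSON object"]
    findings = []
    if not isinstance(doc.get("sub"), str) or not doc["sub"]:
        findings.append("missing required field: sub")
    method = doc.get("auth_method")
    if not isinstance(method, str) or method not in AUTH_METHODS:
        findings.append(f"missing or unknown auth_method: {method!r}")
    elif method != expected_method:
        # Wiring check: a different credential matched than the one intended.
        findings.append(f"authenticated via {method}, expected {expected_method}")
    for name in NULLABLE_STRINGS:
        if doc.get(name) is not None and not isinstance(doc[name], str):
            findings.append(f"{name} must be a string or null")
    if method == "general_psk" and doc.get("preferred_username") != "psk":
        findings.append("general_psk should report preferred_username 'psk'")
    # Effective roles should stay within what this client is meant to hold.
    for name in ROLE_LISTS:
        values = doc.get(name, [])
        if not isinstance(values, list) or not all(isinstance(v, str) for v in values):
            findings.append(f"{name} must be a list of strings")
            continue
        extra = sorted(set(values) - set(allowed_roles))
        if extra:
            findings.append(f"{name} contains values outside the allow-list: {extra}")
    return findings


# Constructed sample bodies (not captured from a real deployment).
SAMPLE_OK = ('{"sub": "constructed-user-subject", "auth_method": "keycloak_token", '
             '"preferred_username": "alice", "email": null, "full_name": null, '
             '"roles": ["viewer"], "client_roles": []}')
SAMPLE_FALLBACK = ('{"sub": "constructed-psk-subject", "auth_method": "general_psk", '
                   '"preferred_username": "psk", "email": null, "full_name": null, '
                   '"roles": ["viewer", "admin"], "client_roles": []}')
```

Running this once at client start-up and failing closed on any finding catches a dropped Bearer header or an over-broad role assignment before the client makes other calls.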