Remove a client role from a user
keycloak_user_client_role_unassignRevoke a client-level role from a user, removing access granted by that role. Requires explicit confirmation to proceed.
Instructions
Destructive write: revokes a single client-level role (belonging to one specific client) from a user, removing the access that role grants; this is not a realm role. This action requires explicit confirmation and will not proceed unless 'confirm' is true. Use keycloak_user_client_roles_get first to see the user's current client roles; for realm-wide roles use keycloak_user_role_unassign instead. Returns a confirmation that the client role was removed, or a message explaining why it was not (for example, confirmation was declined or the user, client, or role was not found).
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| role | Yes | The name of the client role to revoke (e.g. 'manage-users'), as shown by keycloak_user_client_roles_get. This is the role name, not its ID. | |
| userId | Yes | The Keycloak user ID (the user's UUID, e.g. 'f47ac10b-58cc-4372-a567-0e02b2c3d479'), not the username. Identifies the user the client role is removed from. | |
| confirm | No | Explicit confirmation gate for this destructive removal. Must be set to true to actually revoke the client role; if omitted or false, the operation is declined and no change is made. | |
| clientId | Yes | The Keycloak client's internal ID (the client's UUID), not the human-readable clientId/client name. Identifies the client that owns the role being revoked. |