The Keycloak mistake that 90% of all developers do (and how to avoid it)

You deploy Keycloak and everything works, or so you think. But there is a problem that almost everyone misses. Keycloak deliberately makes life easy for developers: by default, it puts a lot of information into your access tokens, such as roles, claims and metadata. At first this feels good because everything "just works."

But this convenience comes with a price:
🚨 Your tokens contain more data than necessary.
🚨 Recipients receive information they don't need or shouldn't know.
🚨 Data protection principles are not optimally implemented.
🚨 HTTP requests can fail due to tokens that are too large.

In this talk, you will learn:
✅ Why Keycloak reveals "too much of a good thing" by default
✅ Which token contents are really necessary (and which are not)
✅ How to implement data minimization through targeted configuration
✅ Practical settings and strategies for lean and secure tokens

The result:
Data protection-compliant tokens that contain exactly what the recipient needs—no more, no less. Security by design instead of by chance.
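The following Python script is an added example that is not part of this session or the speaker's material. It shows the kind of check a token recipient can run to see the problem the abstract describes: it decodes a constructed, Keycloak-shaped access token (using Keycloak's real default claim layout with `realm_access` and `resource_access`), lists every top-level claim that a hypothetical `orders-api` does not need, counts the roles carried, and flags when the `Authorization` header would exceed an assumed 8192-byte budget. The allowlist `NEEDED_BY_ORDERS_API`, the budget and all token values are assumptions; `minimal_payload` only models the target shape, since in Keycloak the actual trimming is done through client scope and protocol mapper configuration.

```python
import base64
import json

# Hypothetical recipient: an "orders-api" that needs identity, audience,
# lifetime and its own client roles. Everything else is surplus for it.
NEEDED_BY_ORDERS_API = {
    "iss", "sub", "aud", "exp", "iat", "typ", "azp", "scope", "resource_access",
}

# Constructed sample payload shaped like a Keycloak access token.
# All values are made up; this is not a token from any real realm.
SAMPLE_PAYLOAD = {
    "exp": 1700000300,
    "iat": 1700000000,
    "iss": "https://idp.example.test/realms/demo",
    "aud": ["orders-api", "account"],
    "sub": "0f7e2c1a-0000-4000-8000-000000000000",
    "typ": "Bearer",
    "azp": "orders-web",
    "sid": "5d2b9e00-0000-4000-8000-000000000000",
    "scope": "openid profile email",
    "realm_access": {
        "roles": ["offline_access", "uma_authorization", "default-roles-demo", "orders:read"]
    },
    "resource_access": {
        "account": {"roles": ["manage-account", "view-profile"]},
        "orders-api": {"roles": ["orders:read"]},
    },
    "email_verified": True,
    "name": "Ada Example",
    "preferred_username": "ada",
    "given_name": "Ada",
    "family_name": "Example",
    "email": "ada@example.test",
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_unsigned_jwt(payload: dict) -> str:
    """Build a JWT-shaped string for offline inspection only. The signature
    segment is a placeholder, so this token would (and should) fail verification."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-example"}
    head = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{head}.{body}.{_b64url_encode(b'placeholder-signature')}"


def decode_payload(token: str) -> dict:
    """Decode the payload segment without verifying the signature. Fine for an
    audit; a resource server must verify the token before trusting any claim."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def count_roles(payload: dict) -> int:
    # Keycloak places realm roles in realm_access.roles and client roles
    # in resource_access.<client>.roles.
    realm = payload.get("realm_access", {}).get("roles", [])
    client = sum(len(c.get("roles", [])) for c in payload.get("resource_access", {}).values())
    return len(realm) + client


def audit_token(token: str, needed_claims: set, header_budget: int = 8192) -> dict:
    """Report which claims the recipient gets but does not need, and whether the
    Authorization header would exceed a byte budget. 8192 is an assumed value;
    the real limit depends on the proxies and servers in front of the API."""
    payload = decode_payload(token)
    header_bytes = len(f"Authorization: Bearer {token}".encode())
    return {
        "header_bytes": header_bytes,
        "over_budget": header_bytes > header_budget,
        "role_count": count_roles(payload),
        "unneeded_claims": sorted(k for k in payload if k not in needed_claims),
    }


def minimal_payload(payload: dict, needed_claims: set) -> dict:
    """The shape the token should have if only needed claims were mapped."""
    return {k: v for k, v in payload.items() if k in needed_claims}


def with_generated_realm_roles(payload: dict, n: int) -> dict:
    """Simulate a user who has accumulated many realm roles; by default all of
    them land in realm_access.roles and inflate the token."""
    bloated = json.loads(json.dumps(payload))
    bloated["realm_access"] = {"roles": [f"generated-role-{i:04d}" for i in range(n)]}
    return bloated


if __name__ == "__main__":
    fat = encode_unsigned_jwt(SAMPLE_PAYLOAD)
    print("default token:", audit_token(fat, NEEDED_BY_ORDERS_API))
    lean = encode_unsigned_jwt(minimal_payload(SAMPLE_PAYLOAD, NEEDED_BY_ORDERS_API))
    print("minimized token:", audit_token(lean, NEEDED_BY_ORDERS_API))
    huge = encode_unsigned_jwt(with_generated_realm_roles(SAMPLE_PAYLOAD, 400))
    print("role-bloated token:", audit_token(huge, NEEDED_BY_ORDERS_API))
```

Running the script shows three states: the default-shaped token hands `orders-api` eight claims it never uses (profile data, the session id and all realm roles), the minimized token carries only the three client roles and nothing surplus, and the token of a user with a few hundred realm roles pushes the header past the budget, which is the request failure the abstract warns about.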

Niko Köbler

Keycloak Expert

Darmstadt, Germany
