Every new product I've shipped starts the same way: "We just need login, right?" Two weeks later we're knee-deep in password resets, refresh tokens, org invites, and role checks sprinkled across five services. I got tired of rediscovering the same traps, so I wrote down the exact Keycloak setup I now copy into every multi-tenant app: gateway, frontends, account app, and all.

The Problem

Identity is three hard problems pretending to be one:

- Authentication: login, MFA, email/SMS verification, forgot-password, social providers
- Authorization: which role can do what, baked into tokens so services don't need to call a DB on every request
- Multi-tenancy: organizations, invites, role scoping per org, sysadmin vs org-owner vs end user

Most teams either roll their own (and leak tokens) or drop in Keycloak and then spend a month figuring out realms, clients, JWKS caching, and how the gateway should verify tokens. The docs tell you what exists, not how to wire it into a real product…