Hi Keycloak community,
I’m looking for guidance on moving only specific custom Authentication Flows between environments (dev → test → preprod → prod).
Context
We run separate Keycloak instances per environment.
A full realm export/import is not feasible because several realm-level settings differ across environments (e.g., client configs and secrets, identity providers, URLs, SMTP, etc.).
When we change a flow in dev, we currently have to re-create the change by hand in the other environments, which is error-prone.
Question
Is there a supported way to export and import a single Authentication Flow (including its subflows, executions, execution order/requirements, and any associated authenticator configs) without replacing the entire realm? Pointers to recommended tools or approaches would be much appreciated—for example:
a documented “partial” export/import that targets authentication flows,
using the Admin REST API or kcadm.sh in a reliable, idempotent way,
other best practices you use to promote flow changes safely across environments.
If there isn’t a native/official solution today, would it be appropriate to open a GitHub issue as a feature request for “authentication-flow level export/import”? If so, any suggestions on scope or prior discussions to reference?
Thanks in advance for your help and pointers!
Best regards,
Paolo Amato
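An added example, not part of the original post and not Keycloak project code: one way to isolate a single flow together with its subflows, execution order/requirements and referenced authenticator configs from a realm export, and to fingerprint it so two environments can be compared before anything is changed. It assumes the realm export JSON layout (`authenticationFlows`, `authenticationExecutions`, `flowAlias`, `authenticatorConfig`); the function names, aliases and sample realm are hypothetical, and the import step itself is not shown.

```python
import hashlib
import json

def extract_flow(realm, alias):
    """Bundle one flow with its subflows and authenticator configs, dropping ids."""
    flows = {f["alias"]: f for f in realm.get("authenticationFlows", [])}
    configs = {c["alias"]: c for c in realm.get("authenticatorConfig", [])}
    picked, cfg_names, todo = {}, set(), [alias]
    while todo:
        name = todo.pop()
        if name not in flows:
            raise KeyError(f"flow not in export: {name}")
        flow = {k: v for k, v in flows[name].items() if k != "id"}
        # Order is carried by "priority"; sort so list position never matters.
        flow["authenticationExecutions"] = sorted(
            flow.get("authenticationExecutions", []), key=lambda e: e.get("priority", 0))
        picked[name] = flow
        for ex in flow["authenticationExecutions"]:
            if (sub := ex.get("flowAlias")) and sub not in picked:  # subflow reference
                todo.append(sub)
            if ex.get("authenticatorConfig"):  # alias of a config entry
                cfg_names.add(ex["authenticatorConfig"])
    missing = cfg_names - configs.keys()
    if missing:
        raise KeyError(f"authenticator config not in export: {sorted(missing)}")
    return {
        "authenticationFlows": [picked[a] for a in sorted(picked)],
        "authenticatorConfig": [
            {k: v for k, v in configs[a].items() if k != "id"} for a in sorted(cfg_names)],
    }

def fingerprint(bundle):
    """Stable hash of a bundle, for comparing environments before changing anything."""
    canon = json.dumps(bundle, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

# Constructed sample: a trimmed dev realm export (one custom flow plus unrelated items).
DEV = {"realm": "dev", "smtpServer": {"host": "smtp.dev.example"}, "authenticationFlows": [
    {"id": "d1", "alias": "corp browser", "topLevel": True, "authenticationExecutions": [
        {"authenticatorFlow": True, "flowAlias": "corp forms", "requirement": "ALTERNATIVE", "priority": 20},
        {"authenticator": "auth-cookie", "requirement": "ALTERNATIVE", "priority": 10}]},
    {"id": "d2", "alias": "corp forms", "topLevel": False, "authenticationExecutions": [
        {"authenticator": "auth-username-password-form", "requirement": "REQUIRED", "priority": 10},
        {"authenticator": "auth-conditional-otp-form", "authenticatorConfig": "corp otp",
         "requirement": "REQUIRED", "priority": 20}]},
    {"id": "d3", "alias": "other flow", "topLevel": True, "authenticationExecutions": []}],
  "authenticatorConfig": [{"id": "c1", "alias": "corp otp", "config": {"defaultOtpOutcome": "force"}},
                          {"id": "c2", "alias": "unused", "config": {}}]}
```

Because the bundle carries only the flow closure, client secrets, identity providers, URLs and SMTP settings never leave the source environment, and a matching fingerprint on the target means there is nothing to apply.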