diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index f017d7d9..a46e239b 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -128,7 +128,7 @@ jobs:
 gke-project: ${{ secrets.GKE_PROJECT }}
 cloudflare-api-token: ${{ secrets.CF_API_TOKEN }}
 cloudflare-zone-id: ${{ secrets.CF_ZONE_ID }}
- keycloak-admin-password: ${{ secrets.KEYCLOAK_ADMIN_PASSWORD }}
+ keycloak-admin-password: ${{ secrets.KC_BOOTSTRAP_ADMIN_PASSWORD }}
 check:
 name: Check
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ce25c25b..bbe6a51f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -126,7 +126,7 @@ jobs:
 CADDY_MERCURE_JWT_SECRET: 33b04d361e437e0d7d715600fc24fdefba317154
 POSTGRES_PASSWORD: aae5bf316ef5fe87ad806c6a9240fff68bcfdaf7
 KEYCLOAK_POSTGRES_PASSWORD: 26d7f630f1524eb210bbf496443f2038a9316e9e
- KEYCLOAK_ADMIN_PASSWORD: 2f31e2fad93941b818449fd8d57fd019b6ce7fa5
+ KC_BOOTSTRAP_ADMIN_PASSWORD: 2f31e2fad93941b818449fd8d57fd019b6ce7fa5
 # https://nextjs.org/docs/app/building-your-application/configuring/environment-variables#bundling-environment-variables-for-the-browser
 NEXT_PUBLIC_OIDC_SERVER_URL: https://localhost/oidc/realms/demo
 # https://docs.docker.com/compose/environment-variables/envvars/#compose_file
diff --git a/api/src/Security/Http/Protection/ResourceResourceHandler.php b/api/src/Security/Http/Protection/ResourceResourceHandler.php
index aa1a69a4..9e79f05b 100644
--- a/api/src/Security/Http/Protection/ResourceResourceHandler.php
+++ b/api/src/Security/Http/Protection/ResourceResourceHandler.php
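Review bot: The renamed reference `${{ secrets.KC_BOOTSTRAP_ADMIN_PASSWORD }}` silently evaluates to an empty string until a repository secret exists under the new name, so a deploy that runs before the secret is renamed would pass an empty `keycloak-admin-password` instead of failing; whether the secret was renamed alongside this commit is not visible here. A guard step ahead of the deploy turns that into a hard failure, e.g. `env: { KC_PW: "${{ secrets.KC_BOOTSTRAP_ADMIN_PASSWORD }}" }` followed by `run: test -n "$KC_PW"`. The `compose.prod.yaml` hunk has the same exposure with the undefaulted `${KC_BOOTSTRAP_ADMIN_PASSWORD}`, where the `${KC_BOOTSTRAP_ADMIN_PASSWORD:?KC_BOOTSTRAP_ADMIN_PASSWORD is required}` form would abort the Compose run rather than interpolate an empty password.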
@@ -38,7 +38,7 @@ public function create(object $resource, UserInterface $owner, array $context =
 );
 // create resource_set on OIDC server
- $this->securityAuthorizationClient->request('POST', $this->getResourceRegistrationEndpoint(), [
+ $this->securityAuthorizationClient->request('POST', 'authz/protection/resource_set', [
 'auth_bearer' => $this->getPAT(),
 'json' => [
 'name' => \sprintf('%s_%s', $shortName, $resource->getId()->__toString()),
@@ -66,7 +66,7 @@ public function delete(object $resource, UserInterface $owner, array $context =
 // retrieve corresponding resource_set from OIDC server
 $response = $this->securityAuthorizationClient->request(
 'GET',
- $this->getResourceRegistrationEndpoint(),
+ 'authz/protection/resource_set',
 [
 'auth_bearer' => $this->getPAT(),
 'query' => [
@@ -85,7 +85,7 @@ public function delete(object $resource, UserInterface $owner, array $context =
 // delete corresponding resource_set on OIDC server
 $this->securityAuthorizationClient->request(
 'DELETE',
- \sprintf('%s/%s', $this->getResourceRegistrationEndpoint(), $resourceSet['_id']),
+ \sprintf('%s/%s', 'authz/protection/resource_set', $resourceSet['_id']),
 [
 'auth_bearer' => $this->getPAT(),
 ]
@@ -97,7 +97,7 @@ public function delete(object $resource, UserInterface $owner, array $context =
 */
 private function getPAT(): string
 {
- $response = $this->securityAuthorizationClient->request('POST', $this->getTokenEndpoint(), [
+ $response = $this->securityAuthorizationClient->request('POST', 'protocol/openid-connect/token', [
 'body' => [
 'grant_type' => 'client_credentials',
 'client_id' => $this->oidcClientId,
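Review bot: The literal relative paths `authz/protection/resource_set` and `protocol/openid-connect/token` are resolved against the client's configured base URI, so every call now depends on that base URI ending with a trailing slash — with Symfony HttpClient, which this client appears to be, a base_uri like `.../realms/demo` without one drops its last segment — whereas the discovery lookups being removed did not carry that dependency; the base URI is not visible in this diff, so it is worth checking. The resource_set literal is repeated in create() here and twice in delete() (hunks @@ -66 and @@ -85), so a `private const RESOURCE_SET_ENDPOINT = 'authz/protection/resource_set';` and `private const TOKEN_ENDPOINT = 'protocol/openid-connect/token';` would keep the now Keycloak-specific layout in one place, with a short comment saying the paths replace the former .well-known discovery. create() and delete() both begin outside the hunks.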
@@ -108,20 +108,4 @@ private function getPAT(): string
 return $content['access_token'];
 }
-
- private function getTokenEndpoint(): string
- {
- $response = $this->securityAuthorizationClient->request('GET', '.well-known/openid-configuration');
- $content = $response->toArray();
-
- return $content['token_endpoint'];
- }
-
- private function getResourceRegistrationEndpoint(): string
- {
- $response = $this->securityAuthorizationClient->request('GET', '.well-known/uma2-configuration');
- $content = $response->toArray();
-
- return $content['resource_registration_endpoint'];
- }
 }
diff --git a/compose.e2e.yaml b/compose.e2e.yaml
index 80fb7966..51de4271 100644
--- a/compose.e2e.yaml
+++ b/compose.e2e.yaml
@@ -5,11 +5,8 @@ services:
 KEYCLOAK_HTTPS_USE_PEM: "true"
 KEYCLOAK_HTTPS_CERTIFICATE_FILE: /opt/bitnami/keycloak/certs/tls.crt
 KEYCLOAK_HTTPS_CERTIFICATE_KEY_FILE: /opt/bitnami/keycloak/certs/tls.key
+ KEYCLOAK_EXTRA_ARGS: "--import-realm"
 volumes:
 - ./helm/api-platform/keycloak/certs/tls.crt:/opt/bitnami/keycloak/certs/tls.crt:ro
 - ./helm/api-platform/keycloak/certs/tls.pem:/opt/bitnami/keycloak/certs/tls.key:ro
-
- keycloak-config-cli:
- extends:
- file: compose.override.yaml
- service: keycloak-config-cli
+ - ./helm/api-platform/keycloak/config:/opt/bitnami/keycloak/data/import
diff --git a/compose.override.yaml b/compose.override.yaml
index 29eea747..1022d77e 100644
--- a/compose.override.yaml
+++ b/compose.override.yaml
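Review bot: Mounting `./helm/api-platform/keycloak/config` into `/opt/bitnami/keycloak/data/import` with `--import-realm` changes the update semantics: Keycloak's startup import skips a realm that already exists, whereas the replaced keycloak-config-cli service re-applied the files on every run, so edits to the realm config will silently not reach a persisted database unless the realm is dropped first; a comment on the `KEYCLOAK_EXTRA_ARGS` line saying so would save the next person a debugging session. The import mount is also writable while the neighbouring cert mounts are `:ro`; `- ./helm/api-platform/keycloak/config:/opt/bitnami/keycloak/data/import:ro` is enough for reading. Both points apply equally to the `compose.override.yaml` hunk, and `helm/api-platform/values.yaml` still runs keycloak-config-cli against the same directory, so the files there now have to satisfy both importers (the diff does not show their contents, so this assumes they are already in realm-export shape).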
@@ -56,20 +56,8 @@ services:
 build:
 context: ./helm/api-platform/keycloak/
 target: keycloak
- volumes:
- - ./helm/api-platform/keycloak/themes/api-platform-demo:/opt/bitnami/keycloak/themes/api-platform-demo
-
- keycloak-config-cli:
- image: bitnami/keycloak-config-cli:5-debian-12
- depends_on:
- keycloak:
- condition: service_healthy
 environment:
- KEYCLOAK_URL: http://keycloak:8080/oidc/
- KEYCLOAK_USER: ${KEYCLOAK_ADMIN_USER:-admin}
- KEYCLOAK_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-!ChangeMe!}
- KEYCLOAK_AVAILABILITYCHECK_ENABLED: "true"
- KEYCLOAK_AVAILABILITYCHECK_TIMEOUT: 120s
- IMPORT_FILES_LOCATIONS: "/config/*"
+ KEYCLOAK_EXTRA_ARGS: "--import-realm"
 volumes:
- - ./helm/api-platform/keycloak/config:/config
+ - ./helm/api-platform/keycloak/themes/api-platform-demo:/opt/bitnami/keycloak/themes/api-platform-demo
+ - ./helm/api-platform/keycloak/config:/opt/bitnami/keycloak/data/import
diff --git a/compose.prod.yaml b/compose.prod.yaml
index 4a45f9d4..0bf1f06f 100644
--- a/compose.prod.yaml
+++ b/compose.prod.yaml
@@ -44,4 +44,4 @@ services:
 target: keycloak
 environment:
 KEYCLOAK_PRODUCTION: "true"
- KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
+ KC_BOOTSTRAP_ADMIN_PASSWORD: ${KC_BOOTSTRAP_ADMIN_PASSWORD}
diff --git a/compose.yaml b/compose.yaml
index d8251305..5c1e0ec5 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -98,17 +98,14 @@ services:
 KEYCLOAK_DATABASE_NAME: ${KEYCLOAK_POSTGRES_DB:-keycloak}
 KEYCLOAK_DATABASE_USER: ${KEYCLOAK_POSTGRES_USER:-keycloak}
 KEYCLOAK_DATABASE_PASSWORD: ${KEYCLOAK_POSTGRES_PASSWORD:-!ChangeMe!}
- KEYCLOAK_ADMIN_USER: ${KEYCLOAK_ADMIN_USER:-admin}
- KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-!ChangeMe!}
+ KC_BOOTSTRAP_ADMIN_USERNAME: ${KC_BOOTSTRAP_ADMIN_USERNAME:-admin}
+ KC_BOOTSTRAP_ADMIN_PASSWORD: ${KC_BOOTSTRAP_ADMIN_PASSWORD:-!ChangeMe!}
 # Must finish with a trailing slash (https://github.com/bitnami/charts/issues/10885#issuecomment-1414279144)
 KEYCLOAK_HTTP_RELATIVE_PATH: /oidc/
- # https://www.keycloak.org/server/hostname
- KC_HOSTNAME_URL: https://${SERVER_NAME:-localhost}/oidc/
- KC_HOSTNAME_ADMIN_URL: https://${SERVER_NAME:-localhost}/oidc/
- # https://www.keycloak.org/server/features
- KC_FEATURES: "scripts"
- # https://github.com/bitnami/containers/pull/40893
+ KEYCLOAK_HOSTNAME: https://${SERVER_NAME:-localhost}/oidc/
+ KEYCLOAK_HOSTNAME_ADMIN: https://${SERVER_NAME:-localhost}/oidc/
 KEYCLOAK_ENABLE_HEALTH_ENDPOINTS: "true"
+ KEYCLOAK_PROXY_HEADERS: xforwarded
 # https://www.keycloak.org/server/all-config#category-health
 healthcheck:
 test: [ "CMD-SHELL", "curl http://127.0.0.1:8080/oidc/health || exit 1"]
diff --git a/helm/api-platform/keycloak/Dockerfile b/helm/api-platform/keycloak/Dockerfile
index d5e2b08d..bcdb365b 100644
--- a/helm/api-platform/keycloak/Dockerfile
+++ b/helm/api-platform/keycloak/Dockerfile
@@ -4,7 +4,7 @@
 # Versions
-FROM bitnami/keycloak:24-debian-12 AS keycloak_upstream
+FROM bitnami/keycloak:26-debian-12 AS keycloak_upstream
 # The different stages of this Dockerfile are meant to be built into separate images
diff --git a/helm/api-platform/values.yaml b/helm/api-platform/values.yaml
index 229d8d8b..5e1cf2b7 100644
--- a/helm/api-platform/values.yaml
+++ b/helm/api-platform/values.yaml
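Review bot: `KEYCLOAK_PROXY_HEADERS: xforwarded` makes Keycloak trust X-Forwarded-* headers from any client that can reach port 8080, so it is only safe while that port stays unpublished and reachable solely from the reverse proxy; the hunk shows no `ports:` mapping for this service, but that should be confirmed and recorded, e.g. `# Trusts X-Forwarded-* from the proxy: never publish 8080` above the line. Separately, `KC_FEATURES: "scripts"` is removed with no replacement, so if the realm export relies on script-based mappers or policies the import will reject them; if the feature is still needed it can be re-enabled with the `--features=scripts` server option, for instance appended to the `KEYCLOAK_EXTRA_ARGS` the other compose files already use. The removed lines also carried links to the Keycloak hostname docs that the new `KEYCLOAK_HOSTNAME` lines no longer have.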
@@ -108,11 +108,11 @@ keycloak:
 service:
 type: ClusterIP
 extraEnvVars:
- # Must set KC_HOSTNAME_URL to force https + relative path
- - name: KC_HOSTNAME_URL
+ # Must set KEYCLOAK_HOSTNAME to force https + relative path
+ - name: KEYCLOAK_HOSTNAME
 value: "https://chart-example.local/oidc/"
- # Must set KC_HOSTNAME_ADMIN because of relative path
- - name: KC_HOSTNAME_ADMIN_URL
+ # Must set KEYCLOAK_HOSTNAME_ADMIN because of relative path
+ - name: KEYCLOAK_HOSTNAME_ADMIN
 value: "https://chart-example.local/oidc/"
 - name: KEYCLOAK_PRODUCTION
 value: "true"
@@ -137,7 +137,7 @@ keycloak:
 - -jar
 - /opt/bitnami/keycloak-config-cli/keycloak-config-cli.jar
 image:
- tag: 5-debian-12
+ tag: 6-debian-12
 postgresql:
 enabled: true
 nameOverride: postgresql-keycloak