diff --git a/lib/keycloak.ts b/lib/keycloak.ts
index 5566097e..3232e913 100644
--- a/lib/keycloak.ts
+++ b/lib/keycloak.ts
@@ -35,43 +35,67 @@ export async function getKeycloakAdminClient(): Promise {
 throw new Error('Missing Keycloak URL configuration');
 }
- if (!adminClientId || !adminUsername || !adminPassword || !realmName) {
+ if (!adminClientId || !realmName) {
 const missing = [];
 if (!adminClientId) missing.push('KEYCLOAK_CLIENT_ID');
- if (!adminUsername) missing.push('KEYCLOAK_ADMIN_USERNAME');
- if (!adminPassword) missing.push('KEYCLOAK_ADMIN_PASSWORD');
 if (!realmName) missing.push('KEYCLOAK_REALM');
- console.error(`Missing Keycloak admin credentials in .env: ${missing.join(', ')}`);
- throw new Error('Missing Keycloak admin credentials');
+ console.error(`Missing Keycloak client credentials in .env: ${missing.join(', ')}`);
+ throw new Error('Missing Keycloak client credentials');
 }
- console.log(`Connecting to Keycloak at ${keycloakUrl}, realm: ${realmName}`);
+ // We'll try various authentication methods depending on what credentials we have
+ if (!clientSecret && (!adminUsername || !adminPassword)) {
+ console.error('Missing credentials for Keycloak authentication. Need either a client secret or username/password.');
+ throw new Error('Missing Keycloak authentication credentials');
+ }
+
+ console.log(`Connecting to Keycloak at ${keycloakUrl}, realm: ${realmName}, client: ${adminClientId}`);
 try {
 const kcAdminClient = new KcAdminClient({
 baseUrl: keycloakUrl,
- realmName: 'master', // Use master realm to manage other realms
+ realmName: 'master', // Use master realm for admin operations
+ });
+
+ // Log auth configuration (don't log the actual secret or password)
+ console.log('Auth configuration:', {
+ clientId: adminClientId,
+ hasClientSecret: !!clientSecret,
+ hasUsername: !!adminUsername,
+ hasPassword: !!adminPassword,
+ authUrl: `${keycloakUrl}/realms/master/protocol/openid-connect/token`
 });
 // Authenticate admin client
- const authParams: Credentials = {
- clientId: adminClientId,
- username: adminUsername,
- password: adminPassword,
- grantType: 'password',
- };
+ let authParams: Credentials;
- // Add client secret if available
+ // If we have a client secret, try to use client credentials grant
 if (clientSecret) {
- authParams.clientSecret = clientSecret;
+ console.log('Using client credentials grant with client secret');
+ authParams = {
+ clientId: adminClientId,
+ clientSecret: clientSecret,
+ grantType: 'client_credentials'
+ };
+ } else {
+ // Fall back to password grant
+ console.log('Using password grant without client secret');
+ authParams = {
+ clientId: adminClientId,
+ username: adminUsername,
+ password: adminPassword,
+ grantType: 'password'
+ };
 }
 await kcAdminClient.auth(authParams);
 console.log('Successfully authenticated with Keycloak admin client');
- // Set the target realm to work with
+ // Now that we're authenticated, we can specify the realm we want to work with
+ // This could be different from the authentication realm (master)
+ console.log(`Setting target realm to: ${realmName}`);
 kcAdminClient.setConfig({
 realmName: realmName,
 });
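Review bot: The comment `// We'll try various authentication methods depending on what credentials we have` overstates what the code below it does: exactly one grant is chosen from whether `clientSecret` is set, and nothing is retried if `kcAdminClient.auth(authParams)` rejects, so a reader expecting a fallback will be misled; reword it to `// Select a single grant: client_credentials when a client secret is configured, otherwise password grant`. The selection also changes which principal performs the admin operations: a deployment that sets both a client secret and KEYCLOAK_ADMIN_USERNAME/KEYCLOAK_ADMIN_PASSWORD previously authenticated as the admin user (password grant with the secret attached) and now authenticates as the client's service account, so that service account presumably needs the realm-management roles in master or the later realm calls will fail far from this code — worth a sentence next to the `if (clientSecret)` branch. The `authUrl` field in the `Auth configuration:` log is built locally from `keycloakUrl` rather than read back from the client, so it records an assumption about the token endpoint, not the URL the library actually calls; either drop it or comment it as such. getKeycloakAdminClient's body begins and continues outside the hunk.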