Looks like the /api/* resources are not protected by keycloak

 router.route("/api/*").handler(this::dispatchRequests);

Yes we don't protect all of the /api/* resources(e.g. retrieve actions). We only protect some actions requiring authentication. Here we protect resource by using a wrapped callback requireLogin in RestAPIVerticle. You may also refer to authentication management section in the blueprint documentation.