diff --git a/src/frontend/src/content/docs/integrations/security/keycloak.mdx b/src/frontend/src/content/docs/integrations/security/keycloak.mdx
index 3d8d603e8..8aa13c768 100644
--- a/src/frontend/src/content/docs/integrations/security/keycloak.mdx
+++ b/src/frontend/src/content/docs/integrations/security/keycloak.mdx
@@ -190,7 +190,7 @@ await builder.build().run();
### Add Keycloak resource with parameters
@@ -273,7 +273,106 @@ await builder.build().run();
-The realm import files are mounted at `/opt/keycloak/data/import` in the Keycloak container. Realm import files are JSON files that represent the realm configuration.
+The realm import files are copied to `/opt/keycloak/data/import` in the
+Keycloak container. Realm import files are JSON files that represent the realm
+configuration.
+
+
+
+#### Production alternatives for realm seeding
+
+For production environments, consider these alternatives to seed your Keycloak
+instance:
+
+**Custom Keycloak image**: Bake realm files into a custom image. Apply
+`WithDockerfile` to the Keycloak resource instead of replacing `AddKeycloak`
+with `AddContainer`:
+
+```dockerfile title="keycloak/Dockerfile"
+FROM quay.io/keycloak/keycloak:25.0.0
+COPY ./realms/*.json /opt/keycloak/data/import/
+```
+
+
+
+```csharp title="AppHost.cs"
+var builder = DistributedApplication.CreateBuilder(args);
+
+var keycloak = builder.AddKeycloak("keycloak", 8080)
+ .WithDockerfile("./keycloak");
+
+var apiService = builder.AddProject("apiservice")
+ .WithReference(keycloak)
+ .WaitFor(keycloak);
+
+builder.Build().Run();
+```
+
+
+```typescript title="apphost.mts"
+import { createBuilder } from './.aspire/modules/aspire.mjs';
+
+const builder = await createBuilder();
+
+const keycloak = await builder.addKeycloak("keycloak", 8080);
+await keycloak.withDockerfile("./keycloak");
+
+const apiService = await builder.addProject("apiservice", "../ApiService/ApiService.csproj");
+await apiService.withReference(keycloak);
+await apiService.waitFor(keycloak);
+
+await builder.build().run();
+```
+
+
+
+
+
+
+```text title="Directory layout"
+AppHost.cs
+keycloak/
+ Dockerfile
+ realms/
+ demo-realm.json
+```
+
+
+
+
+```text title="Directory layout"
+apphost.mts
+keycloak/
+ Dockerfile
+ realms/
+ demo-realm.json
+```
+
+
+
+
+
+
+**Initialization service**: Create a separate initialization service or job
+that uses the [Keycloak Admin REST API](https://www.keycloak.org/docs-api/latest/rest-api/index.html)
+or [Keycloak Admin Client](https://www.nuget.org/packages/Keycloak.AuthServices.Sdk.Admin)
+to create and configure realms, clients, and users when the Keycloak instance
+first starts.
+
+**Infrastructure as Code**: Use tools like Terraform with the
+[Keycloak provider](https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs)
+to manage realm configuration separately from your application deployment.
### Export telemetry to OTLP collector
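Review bot: The "Custom Keycloak image" option, at the `COPY ./realms/*.json /opt/keycloak/data/import/` line of the Dockerfile sample, does not warn that realm export files can carry client secrets and user credentials, which then sit in an image layer readable by anyone who can pull the image. I would add a sentence after the Dockerfile sample such as `Realm exports can contain client secrets and user credentials; strip them from any file baked into the image and supply them at deploy time.` The sample also hard-codes `keycloak:25.0.0`, which readers will copy as-is; a short remark to keep the tag on a currently supported release (and aligned with the version the hosting integration expects, if it pins one) would help. The Terraform link points at the `mrparkers/keycloak` namespace, which I believe has since moved under the Keycloak organisation, so it is worth confirming before merge.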
@@ -316,7 +415,8 @@ This enables Keycloak to send traces, metrics, and logs to the Aspire dashboard,
### Hosting integration health checks
-The Keycloak hosting integration doesn't currently support health checks, nor does it automatically add them.
+The Keycloak hosting integration automatically adds an HTTP health check
+against the management endpoint's `/health/ready` path.
## Client integration