diff --git a/roles/keycloak/files/providers/keycloak-mailpass-rest/src/main/java/org/archlinux/keycloak/mailpass/rest/MailPassResourceProvider.java b/roles/keycloak/files/providers/keycloak-mailpass-rest/src/main/java/org/archlinux/keycloak/mailpass/rest/MailPassResourceProvider.java
index 6e8d787dea047ca5f13395ad3611da35f2287d88..0bc172b63025997514ef6d9199d455b98b9d9c9d 100644
--- a/roles/keycloak/files/providers/keycloak-mailpass-rest/src/main/java/org/archlinux/keycloak/mailpass/rest/MailPassResourceProvider.java
+++ b/roles/keycloak/files/providers/keycloak-mailpass-rest/src/main/java/org/archlinux/keycloak/mailpass/rest/MailPassResourceProvider.java
@@ -11,14 +11,18 @@ import org.keycloak.services.resource.RealmResourceProvider;
 public class MailPassResourceProvider implements RealmResourceProvider {
 
   private KeycloakSession session;
+  private String realmName;
+  private String realmRole;
 
-  public MailPassResourceProvider(KeycloakSession session) {
+  public MailPassResourceProvider(KeycloakSession session, String realmName, String realmRole) {
     this.session = session;
+    this.realmName = realmName;
+    this.realmRole = realmRole;
   }
 
   @Override
   public Object getResource() {
-    return new MailPassRestResource(session);
+    return new MailPassRestResource(session, realmName, realmRole);
   }
 
   @Override
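Review bot: The new `realmName` and `realmRole` fields are assigned only in the constructor in the lines shown, so they can be declared `private final String realmName;` and `private final String realmRole;`, matching how `MailPassRestResource` declares the same two values in this commit. That keeps the realm and role that gate the endpoint from being reassigned after construction. The class body continues past the end of this hunk, so confirm nothing below writes to them.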
diff --git a/roles/keycloak/files/providers/keycloak-mailpass-rest/src/main/java/org/archlinux/keycloak/mailpass/rest/MailPassResourceProviderFactory.java b/roles/keycloak/files/providers/keycloak-mailpass-rest/src/main/java/org/archlinux/keycloak/mailpass/rest/MailPassResourceProviderFactory.java
index 4358bf89b5604dd5cf701f13313184154deac3dd..33f2175167537c09c6d04ee82abeabc8bda18b16 100644
--- a/roles/keycloak/files/providers/keycloak-mailpass-rest/src/main/java/org/archlinux/keycloak/mailpass/rest/MailPassResourceProviderFactory.java
+++ b/roles/keycloak/files/providers/keycloak-mailpass-rest/src/main/java/org/archlinux/keycloak/mailpass/rest/MailPassResourceProviderFactory.java
@@ -13,6 +13,12 @@ import org.keycloak.services.resource.RealmResourceProviderFactory;
  */
 public class MailPassResourceProviderFactory implements RealmResourceProviderFactory {
 
+  private static final String DEFAULT_REALM_NAME = "master";
+  private static final String DEFAULT_REALM_ROLE = "admin";
+
+  private String realmName;
+  private String realmRole;
+
   public static final String ID = "mailpass";
 
   @Override
@@ -22,11 +28,13 @@ public class MailPassResourceProviderFactory implements RealmResourceProviderFac
 
   @Override
   public RealmResourceProvider create(KeycloakSession session) {
-    return new MailPassResourceProvider(session);
+    return new MailPassResourceProvider(session, realmName, realmRole);
   }
 
   @Override
   public void init(Scope config) {
+    this.realmName = config.get("realmName", DEFAULT_REALM_NAME);
+    this.realmRole = config.get("realmRole", DEFAULT_REALM_ROLE);
   }
 
   @Override
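Review bot: The `realmName` and `realmRole` keys read in `init` are not documented anywhere in this change, and `config.get(key, default)` falls back to `master`/`admin` whenever a key is absent, so a misspelled key in the provider configuration is silently ignored and the endpoint is guarded by the defaults rather than by what the operator intended. A Javadoc comment on `DEFAULT_REALM_NAME` and `DEFAULT_REALM_ROLE` (declared in the previous hunk) that names the two config keys and states that they decide which realm and realm role may reach `roleauth` would make this visible. Logging the effective values once at the end of `init` would also help when auditing a deployment.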
diff --git a/roles/keycloak/files/providers/keycloak-mailpass-rest/src/main/java/org/archlinux/keycloak/mailpass/rest/MailPassRestResource.java b/roles/keycloak/files/providers/keycloak-mailpass-rest/src/main/java/org/archlinux/keycloak/mailpass/rest/MailPassRestResource.java
index 927304b3560ff91df3a0d07e03ade5a3fbf7d153..dc57e36ee1e328df512de7755c8fa2359daf3a31 100644
--- a/roles/keycloak/files/providers/keycloak-mailpass-rest/src/main/java/org/archlinux/keycloak/mailpass/rest/MailPassRestResource.java
+++ b/roles/keycloak/files/providers/keycloak-mailpass-rest/src/main/java/org/archlinux/keycloak/mailpass/rest/MailPassRestResource.java
@@ -17,23 +17,35 @@ import org.keycloak.services.managers.AuthenticationManager;
 public class MailPassRestResource {
 
   private final KeycloakSession session;
+  private final String realmName;
+  private final String realmRole;
   private final AuthenticationManager.AuthResult auth;
 
-  public MailPassRestResource(KeycloakSession session) {
+  public MailPassRestResource(KeycloakSession session, String realmName, String realmRole) {
     this.session = session;
     this.auth = new AppAuthManager.BearerTokenAuthenticator(session).authenticate();
+    this.realmName = realmName;
+    this.realmRole = realmRole;
   }
 
   @Path("roleauth")
   public MailPassResource getMailPassResourceAuthenticated() {
+    checkRealm();
     checkRealmAdmin();
     return new MailPassResource(session);
   }
 
+  private void checkRealm() {
+    String requestedRealm = session.getContext().getRealm().getName();
+    if (!requestedRealm.equals(realmName)) {
+      throw new ForbiddenException("Operation not allowed on this realm: " + requestedRealm);
+    }
+  }
+
   private void checkRealmAdmin() {
     if (auth == null) {
       throw new NotAuthorizedException("Bearer");
-    } else if (auth.getToken().getRealmAccess() == null || !auth.getToken().getRealmAccess().isUserInRole("admin")) {
+    } else if (auth.getToken().getRealmAccess() == null || !auth.getToken().getRealmAccess().isUserInRole(realmRole)) {
       throw new ForbiddenException("Does not have realm admin role");
     }
   }
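Review bot: In `getMailPassResourceAuthenticated`, `checkRealm()` runs before the bearer-token check, so a caller with no token gets a 403 on every realm except the configured one and a 401 there, which tells unauthenticated clients which realm the endpoint is enabled for. Calling `checkRealmAdmin();` first and `checkRealm();` second keeps the unauthenticated response uniform across realms. The 403 text also echoes the realm name taken from the request; a fixed message such as `"Operation not allowed on this realm"` is enough, with the realm name written to the server log if it is needed. Separately, `"Does not have realm admin role"` is no longer accurate when `realmRole` is configured to something other than `admin`.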