How to introspect an access_token coming from a public client with Keycloak Server?
I have the following setup: a Single Page Application, which gets OAuth 2.0 tokens from a Keycloak server. The application then makes API calls to a different server of mine, authorized with a valid access_token.

Everything works, except that I don't know how to validate the tokens with the Keycloak server. Normally I would just use the token introspection endpoint with the client_id together with the client_secret, but I can't do this, since the client issuing the access_token is public, not confidential, because I am using a SPA.

I am in total control of the server running the API, so I would be happy with using any kind of authentication, but I didn't find a way to configure anything at the Keycloak server. The API server runs a Node instance and I would like to stick to the spec, so using the token introspection endpoint would be preferred, but I am open to other solutions as well.

Bomb answered 17/4, 2020 at 14:17

Comments (5):

Did you solve this? I'm having the same issue – Cooney
I never really did. I switched to using JWT and short-lived access_tokens – Bomb
Could you solve it? I have exactly the same issue, it just says client not allowed – Vanda
Related to https://mcmap.net/q/483504/-introspection-endpoint-of-keycloak-server – Sweetener
@anyone got any solution for this? – Austroasiatic

You can use a client_id and client_secret from a different client (you can create a new one) when you are calling the Keycloak introspect endpoint with the access token from your public client. You should place the call at the introspect service in your API, or in a filter above it, so you don't store the client_id and client_secret in the frontend static content.

Gillis answered 1/12, 2023 at 12:22

Comments (1):

How can a token created with one client be introspected by another client? – Austroasiatic
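The approach in this answer, as an added example that is not part of the original post: a Node.js API backend calls the Keycloak introspection endpoint with the credentials of a separate confidential client and then checks the reply before trusting the token. The base URL (older Keycloak versions prefix it with /auth), realm, client ids, secret and opaque token are assumed placeholders, and the Keycloak reply is a constructed stand-in so the code runs offline.

```javascript
// Added example, not from the original post: a Node.js API backend verifies an
// access_token issued to a public SPA client by calling Keycloak's introspection
// endpoint (RFC 7662) with a separate confidential client's credentials.
// Base URL, realm, client id/secret and the token below are constructed placeholders.

// The confidential client's secret goes only from this server to Keycloak via
// HTTP Basic auth; it is never shipped to the browser.
function buildIntrospectionRequest({ baseUrl, realm, clientId, clientSecret, token }) {
  const url = `${baseUrl}/realms/${encodeURIComponent(realm)}/protocol/openid-connect/token/introspect`;
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
  const body = new URLSearchParams({ token, token_type_hint: 'access_token' }).toString();
  const headers = { Authorization: `Basic ${basic}`, 'Content-Type': 'application/x-www-form-urlencoded' };
  return { url, options: { method: 'POST', headers, body } };
}

// "active": true is necessary but not sufficient: also pin issuer and audience so a
// token minted for another realm or API is not accepted here.
function isTokenAcceptable(introspection, { expectedIssuer, expectedAudience }) {
  if (!introspection || introspection.active !== true) return false;
  if (expectedIssuer && introspection.iss !== expectedIssuer) return false;
  if (expectedAudience && ![].concat(introspection.aud ?? []).includes(expectedAudience)) return false;
  return true;
}

// Perform the call; fetchImpl is injectable so the flow can be exercised offline.
async function introspectToken(cfg, token, fetchImpl = globalThis.fetch) {
  const { url, options } = buildIntrospectionRequest({ ...cfg, token });
  const res = await fetchImpl(url, options);
  if (!res.ok) throw new Error(`introspection failed: HTTP ${res.status}`);
  return res.json();
}

// Constructed stand-in for Keycloak: only the one known token is reported active,
// and only when the caller authenticated with Basic credentials.
const KNOWN_TOKEN = 'constructed-opaque-token';
const ISSUER = 'https://sso.example/realms/demo';
async function fakeKeycloakFetch(url, options) {
  const sent = new URLSearchParams(options.body);
  const authed = options.headers.Authorization.startsWith('Basic ');
  const body = authed && sent.get('token') === KNOWN_TOKEN
    ? { active: true, iss: ISSUER, aud: ['api-server'], client_id: 'spa-public' }
    : { active: false };
  return { ok: true, status: 200, json: async () => body };
}

const cfg = { baseUrl: 'https://sso.example', realm: 'demo', clientId: 'api-introspector', clientSecret: 'constructed-secret' };
introspectToken(cfg, KNOWN_TOKEN, fakeKeycloakFetch).then((r) =>
  console.log('token acceptable:', isTokenAcceptable(r, { expectedIssuer: ISSUER, expectedAudience: 'api-server' })));
```

On a real deployment replace fakeKeycloakFetch with the built-in fetch and keep the confidential client's secret in server-side configuration only.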
