diff --git a/build.gradle.kts b/build.gradle.kts index 734cedd07..a0169178f 100644 --- a/build.gradle.kts +++ b/build.gradle.kts @@ -69,7 +69,7 @@ repositories { } tasks { - val keycloakVersion = "25.0.0" + val keycloakVersion = "25.0.5" named("build") { dependsOn("buildDocker", ":docsbuild:buildDocs") @@ -154,7 +154,7 @@ tasks { register("execWindowsKeycloak") { doLast { ProcessBuilder( - "cmd", "/c", "kc.bat", "start-dev", "--http-port=18080", "--hostname-strict=false","--http-relative-path=/auth","--log-level=info", ">", + "cmd", "/c", "kc.bat", "start-dev", "--http-port=18080", "--http-management-port=18081", "--hostname-strict=false","--http-relative-path=/auth","--log-level=info", ">", "output.txt" ).run { directory(File("keycloak/keycloak-$keycloakVersion/bin")) diff --git a/docsbuild/content/migrations/client.md b/docsbuild/content/migrations/client.md index 5bdc04215..c0d1546d0 100644 --- a/docsbuild/content/migrations/client.md +++ b/docsbuild/content/migrations/client.md @@ -73,6 +73,7 @@ Update a client - surrogateAuthRequired: Boolean, optional, default=no change - enabled: Boolean, optional, default=no change - alwaysDisplayInConsole: Boolean, optional, default=no change +- clientAuthenticatorType: String, optional, default=no change - attributes: Map, optional, default=no change - protocol: String, optional, default=no change - redirectUris: List< String>, optional, default=no change diff --git a/src/main/kotlin/de/klg71/keycloakmigration/changeControl/actions/client/UpdateClientAction.kt b/src/main/kotlin/de/klg71/keycloakmigration/changeControl/actions/client/UpdateClientAction.kt index 1672bc2e0..2a3ef0add 100644 --- a/src/main/kotlin/de/klg71/keycloakmigration/changeControl/actions/client/UpdateClientAction.kt +++ b/src/main/kotlin/de/klg71/keycloakmigration/changeControl/actions/client/UpdateClientAction.kt 
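Review bot: The `execWindowsKeycloak` argument list now pins Keycloak's management interface to 18081, but nothing visible in the list restricts the bind address, so in `start-dev` mode both 18080 and the management port are presumably reachable from other hosts on the build machine's network. If the integration tests only connect via localhost, adding `"--http-host=127.0.0.1",` to the arguments would keep the dev-mode server local. A comment such as `// Keycloak 25 moved management endpoints to their own port; keep it next to the test HTTP port` would explain why the flag arrives with the version bump. Only the Windows task appears in this diff, so any other Keycloak start task should be checked for the same flag; the task body continues outside the hunk.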
@@ -15,6 +15,7 @@ class UpdateClientAction( private val surrogateAuthRequired: Boolean? = null, private val enabled: Boolean? = null, private val alwaysDisplayInConsole: Boolean? = null, + private val clientAuthenticatorType: String? = null, private val attributes: Map? = null, private val protocol: String? = null, private val redirectUris: List? = null, @@ -34,6 +35,13 @@ class UpdateClientAction( private val fullScopeAllowed: Boolean? = null, private val nodeReRegistrationTimeout: Int ?= null) : Action(realm) { + companion object { + @JvmStatic + val supportedClientAuthenticatorTypes = listOf( + "client-jwt", "client-secret", "client-secret-jwt", "client-x509" + ) + } + private lateinit var oldClient: Client @Suppress("ComplexMethod") @@ -45,7 +53,7 @@ class UpdateClientAction( surrogateAuthRequired ?: oldClient.surrogateAuthRequired, enabled ?: oldClient.enabled, alwaysDisplayInConsole ?: oldClient.alwaysDisplayInConsole, - oldClient.clientAuthenticatorType, + clientAuthenticatorType ?: oldClient.clientAuthenticatorType, redirectUris ?: oldClient.redirectUris, webOrigins ?: oldClient.webOrigins, notBefore ?: oldClient.notBefore, @@ -73,6 +81,13 @@ class UpdateClientAction( ) override fun execute() { + if (clientAuthenticatorType != null && clientAuthenticatorType !in supportedClientAuthenticatorTypes) { + throw MigrationException( + "Client authenticator type '$clientAuthenticatorType' is not supported. " + + "Use one of: ${supportedClientAuthenticatorTypes.joinToString(", ")}" + ) + } + if (!client.existsClient(clientId, realm())) { throw MigrationException("Client with id: $clientId does not exist in realm: $realm!") } diff --git a/src/test/resources/changesets/43_update_client_clientauthenticatortype.yml b/src/test/resources/changesets/43_update_client_clientauthenticatortype.yml new file mode 100644 index 000000000..f3b17ae2e --- /dev/null +++ b/src/test/resources/changesets/43_update_client_clientauthenticatortype.yml 
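Review bot: In the `companion object` hunk, `supportedClientAuthenticatorTypes` is a public `@JvmStatic val` holding a `List`, which publishes an internal allow-list as API and is searched linearly. If nothing outside the class needs it (only the check in `execute()` reads it in this diff), `private val SUPPORTED_CLIENT_AUTHENTICATOR_TYPES = setOf("client-jwt", "client-secret", "client-secret-jwt", "client-x509")` would be the tighter form. A one-line comment stating that these are Keycloak's built-in client authenticator ids would tell the next maintainer where the values come from and when the set needs revisiting.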
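Review bot: `clientAuthenticatorType ?: oldClient.clientAuthenticatorType` lets a changeset switch how a confidential client authenticates, yet the new constructor parameter carries no documentation of what has to accompany that switch. Moving an existing client from `client-jwt` or `client-x509` to `client-secret` replaces key- or certificate-based authentication with a shared secret, and moving to `client-jwt` without the matching key configuration presumably leaves the client unable to authenticate; neither consequence is visible from the changeset itself. I would add KDoc on the parameter stating the accepted ids, that `null` keeps the current value, and that the related credentials or attributes have to be migrated in the same changeset. The function that builds the updated client starts and ends outside the hunk.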
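Review bot: The allow-list check at the top of `execute()` rejects every authenticator id other than the four built-in ones, so a realm that relies on a custom client authenticator provider cannot be updated through this action; if that is intended, the exception text and the docs should say so. The check also runs only when the action executes, so a mistyped value would surface after earlier changes of the same changeset were applied — validating in an `init { }` block would fail at load time instead, assuming actions are constructed before any of them runs (to be confirmed). It does not look at `publicClient` either, although setting an authenticator type on a public client has no effect on how that client authenticates. `execute()` continues outside the hunk.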
@@ -0,0 +1,10 @@
+id: update_client_clientauthenticatortype
+author: klg71
+realm: integ-test
+changes:
+ - addSimpleClient:
+ clientId: testClientJwtAuth
+ - updateClient:
+ clientId: testClientJwtAuth
+ publicClient: false
+ clientAuthenticatorType: client-jwt
diff --git a/src/test/resources/keycloak-changelog.yml b/src/test/resources/keycloak-changelog.yml
index ca2802eba..5bc34f379 100644
--- a/src/test/resources/keycloak-changelog.yml
+++ b/src/test/resources/keycloak-changelog.yml
@@ -38,3 +38,4 @@ includes:
 - path: changesets/40_add_identity_provider_mappers.yml
 - path: changesets/41_delete_identity_provider_mappers.yml
 - path: changesets/42_register_required_action.yml
+- path: changesets/43_update_client_clientauthenticatortype.yml
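Review bot: The new changeset `43_update_client_clientauthenticatortype.yml` only exercises an accepted value, so the rejection branch added to `UpdateClientAction.execute()` is not covered by anything visible in this diff. A second case that passes an unsupported `clientAuthenticatorType` and expects the `MigrationException` would pin the allow-list, and a rollback of this changeset would show that the previous authenticator type is restored. The client is switched to `client-jwt` without any key material, which is enough to test the field write but does not produce a working signed-JWT client; a comment such as `# no JWKS/certificate configured: verifies the field update only` would keep it from being copied as a configuration example.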