Create an API key | Elasticsearch API documentation

Create an API key Generally available; Added in 6.7.0

POST /_security/api_key

All methods and paths for this operation:

PUT /_security/api_key

POST /_security/api_key

Create an API key for access without requiring basic authentication.

IMPORTANT: If the credential that is used to authenticate this request is an API key, the derived API key cannot have any privileges. If you specify privileges, the API returns an error.

A successful request returns a JSON structure that contains the API key, its unique id, and its name. If applicable, it also returns expiration information for the API key in milliseconds.

NOTE: By default, API keys never expire. You can specify expiration information when you create the API keys.

The API keys are created by the Elasticsearch API key service, which is automatically enabled. To configure or turn off the API key service, refer to API key service setting documentation.

highlight#highlightFromAnchor" href="#topic-required-authorization"> Required authorization

Cluster privileges: manage_own_api_key

External documentation

Query parameters

refresh string

If true (the default) then refresh the affected shards to make this operation visible to search, if wait_for then wait for a refresh to make this operation visible to search, if false then do nothing with refreshes.

Values are true, false, or wait_for.

application/json

Body Required

expiration string

A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
name string
role_descriptors object

An array of role descriptors for this API key. When it is not specified or it is an empty array, the API key will have a point in time snapshot of permissions of the authenticated user. If you supply role descriptors, the resultant permissions are an intersection of API keys permissions and the authenticated user's permissions thereby limiting the access scope for API keys. The structure of role descriptor is the same as the request for the create role API. For more details, refer to the create or update roles API.

NOTE: Due to the way in which this permission intersection is calculated, it is not possible to create an API key that is a child of another API key, unless the derived key is created without any privileges. In this case, you must explicitly specify a role descriptor with no privileges. The derived API key can be used for authentication; it will not have authority to call Elasticsearch APIs.

External documentation
details#setActive"> Hide role_descriptors attribute Show role_descriptors attribute object
- * object Additional properties
  details#setActive"> Hide * attributes Show * attributes object
  
  cluster array[string]
  
  A list of cluster privileges. These privileges define the cluster level actions that API keys are able to execute.
  
  indices array[object]
  
  A list of indices permissions entries.
  
  details#setActive"> Hide indices attributes Show indices attributes object
  
  field_security object
  
  details#setActive"> Hide field_security attributes Show field_security attributes object
  
  except string | array[string]
  
  grant string | array[string]
  
  names string | array[string] Required
  
  A list of indices (or index name patterns) to which the permissions in this entry apply.
  
  alternative#change alternative:form->explorer-send-request#updateRequest" data-tabs-scroll="true">
  One of:
  tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-create-api-key-body-application-json-role_descriptors-indices-names" role="tab" aria-controls="operation-security-create-api-key-body-application-json-role_descriptors-indices-names" tabindex="0"> IndexName string tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-create-api-key-body-application-json-role_descriptors-indices-array-2-names-array-string" role="tab" aria-controls="operation-security-create-api-key-body-application-json-role_descriptors-indices-array-2-names-array-string" tabindex="0"> array-2 array[string]
  
  privileges array[string] Required
  
  The index level privileges that owners of the role have on the specified indices.
  
  query string | object
  
  While creating or updating a role you can provide either a JSON structure or a string to the API. However, the response provided by Elasticsearch will only be string with a json-as-text content.
  
  Since this is embedded in IndicesPrivileges, the same structure is used for clarity in both contexts.
  
  alternative#change alternative:form->explorer-send-request#updateRequest" data-tabs-scroll="true">
  One of:
  tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-create-api-key-body-application-json-role_descriptors-indices" role="tab" aria-controls="operation-security-create-api-key-body-application-json-role_descriptors-indices" tabindex="0"> string-1 string tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-create-api-key-body-application-json-role_descriptors-indices-querycontainer-object" role="tab" aria-controls="operation-security-create-api-key-body-application-json-role_descriptors-indices-querycontainer-object" tabindex="0"> QueryContainer object tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-create-api-key-body-application-json-role_descriptors-indices-roletemplatequery-object" role="tab" aria-controls="operation-security-create-api-key-body-application-json-role_descriptors-indices-roletemplatequery-object" tabindex="0"> RoleTemplateQuery object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  allow_restricted_indices boolean Generally available
  
  Set to true if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the names list, Elasticsearch checks privileges against these indices regardless of the value set for allow_restricted_indices.
  
  Default value is false.
  
  remote_indices array[object] Generally available; Added in 8.14.0
  
  A list of indices permissions for remote clusters.
  
  The subset of index level privileges that can be defined for remote clusters.
  
  details#setActive"> Hide remote_indices attributes Show remote_indices attributes object
  
  clusters string | array[string] Required
  
  field_security object
  
  details#setActive"> Hide field_security attributes Show field_security attributes object
  
  except string | array[string]
  
  grant string | array[string]
  
  names string | array[string] Required
  
  A list of indices (or index name patterns) to which the permissions in this entry apply.
  
  alternative#change alternative:form->explorer-send-request#updateRequest" data-tabs-scroll="true">
  One of:
  tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-create-api-key-body-application-json-role_descriptors-remote_indices-names" role="tab" aria-controls="operation-security-create-api-key-body-application-json-role_descriptors-remote_indices-names" tabindex="0"> IndexName string tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-create-api-key-body-application-json-role_descriptors-remote_indices-array-2-names-array-string" role="tab" aria-controls="operation-security-create-api-key-body-application-json-role_descriptors-remote_indices-array-2-names-array-string" tabindex="0"> array-2 array[string]
  
  privileges array[string] Required
  
  The index level privileges that owners of the role have on the specified indices.
  
  query string | object
  
  While creating or updating a role you can provide either a JSON structure or a string to the API. However, the response provided by Elasticsearch will only be string with a json-as-text content.
  
  Since this is embedded in IndicesPrivileges, the same structure is used for clarity in both contexts.
  
  alternative#change alternative:form->explorer-send-request#updateRequest" data-tabs-scroll="true">
  One of:
  tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-create-api-key-body-application-json-role_descriptors-remote_indices" role="tab" aria-controls="operation-security-create-api-key-body-application-json-role_descriptors-remote_indices" tabindex="0"> string-1 string tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-create-api-key-body-application-json-role_descriptors-remote_indices-querycontainer-object" role="tab" aria-controls="operation-security-create-api-key-body-application-json-role_descriptors-remote_indices-querycontainer-object" tabindex="0"> QueryContainer object tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-create-api-key-body-application-json-role_descriptors-remote_indices-roletemplatequery-object" role="tab" aria-controls="operation-security-create-api-key-body-application-json-role_descriptors-remote_indices-roletemplatequery-object" tabindex="0"> RoleTemplateQuery object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  allow_restricted_indices boolean Generally available
  
  Set to true if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the names list, Elasticsearch checks privileges against these indices regardless of the value set for allow_restricted_indices.
  
  Default value is false.
  
  remote_cluster array[object] Generally available; Added in 8.15.0
  
  A list of cluster permissions for remote clusters. NOTE: This is limited a subset of the cluster permissions.
  
  The subset of cluster level privileges that can be defined for remote clusters.
  
  details#setActive"> Hide remote_cluster attributes Show remote_cluster attributes object
  
  clusters string | array[string] Required
  
  privileges array[string] Required
  
  The cluster level privileges that owners of the role have on the remote cluster.
  
  Values are monitor_enrich or monitor_stats.
  
  global array[object] | object
  
  An object defining global privileges. A global privilege is a form of cluster privilege that is request-aware. Support for global privileges is currently limited to the management of application privileges.
  
  alternative#change alternative:form->explorer-send-request#updateRequest" data-tabs-scroll="true">
  One of:
  tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-create-api-key-body-application-json-role_descriptors-global" role="tab" aria-controls="operation-security-create-api-key-body-application-json-role_descriptors-global" tabindex="0"> array-1 array[object] tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-create-api-key-body-application-json-role_descriptors-globalprivilege-global-object" role="tab" aria-controls="operation-security-create-api-key-body-application-json-role_descriptors-globalprivilege-global-object" tabindex="0"> GlobalPrivilege object
  
  details#setActive"> Hide attribute Show attribute object
  
  application object Required
  
  details#setActive"> Hide application attribute Show application attribute object
  
  manage object Required
  
  details#setActive"> Hide attribute Show attribute
  
  application object Required
  
  details#setActive"> Hide application attribute Show application attribute object
  
  manage object Required
  
  details#setActive"> Hide manage attribute Show manage attribute object
  
  applications array[string] Required
  
  applications array[object]
  
  A list of application privilege entries
  
  details#setActive"> Hide applications attributes Show applications attributes object
  
  application string Required
  
  The name of the application to which this entry applies.
  
  privileges array[string] Required
  
  A list of strings, where each element is the name of an application privilege or action.
  
  resources array[string] Required
  
  A list resources to which the privileges are applied.
  
  metadata object
  
  details#setActive"> Hide metadata attribute Show metadata attribute object
  
  * object Additional properties
  
  run_as array[string]
  
  A list of users that the API keys can impersonate. NOTE: In Elastic Cloud Serverless, the run-as feature is disabled. For API compatibility, you can still specify an empty run_as field, but a non-empty list will be rejected.
  
  description string
  
  Optional description of the role descriptor
  
  restriction object
  
  details#setActive"> Hide restriction attribute Show restriction attribute object
  
  workflows array[string] Required
  
  A list of workflows to which the API key is restricted. NOTE: In order to use a role restriction, an API key must be created with a single role descriptor.
  
  transient_metadata object
  
  details#setActive"> Hide transient_metadata attribute Show transient_metadata attribute object
  
  * object Additional properties
metadata object
details#setActive"> Hide metadata attribute Show metadata attribute object
- * object Additional properties

Responses

200 application/json
details#setActive"> Hide response attributes Show response attributes object
- api_key string Required
  
  Generated API key.
- expiration number
  
  Expiration in milliseconds for the API key.
- id string Required
- name string Required
- encoded string Required Generally available; Added in 7.16.0
  
  API key credentials which is the base64-encoding of the UTF-8 representation of id and api_key joined by a colon (:).

POST /_security/api_key

POST /_security/api_key
{
  "name": "my-api-key",
  "expiration": "1d",   
  "role_descriptors": { 
    "role-a": {
      "cluster": ["all"],
      "indices": [
        {
          "names": ["index-a*"],
          "privileges": ["read"]
        }
      ]
    },
    "role-b": {
      "cluster": ["all"],
      "indices": [
        {
          "names": ["index-b*"],
          "privileges": ["all"]
        }
      ]
    }
  },
  "metadata": {
    "application": "my-application",
    "environment": {
      "level": 1,
      "trusted": true,
      "tags": ["dev", "staging"]
    }
  }
}

resp = client.security.create_api_key(
    name="my-api-key",
    expiration="1d",
    role_descriptors={
        "role-a": {
            "cluster": [
                "all"
            ],
            "indices": [
                {
                    "names": [
                        "index-a*"
                    ],
                    "privileges": [
                        "read"
                    ]
                }
            ]
        },
        "role-b": {
            "cluster": [
                "all"
            ],
            "indices": [
                {
                    "names": [
                        "index-b*"
                    ],
                    "privileges": [
                        "all"
                    ]
                }
            ]
        }
    },
    metadata={
        "application": "my-application",
        "environment": {
            "level": 1,
            "trusted": True,
            "tags": [
                "dev",
                "staging"
            ]
        }
    },
)

const response = await client.security.createApiKey({
  name: "my-api-key",
  expiration: "1d",
  role_descriptors: {
    "role-a": {
      cluster: ["all"],
      indices: [
        {
          names: ["index-a*"],
          privileges: ["read"],
        },
      ],
    },
    "role-b": {
      cluster: ["all"],
      indices: [
        {
          names: ["index-b*"],
          privileges: ["all"],
        },
      ],
    },
  },
  metadata: {
    application: "my-application",
    environment: {
      level: 1,
      trusted: true,
      tags: ["dev", "staging"],
    },
  },
});

response = client.security.create_api_key(
  body: {
    "name": "my-api-key",
    "expiration": "1d",
    "role_descriptors": {
      "role-a": {
        "cluster": [
          "all"
        ],
        "indices": [
          {
            "names": [
              "index-a*"
            ],
            "privileges": [
              "read"
            ]
          }
        ]
      },
      "role-b": {
        "cluster": [
          "all"
        ],
        "indices": [
          {
            "names": [
              "index-b*"
            ],
            "privileges": [
              "all"
            ]
          }
        ]
      }
    },
    "metadata": {
      "application": "my-application",
      "environment": {
        "level": 1,
        "trusted": true,
        "tags": [
          "dev",
          "staging"
        ]
      }
    }
  }
)

$resp = $client->security()->createApiKey([
    "body" => [
        "name" => "my-api-key",
        "expiration" => "1d",
        "role_descriptors" => [
            "role-a" => [
                "cluster" => array(
                    "all",
                ),
                "indices" => array(
                    [
                        "names" => array(
                            "index-a*",
                        ),
                        "privileges" => array(
                            "read",
                        ),
                    ],
                ),
            ],
            "role-b" => [
                "cluster" => array(
                    "all",
                ),
                "indices" => array(
                    [
                        "names" => array(
                            "index-b*",
                        ),
                        "privileges" => array(
                            "all",
                        ),
                    ],
                ),
            ],
        ],
        "metadata" => [
            "application" => "my-application",
            "environment" => [
                "level" => 1,
                "trusted" => true,
                "tags" => array(
                    "dev",
                    "staging",
                ),
            ],
        ],
    ],
]);

curl -X POST -H "Authorization: ApiKey $ELASTIC_API_KEY" -H "Content-Type: application/json" -d '{"name":"my-api-key","expiration":"1d","role_descriptors":{"role-a":{"cluster":["all"],"indices":[{"names":["index-a*"],"privileges":["read"]}]},"role-b":{"cluster":["all"],"indices":[{"names":["index-b*"],"privileges":["all"]}]}},"metadata":{"application":"my-application","environment":{"level":1,"trusted":true,"tags":["dev","staging"]}}}' "$ELASTICSEARCH_URL/_security/api_key"

client.security().createApiKey(c -> c
    .expiration(e -> e
        .time("1d")
    )
    .metadata(Map.of("environment", JsonData.fromJson("{\"level\":1,\"trusted\":true,\"tags\":[\"dev\",\"staging\"]}"),"application", JsonData.fromJson("\"my-application\"")))
    .name("my-api-key")
    .roleDescriptors(Map.of("role-b", RoleDescriptor.of(r -> r
            .cluster("all")
            .indices(i -> i
                .names("index-b*")
                .privileges("all")
            )),"role-a", RoleDescriptor.of(r -> r
            .cluster("all")
            .indices(i -> i
                .names("index-a*")
                .privileges("read")
            ))))
);

Request example

Run `POST /_security/api_key` to create an API key. If `expiration` is not provided, the API keys do not expire. If `role_descriptors` is not provided, the permissions of the authenticated user are applied.

{
  "name": "my-api-key",
  "expiration": "1d",   
  "role_descriptors": { 
    "role-a": {
      "cluster": ["all"],
      "indices": [
        {
          "names": ["index-a*"],
          "privileges": ["read"]
        }
      ]
    },
    "role-b": {
      "cluster": ["all"],
      "indices": [
        {
          "names": ["index-b*"],
          "privileges": ["all"]
        }
      ]
    }
  },
  "metadata": {
    "application": "my-application",
    "environment": {
      "level": 1,
      "trusted": true,
      "tags": ["dev", "staging"]
    }
  }
}

Response examples (200)

A successful response from `POST /_security/api_key`.

{
  "id": "VuaCfGcBCdbkQm-e5aOx",        
  "name": "my-api-key",
  "expiration": 1544068612110,         
  "api_key": "ui2lp2axTNmsyakw9tvNnw", 
  "encoded": "VnVhQ2ZHY0JDZGJrUW0tZTVhT3g6dWkybHAyYXhUTm1zeWFrdzl0dk5udw=="  
}

Create an API key Generally available; Added in 6.7.0

highlight#highlightFromAnchor" href="#topic-required-authorization"> Required authorization

Query parameters

Body Required

names string | array[string] Required

query string | object

names string | array[string] Required

query string | object

global array[object] | object

Responses