Several types of Elasticsearch API keys exist:

• Personal/User API key: allows external services to access the Elastic Stack on behalf of a user.
• Cross-cluster API key: allows other clusters to connect to this cluster.
• Managed API key: created and managed by Kibana to run background tasks.

To manage API keys in Kibana, go to theAPI keys management page in the navigation menu or use theglobal search field.

• To use API keys in Kibana, you must have themanage_security,manage_api_key, or themanage_own_api_key cluster privileges.
• To delete API keys, you must have themanage_api_key ormanage_own_api_key privileges.
• To create or update auser API key, you must have themanage_api_key or themanage_own_api_key privilege.
• To create or update across-cluster API key, you must have themanage_security privilege and an Enterprise license.
• To have a read-only view on the API keys, you must have access to the page and theread_security cluster privilege.

To manage roles, go to theRoles management page using the navigation menu or theglobal search field, or use therole APIs.

Two methods are available to create an API key:

• As a quick option to create a personal API key from anywhere in Kibana:

  1. From theHelp menu (), selectConnection details > API key.
  2. Give the key a name.
  3. SelectCreate API key.

  Your personal API key is created with a default expiration of 90 days from the time of creation. You can manage the key from theAPI Keys page.

• To create a personal or cross-cluster API key with configurable options:

  1. Go to theAPI keys management page in the navigation menu or use theglobal search field.
  2. SelectCreate API key.

From theCreate API key pane, you can configure your new key:

1. Choose to create either a user or a cross-cluster API key.
2. Optionally, set an expiry date. By default the API key will not expire, but it's a good security practice to give the key a limited lifespan.
3. Configure access:
   • For a user API key, you can opt to configure access to specific Elasticsearch APIs and resources by assigning the key with predefined roles or custom privileges. Refer toDefining roles and theCreate API key API documentation to learn more.
   • For a cross-cluster API key, you can control the indices that other clusters have access to. Refer to theCreate cross-cluster API key API documentation to learn more.
4. Add any additional metadata about the API as one or more key-value pairs. Refer to theCreate API key API documentation for examples.

To update an API key, go to theAPI keys management page in the navigation menu or use theglobal search field. From theAPI keys page, click on the name of the key you want to update.

You can't update the name or the type of an API key.

• For a user API key, you can update:

  • The API key's access to Elasticsearch APIs and resources.
  • The metadata associated with the key.

  Refer to theUpdate API key API documentation to learn more.

• For a cross-cluster API key, you can update:

  • The indices that other clusters have access to.
  • The metadata associated with the key.

  Refer to theUpdate cross-cluster API key API documentation to learn more.

TheAPI Keys management page in Kibana lists your API keys, including the name, date created, and status. If an API key expires, its status changes fromActive toExpired.

If you havemanage_security ormanage_api_key permissions, you can view the API keys of all users, and see which API key was created by which user in which realm. If you have only themanage_own_api_key permission, you see only a list of your own keys.

You can delete API keys individually or in bulk, but you need themanage_api_keys ormanage_own_api_key privileges.