
APM agent authorization

Agent authorization APM Server configuration options.

Example config file:

apm-server:
  auth:
    api_key:
      enabled: true
      limit: 100
      token: "your_secret_token"

Configure and customize Fleet-managed APM settings directly in Kibana:

  1. In Kibana, find Fleet in the main menu or use the global search field.
  2. Under the Agent policies tab, select the policy you would like to configure.
  3. Find the Elastic APM integration and select Actions > Edit integration.
  4. Look for these settings under Agent authorization.

These settings apply to API key communication between the APM Server and APM Agents.

Note

These settings are different from the API key settings used for Elasticsearch output and monitoring.

Enable API key authorization by setting enabled to true. By default, enabled is set to false, and API key support is disabled. (bool)

APM Server binary: apm-server.auth.api_key.enabled
Fleet-managed: API key for agent authentication
Tip

Not using Elastic APM agents? When enabled, third-party APM agents must include a valid API key in the following format: Authorization: ApiKey <token>. The key must be the base64 encoded representation of the API key’s id:name.

Each unique API key triggers one request to Elasticsearch. This setting restricts the number of unique API keys allowed per minute. The minimum value for this setting should be the number of API keys configured in your monitored services. The default limit is 100. (int)

APM Server binary: apm-server.auth.api_key.limit
Fleet-managed: Number of keys

Authorization token for sending APM data. The same token must also be set in each APM agent. This token is not used for RUM endpoints. (text)

APM Server binary: apm-server.auth.api_key.token
Fleet-managed: Secret token
Note

supported deployment methods

The below options are only supported by the APM Server binary.

All of the apm-server.auth.api_key.elasticsearch.* configurations are optional. If none are set, configuration settings from the apm-server.output section will be reused.

API keys are fetched from Elasticsearch. This configuration needs to point to a secured Elasticsearch cluster that is able to serve API key requests.

The name of the protocol Elasticsearch is reachable on. The options are: http or https. The default is http. If nothing is configured, configuration settings from the output section will be reused.

An optional HTTP path prefix that is prepended to the HTTP API calls. If nothing is configured, configuration settings from the output section will be reused.

The URL of the proxy to use when connecting to the Elasticsearch servers. The value may be either a complete URL or a "host[:port]", in which case the "http" scheme is assumed. If nothing is configured, configuration settings from the output section will be reused.

The HTTP request timeout in seconds for the Elasticsearch request. If nothing is configured, configuration settings from the output section will be reused.

SSL is off by default. Set elasticsearch.protocol to https if you want to enable https.

Enable custom SSL settings. Set to false to ignore custom SSL settings for secure communication.

Configure SSL verification mode. If "none" is configured, all server hosts and certificates will be accepted. In this mode, SSL based connections are susceptible to man-in-the-middle attacks. Use only for testing. Default is full.

List of supported/valid TLS versions. The default value is [TLSv1.1, TLSv1.2, TLSv1.3].

List of root certificates for HTTPS server verifications.

The path to the certificate for SSL client authentication.

The client certificate key used for client authentication. This option is required if certificate is specified.

An optional passphrase used to decrypt an encrypted key stored in the configured key file.

The list of cipher suites to use. The first entry has the highest priority. If this option is omitted, the Go crypto library’s default suites are used (recommended).

The list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral key exchange).

Configure what types of renegotiation are supported. Valid options are never, once, and freely. Default is never.

  • never - Disables renegotiation.
  • once - Allows a remote server to request renegotiation once per connection.
  • freely - Allows a remote server to repeatedly request renegotiation.
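
A configuration check for the settings on this page, as an added example that is not part of the Elastic documentation or the APM Server code base. It assumes apm-server.yml has already been loaded into a nested dict; the elasticsearch.* option names used (protocol, ssl.verification_mode, ssl.supported_protocols, ssl.renegotiation) are the standard APM Server keys, which this page describes without naming, and SAMPLE and keys_in_use are constructed for illustration.

```python
# Added example (not Elastic code). Input: apm-server.yml already loaded into a
# nested dict by a YAML parser. SAMPLE below is constructed for illustration.
API_KEY = "apm-server.auth.api_key"

def flatten(node, prefix=""):
    """Collapse nested settings into dotted names such as apm-server.auth.api_key.limit."""
    flat = {}
    for key, value in node.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, name))
        else:
            flat[name] = value
    return flat

def audit(config, keys_in_use=0):
    """Return findings for weak agent-authorization settings."""
    cfg = flatten(config)

    def es(name, default):
        # Assumption: an unset elasticsearch.* option falls back to output.elasticsearch.*
        return cfg.get(f"{API_KEY}.elasticsearch.{name}",
                       cfg.get(f"output.elasticsearch.{name}", default))

    findings = []
    if cfg.get(f"{API_KEY}.enabled", False) is not True:
        findings.append("api_key.enabled is not true: API key support is disabled")
    if cfg.get(f"{API_KEY}.limit", 100) < keys_in_use:
        findings.append("api_key.limit is lower than the number of API keys in use")
    if es("protocol", "http") != "https":
        findings.append("elasticsearch.protocol is http: API key lookups are not encrypted")
    if es("ssl.verification_mode", "full") == "none":
        findings.append("ssl.verification_mode is none: exposed to man-in-the-middle")
    if "TLSv1.1" in es("ssl.supported_protocols", ["TLSv1.1", "TLSv1.2", "TLSv1.3"]):
        findings.append("ssl.supported_protocols still allows TLSv1.1")
    if es("ssl.renegotiation", "never") != "never":
        findings.append("ssl.renegotiation is not never")
    return findings

SAMPLE = {  # constructed config, not from a real deployment
    "apm-server": {"auth": {"api_key": {
        "enabled": True, "limit": 100,
        "elasticsearch": {"protocol": "https",
                          "ssl": {"verification_mode": "none", "renegotiation": "freely"}},
    }}},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE, keys_in_use=120):
        print("WARN", finding)
```

Run it against each rendered configuration before deployment; an empty list means none of the weak settings described above is present.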
