Get API key information Generally available; Added in 6.7.0

GET /_security/api_key
Api key auth Basic auth Bearer auth

Retrieves information for one or more API keys. NOTE: If you have only the manage_own_api_key privilege, this API returns only the API keys that you own. If you have read_security, manage_api_key or greater privileges (including manage_security), this API returns all API keys regardless of ownership.

Required authorization

  • Cluster privileges: manage_own_api_key,read_security

Query parameters

  • id string

    An API key id. This parameter cannot be used with any of name, realm_name or username.

  • name string

    An API key name. This parameter cannot be used with any of id, realm_name or username. It supports prefix search with wildcard.

  • owner boolean

    A boolean flag that can be used to query API keys owned by the currently authenticated user. The realm_name or username parameters cannot be specified when this parameter is set to true as they are assumed to be the currently authenticated ones.

  • realm_name string

    The name of an authentication realm. This parameter cannot be used with either id or name or when owner flag is set to true.

  • username string

    The username of a user. This parameter cannot be used with either id or name or when owner flag is set to true.

  • with_limited_by boolean

    Return the snapshot of the owner user's role descriptors associated with the API key. An API key's actual permission is the intersection of its assigned role descriptors and the owner user's role descriptors.

  • active_only boolean

    A boolean flag that can be used to query API keys that are currently active. An API key is considered active if it is neither invalidated, nor expired at query time. You can specify this together with other parameters such as owner or name. If active_only is false, the response will include both active and inactive (expired or invalidated) keys.

  • with_profile_uid boolean

    Determines whether to also retrieve the profile uid, for the API key owner principal, if it exists.

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • api_keys array[object] Required
      Hide api_keys attributes Show api_keys attributes object
      • id string Required
      • name string Required
      • type string Required

        Values are rest or cross_cluster.

      • creation number

        Time unit for milliseconds

      • expiration number

        Time unit for milliseconds

      • invalidated boolean Required

        Invalidation status for the API key. If the key has been invalidated, it has a value of true. Otherwise, it is false.

      • invalidation number

        Time unit for milliseconds

      • username string Required
      • realm string Required

        Realm name of the principal for which this API key was created.

      • realm_type string Generally available; Added in 8.14.0

        Realm type of the principal for which this API key was created

      • metadata object Required
        Hide metadata attribute Show metadata attribute object
        • * object Additional properties
      • role_descriptors object

        The role descriptors assigned to this API key when it was created or last updated. An empty role descriptor means the API key inherits the owner user’s permissions.

        Hide role_descriptors attribute Show role_descriptors attribute object
        • * object Additional properties
          Hide * attributes Show * attributes object
          • cluster array[string]

            A list of cluster privileges. These privileges define the cluster level actions that API keys are able to execute.

          • indices array[object]

            A list of indices permissions entries.

          • remote_indices array[object] Generally available; Added in 8.14.0

            A list of indices permissions for remote clusters.

            The subset of index level privileges that can be defined for remote clusters.

            The subset of index level privileges that can be defined for remote clusters.

          • remote_cluster array[object] Generally available; Added in 8.15.0

            A list of cluster permissions for remote clusters. NOTE: This is limited a subset of the cluster permissions.

            The subset of cluster level privileges that can be defined for remote clusters.

            The subset of cluster level privileges that can be defined for remote clusters.

          • global array[object] | object

            An object defining global privileges. A global privilege is a form of cluster privilege that is request-aware. Support for global privileges is currently limited to the management of application privileges.

            One of:
            array-1 array[object] GlobalPrivilege object
          • applications array[object]

            A list of application privilege entries

          • metadata object
            Hide metadata attribute Show metadata attribute object
            • * object Additional properties
          • run_as array[string]

            A list of users that the API keys can impersonate. NOTE: In Elastic Cloud Serverless, the run-as feature is disabled. For API compatibility, you can still specify an empty run_as field, but a non-empty list will be rejected.

          • description string

            Optional description of the role descriptor

          • restriction object
            Hide restriction attribute Show restriction attribute object
            • workflows array[string] Required

              A list of workflows to which the API key is restricted. NOTE: In order to use a role restriction, an API key must be created with a single role descriptor.

          • transient_metadata object
            Hide transient_metadata attribute Show transient_metadata attribute object
            • * object Additional properties
      • limited_by array[object] Generally available; Added in 8.5.0

        The owner user’s permissions associated with the API key. It is a point-in-time snapshot captured at creation and subsequent updates. An API key’s effective permissions are an intersection of its assigned privileges and the owner user’s permissions.

        Hide limited_by attribute Show limited_by attribute object
        • * object Additional properties
          Hide * attributes Show * attributes object
          • cluster array[string]

            A list of cluster privileges. These privileges define the cluster level actions that API keys are able to execute.

          • indices array[object]

            A list of indices permissions entries.

          • remote_indices array[object] Generally available; Added in 8.14.0

            A list of indices permissions for remote clusters.

          • remote_cluster array[object] Generally available; Added in 8.15.0

            A list of cluster permissions for remote clusters. NOTE: This is limited a subset of the cluster permissions.

          • global
          • applications array[object]

            A list of application privilege entries

          • metadata object
          • run_as array[string]

            A list of users that the API keys can impersonate. NOTE: In Elastic Cloud Serverless, the run-as feature is disabled. For API compatibility, you can still specify an empty run_as field, but a non-empty list will be rejected.

          • description string

            Optional description of the role descriptor

          • restriction object
          • transient_metadata object
      • access object
        Hide access attributes Show access attributes object
        • replication array[object]

          A list of indices permission entries for cross-cluster replication.

          Hide replication attributes Show replication attributes object
          • names
          • allow_restricted_indices boolean

            This needs to be set to true if the patterns in the names field should cover system indices.

        • search array[object]

          A list of indices permission entries for cross-cluster search.

          Hide search attributes Show search attributes object
          • field_security object
          • names
          • query
          • allow_restricted_indices boolean Generally available

            Set to true if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the names list, Elasticsearch checks privileges against these indices regardless of the value set for allow_restricted_indices.

      • profile_uid string Generally available; Added in 8.14.0

        The profile uid for the API key owner principal, if requested and if it exists

      • _sort array[number | string | boolean | null]

        A field value.
GET /_security/api_key 
GET /_security/api_key?username=myuser&realm_name=native1

resp = client.security.get_api_key(
    username="myuser",
    realm_name="native1",
)
const response = await client.security.getApiKey({
  username: "myuser",
  realm_name: "native1",
});
response = client.security.get_api_key(
  username: "myuser",
  realm_name: "native1"
)
$resp = $client->security()->getApiKey([
    "username" => "myuser",
    "realm_name" => "native1",
]);
curl -X GET -H "Authorization: ApiKey $ELASTIC_API_KEY" "$ELASTICSEARCH_URL/_security/api_key?username=myuser&realm_name=native1"
Response examples (200)
A successful response from `GET /_security/api_key?id=VuaCfGcBCdbkQm-e5aOx&with_limited_by=true`. 
{
  "api_keys": [ 
    {
      "id": "VuaCfGcBCdbkQm-e5aOx", 
      "name": "my-api-key", 
      "creation": 1548550550158, 
      "expiration": 1548551550158, 
      "invalidated": false, 
      "username": "myuser", 
      "realm": "native1", 
      "realm_type": "native",
      "metadata": { 
        "application": "myapp"
      },
      "role_descriptors": { }, 
      "limited_by": [  
        {
          "role-power-user": {
            "cluster": [
              "monitor"
            ],
            "indices": [
              {
                "names": [
                  "*"
                ],
                "privileges": [
                  "read"
                ],
                "allow_restricted_indices": false
              }
            ],
            "applications": [ ],
            "run_as": [ ],
            "metadata": { },
            "transient_metadata": {
              "enabled": true
            }
          }
        }
      ]
    }
  ]
}
A successful response from `GET /_security/api_key?username=myuser&realm_name=native1`. The response contains all API keys for the user `myuser` in the `native1` realm. 
{
  "api_keys": [
    {
      "id": "0GF5GXsBCXxz2eDxWwFN",
      "name": "hadoop_myuser_key",
      "creation": 1548550550158,
      "expiration": 1548551550158,
      "invalidated": false,
      "username": "myuser",
      "realm": "native1",
      "realm_type": "native",
      "metadata": {
        "application": "myapp"
      },
      "role_descriptors": {
        "role-a": {
          "cluster": [
            "monitor"
          ],
          "indices": [
            {
              "names": [
                "index-a"
              ],
              "privileges": [
                "read"
              ],
              "allow_restricted_indices": false
            }
          ],
          "applications": [ ],
          "run_as": [ ],
          "metadata": { },
          "transient_metadata": {
            "enabled": true
          }
        }
      }
    },
    {
      "id": "6wHJmcQpReKBa42EHV5SBw",
      "name": "api-key-name-2",
      "creation": 1548550550158,
      "invalidated": false,
      "username": "user-y",
      "realm": "realm-2",
      "metadata": {},
      "role_descriptors": { }
    }
  ]
}