Invalidate API keys Added in 6.7.0

DELETE /_security/api_key

This API invalidates API keys created by the create API key or grant API key APIs. Invalidated API keys fail authentication, but they can still be viewed using the get API key information and query API key information APIs, for at least the configured retention period, until they are automatically deleted. The manage_api_key privilege allows deleting any API keys. The manage_own_api_key only allows deleting API keys that are owned by the user. In addition, with the manage_own_api_key privilege, an invalidation request must be issued in one of the three formats:

  • Set the parameter owner=true.
  • Or, set both username and realm_name to match the user’s identity.
  • Or, if the request is issued by an API key, that is to say an API key invalidates itself, specify its ID in the ids field.
application/json

Body Required

  • id string
  • ids array[string]

    A list of API key ids. This parameter cannot be used with any of name, realm_name, or username.

  • name string
  • owner boolean

    Can be used to query API keys owned by the currently authenticated user. The realm_name or username parameters cannot be specified when this parameter is set to true as they are assumed to be the currently authenticated ones.

  • The name of an authentication realm. This parameter cannot be used with either ids or name, or when owner flag is set to true.

  • username string

Responses

DELETE /_security/api_key
curl \
 -X DELETE http://api.example.com/_security/api_key \
 -H "Content-Type: application/json" \
 -d '{"id":"string","ids":["string"],"name":"string","owner":true,"realm_name":"string","username":"string"}'