Invalidate API keys Added in 6.7.0
This API invalidates API keys created by the create API key or grant API key APIs.
Invalidated API keys fail authentication, but they can still be viewed using the get API key information and query API key information APIs, for at least the configured retention period, until they are automatically deleted.
The manage_api_key privilege allows deleting any API keys.
The manage_own_api_key privilege only allows deleting API keys that are owned by the user.
In addition, with the manage_own_api_key privilege, an invalidation request must be issued in one of these three formats:
- Set the parameter owner=true.
- Or, set both username and realm_name to match the user's identity.
- Or, if the request is issued by an API key, that is to say an API key invalidates itself, specify its ID in the ids field.
Body Required
- id string
- ids array[string]
  A list of API key ids. This parameter cannot be used with any of name, realm_name, or username.
- name string
- owner boolean
  Can be used to query API keys owned by the currently authenticated user. The realm_name or username parameters cannot be specified when this parameter is set to true as they are assumed to be the currently authenticated ones.
- realm_name string
  The name of an authentication realm. This parameter cannot be used with either ids or name, or when owner flag is set to true.
- username string
curl \
-X DELETE http://api.example.com/_security/api_key \
-H "Content-Type: application/json" \
-d '{"id":"string","ids":["string"],"name":"string","owner":true,"realm_name":"string","username":"string"}'
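
The parameter conflicts and the three manage_own_api_key request formats described above can be checked on the client before a request is sent. The following Python is an added example, not part of the original documentation; body_errors, allowed_with_manage_own and the caller dict are hypothetical names, and the checks encode only the rules stated on this page.

```python
# Added example: pre-flight checks for an invalidate-API-key request body.
# Rules are the ones stated on this page; function names are hypothetical.
KNOWN_FIELDS = {"id", "ids", "name", "owner", "realm_name", "username"}


def body_errors(body):
    """Return the documented parameter conflicts in `body` (empty list = none)."""
    errors = []
    unknown = set(body) - KNOWN_FIELDS
    if unknown:  # assumption: treat fields the page does not list as mistakes
        errors.append(f"unknown fields: {sorted(unknown)}")
    # A field counts as set when it carries a non-empty, non-false value.
    present = {k for k, v in body.items() if v not in (None, "", [], False)}
    if "ids" in present:
        clash = present & {"name", "realm_name", "username"}
        if clash:
            errors.append(f"ids cannot be used with {sorted(clash)}")
    if body.get("owner") is True:
        clash = present & {"realm_name", "username"}
        if clash:
            errors.append(f"owner=true cannot be used with {sorted(clash)}")
    if {"realm_name", "name"} <= present:
        errors.append("realm_name cannot be used with name")
    return errors  # the page states no conflict rule for `id`, so none is checked


def allowed_with_manage_own(body, caller):
    """True if `body` uses one of the three formats required for manage_own_api_key.

    `caller` is a hypothetical dict with username, realm_name and api_key_id
    (api_key_id is None unless the request is authenticated by an API key).
    """
    if body.get("owner") is True:
        return True
    if body.get("username") and body.get("realm_name"):
        return (body["username"], body["realm_name"]) == (
            caller["username"], caller["realm_name"])
    # Assumption: self-invalidation means ids holds exactly the caller's key ID.
    if caller.get("api_key_id"):
        return body.get("ids") == [caller["api_key_id"]]
    return False


# Constructed sample: the all-fields body from the curl sample on this page.
ALL_FIELDS = {"id": "string", "ids": ["string"], "name": "string",
              "owner": True, "realm_name": "string", "username": "string"}

if __name__ == "__main__":
    for problem in body_errors(ALL_FIELDS):
        print("conflict:", problem)
```

Run against the all-fields body of the curl sample, body_errors reports three conflicts, so a working request carries only one compatible set of selectors.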