Authenticate a user (added in 5.5.0)

GET /_security/_authenticate

Authenticates a user and returns information about the authenticated user. Include the user information in a basic auth header. A successful call returns a JSON structure that shows user information such as their username, the roles that are assigned to the user, any assigned metadata, and information about the realms that authenticated and authorized the user. If the user cannot be authenticated, this API returns a 401 status code.

Responses

  • 200 application/json
    • api_key object

      Additional properties are allowed.

      • creation number

        Creation time for the API key in milliseconds.

      • expiration number

        Expiration time for the API key in milliseconds.

      • id string Required
      • invalidated boolean

        Invalidation status for the API key. If the key has been invalidated, it has a value of true. Otherwise, it is false.

      • name string Required
      • realm string

        Realm name of the principal for which this API key was created.

      • realm_type string

        Realm type of the principal for which this API key was created.

      • username string
      • profile_uid string

        The profile uid for the API key owner principal, if requested and if it exists.

      • metadata object
        • * object Additional properties

          Additional properties are allowed.

      • role_descriptors object

        The role descriptors assigned to this API key when it was created or last updated. An empty role descriptor means the API key inherits the owner user’s permissions.

        • * object Additional properties

          Additional properties are allowed.

          • cluster array[string]

            A list of cluster privileges. These privileges define the cluster level actions that API keys are able to execute.

          • indices array[object]

            A list of indices permissions entries.

            • field_security object

              Additional properties are allowed.

            • names array[string] Required

              A list of indices (or index name patterns) to which the permissions in this entry apply.

            • privileges array[string] Required

              The index level privileges that owners of the role have on the specified indices.

            • allow_restricted_indices boolean

              Set to true if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the names list, Elasticsearch checks privileges against these indices regardless of the value set for allow_restricted_indices.

          • global array[object] | object

            An object defining global privileges. A global privilege is a form of cluster privilege that is request-aware. Support for global privileges is currently limited to the management of application privileges.

            One of:

            Additional properties are allowed.

          • applications array[object]

            A list of application privilege entries.

            • application string Required

              The name of the application to which this entry applies.

            • privileges array[string] Required

              A list of strings, where each element is the name of an application privilege or action.

            • resources array[string] Required

              A list of resources to which the privileges are applied.

          • metadata object
            • * object Additional properties

              Additional properties are allowed.

          • run_as array[string]

            A list of users that the API keys can impersonate. Note: in Serverless, the run-as feature is disabled. For API compatibility, you can still specify an empty run_as field, but a non-empty list will be rejected.

          • description string

            Optional description of the role descriptor.

          • transient_metadata object
            • * object Additional properties

              Additional properties are allowed.

      • limited_by array[object]

        The owner user’s permissions associated with the API key. It is a point-in-time snapshot captured at creation and subsequent updates. An API key’s effective permissions are an intersection of its assigned privileges and the owner user’s permissions.

        • * object Additional properties

          Additional properties are allowed.

          • cluster array[string]

            A list of cluster privileges. These privileges define the cluster level actions that API keys are able to execute.

          • indices array[object]

            A list of indices permissions entries.

            Additional properties are allowed.

          • global array[object] | object

            An object defining global privileges. A global privilege is a form of cluster privilege that is request-aware. Support for global privileges is currently limited to the management of application privileges.

          • applications array[object]

            A list of application privilege entries.

            Additional properties are allowed.

          • metadata object
            • * object Additional properties

              Additional properties are allowed.

          • run_as array[string]

            A list of users that the API keys can impersonate. Note: in Serverless, the run-as feature is disabled. For API compatibility, you can still specify an empty run_as field, but a non-empty list will be rejected.

          • description string

            Optional description of the role descriptor.

          • transient_metadata object
            • * object Additional properties

              Additional properties are allowed.

      • _sort array[number | string | boolean | null | object]
    • authentication_realm object Required

      Additional properties are allowed.

    • lookup_realm object Required

      Additional properties are allowed.

    • metadata object Required
      • * object Additional properties

        Additional properties are allowed.

    • roles array[string] Required
    • username string Required
    • enabled boolean Required
    • authentication_type string Required
    • token object

      Additional properties are allowed.

GET /_security/_authenticate
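# -u sends the basic auth header; curl prompts for the password.
# ES_USER is a placeholder for the username to authenticate.
curl \
 -u "$ES_USER" \
 -X GET http://api.example.com/_security/_authenticate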
Response examples (200)
{
  "api_key": {
    "creation": 42.0,
    "expiration": 42.0,
    "id": "string",
    "invalidated": true,
    "name": "string",
    "realm": "string",
    "realm_type": "string",
    "username": "string",
    "profile_uid": "string",
    "metadata": {
      "additionalProperty1": {},
      "additionalProperty2": {}
    },
    "role_descriptors": {
      "additionalProperty1": {
        "cluster": [
          "string"
        ],
        "indices": [
          {
            "field_security": {},
            "names": [
              "string"
            ],
            "privileges": [
              "string"
            ],
            "allow_restricted_indices": true
          }
        ],
        "global": [
          {}
        ],
        "applications": [
          {
            "application": "string",
            "privileges": [
              "string"
            ],
            "resources": [
              "string"
            ]
          }
        ],
        "metadata": {
          "additionalProperty1": {},
          "additionalProperty2": {}
        },
        "run_as": [
          "string"
        ],
        "description": "string",
        "transient_metadata": {
          "additionalProperty1": {},
          "additionalProperty2": {}
        }
      },
      "additionalProperty2": {
        "cluster": [
          "string"
        ],
        "indices": [
          {
            "field_security": {},
            "names": [
              "string"
            ],
            "privileges": [
              "string"
            ],
            "allow_restricted_indices": true
          }
        ],
        "global": [
          {}
        ],
        "applications": [
          {
            "application": "string",
            "privileges": [
              "string"
            ],
            "resources": [
              "string"
            ]
          }
        ],
        "metadata": {
          "additionalProperty1": {},
          "additionalProperty2": {}
        },
        "run_as": [
          "string"
        ],
        "description": "string",
        "transient_metadata": {
          "additionalProperty1": {},
          "additionalProperty2": {}
        }
      }
    },
    "limited_by": [
      {
        "additionalProperty1": {
          "cluster": [
            "string"
          ],
          "indices": [
            {}
          ],
          "global": [
            {}
          ],
          "applications": [
            {}
          ],
          "metadata": {
            "additionalProperty1": {},
            "additionalProperty2": {}
          },
          "run_as": [
            "string"
          ],
          "description": "string",
          "transient_metadata": {
            "additionalProperty1": {},
            "additionalProperty2": {}
          }
        },
        "additionalProperty2": {
          "cluster": [
            "string"
          ],
          "indices": [
            {}
          ],
          "global": [
            {}
          ],
          "applications": [
            {}
          ],
          "metadata": {
            "additionalProperty1": {},
            "additionalProperty2": {}
          },
          "run_as": [
            "string"
          ],
          "description": "string",
          "transient_metadata": {
            "additionalProperty1": {},
            "additionalProperty2": {}
          }
        }
      }
    ],
    "_sort": [
      42.0
    ]
  },
  "authentication_realm": {
    "name": "string",
    "type": "string"
  },
  "email": "string",
  "full_name": "string",
  "lookup_realm": {
    "name": "string",
    "type": "string"
  },
  "metadata": {
    "additionalProperty1": {},
    "additionalProperty2": {}
  },
  "roles": [
    "string"
  ],
  "username": "string",
  "enabled": true,
  "authentication_type": "string",
  "token": {
    "name": "string",
    "type": "string"
  }
}
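
The following added example (not part of the Elasticsearch documentation) parses an _authenticate response body and reports the conditions the attribute descriptions above call out: a disabled user, an invalidated or expired API key, an empty role_descriptors object, a non-empty run_as list, and wildcard index patterns with allow_restricted_indices set. The function name, finding strings and sample response are constructed for illustration, and expiration is assumed to be epoch milliseconds.

```python
import json

# Constructed sample response (not from a real cluster); field names follow
# the response schema on this page.
SAMPLE = json.loads("""
{"username": "svc-ingest", "enabled": true, "roles": [],
 "authentication_type": "api_key", "metadata": {},
 "authentication_realm": {"name": "_es_api_key", "type": "_es_api_key"},
 "lookup_realm": {"name": "_es_api_key", "type": "_es_api_key"},
 "api_key": {"id": "constructed-id", "name": "ingest-key",
   "invalidated": false, "creation": 1700000000000,
   "role_descriptors": {"ingest": {
     "cluster": ["monitor"], "run_as": ["admin_user"],
     "indices": [{"names": ["*"], "privileges": ["write"],
                  "allow_restricted_indices": true}]}}}}
""")

def audit_authenticate(resp, now_ms):
    """Return review findings for a parsed _authenticate response body."""
    findings = []
    if not resp["enabled"]:
        findings.append("user is disabled")
    auth, lookup = resp["authentication_realm"], resp["lookup_realm"]
    if auth != lookup:
        findings.append(f"authenticated by realm {auth['name']!r} but looked up in {lookup['name']!r}")
    key = resp.get("api_key")
    if key is None:
        return findings  # request was not authenticated with an API key
    if key.get("invalidated"):
        findings.append("api key is invalidated")
    expiration = key.get("expiration")  # assumption: epoch milliseconds
    if expiration is None:
        findings.append("api key has no expiration")
    elif expiration <= now_ms:
        findings.append("api key is expired")
    descriptors = key.get("role_descriptors") or {}
    if not descriptors:
        findings.append("no role descriptors: key inherits the owner's permissions")
    for role, rd in descriptors.items():
        if rd.get("run_as"):
            findings.append(f"{role}: may impersonate {sorted(rd['run_as'])}")
        for entry in rd.get("indices", []):
            wildcard = [n for n in entry["names"] if "*" in n]
            if wildcard and entry.get("allow_restricted_indices"):
                findings.append(f"{role}: wildcard {wildcard} with allow_restricted_indices set")
    return findings
```

Call audit_authenticate(body, now_ms) with the parsed JSON body of a 200 response and the current time in milliseconds; an empty list means none of the checked conditions applied.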