Get API key information | Elasticsearch API

Get API key information Added in 6.7.0

GET /_security/api_key

Retrieves information for one or more API keys. NOTE: If you have only the manage_own_api_key privilege, this API returns only the API keys that you own. If you have read_security, manage_api_key or greater privileges (including manage_security), this API returns all API keys regardless of ownership.

Query parameters

id string

An API key id. This parameter cannot be used with any of name, realm_name or username.
name string

An API key name. This parameter cannot be used with any of id, realm_name or username. It supports prefix search with wildcard.
owner boolean

A boolean flag that can be used to query API keys owned by the currently authenticated user. The realm_name or username parameters cannot be specified when this parameter is set to true as they are assumed to be the currently authenticated ones.
realm_name string

The name of an authentication realm. This parameter cannot be used with either id or name or when owner flag is set to true.
username string

The username of a user. This parameter cannot be used with either id or name or when owner flag is set to true.
with_limited_by boolean

Return the snapshot of the owner user's role descriptors associated with the API key. An API key's actual permission is the intersection of its assigned role descriptors and the owner user's role descriptors.
active_only boolean

A boolean flag that can be used to query API keys that are currently active. An API key is considered active if it is neither invalidated, nor expired at query time. You can specify this together with other parameters such as owner or name. If active_only is false, the response will include both active and inactive (expired or invalidated) keys.
with_profile_uid boolean

Determines whether to also retrieve the profile uid, for the API key owner principal, if it exists.

Responses

200 application/json
Hide response attribute Show response attribute object
- api_keys array[object] Required
  
  Hide api_keys attributes Show api_keys attributes object
  
  id string Required
  
  name string Required
  
  type string Required
  
  Values are rest or cross_cluster.
  
  creation number
  
  Time unit for milliseconds
  
  expiration number
  
  Time unit for milliseconds
  
  invalidated boolean Required
  
  Invalidation status for the API key. If the key has been invalidated, it has a value of true. Otherwise, it is false.
  
  invalidation number
  
  Time unit for milliseconds
  
  username string Required
  
  realm string Required
  
  Realm name of the principal for which this API key was created.
  
  realm_type string
  
  Realm type of the principal for which this API key was created
  
  metadata object Required
  
  Hide metadata attribute Show metadata attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  role_descriptors object
  
  The role descriptors assigned to this API key when it was created or last updated. An empty role descriptor means the API key inherits the owner user’s permissions.
  
  Hide role_descriptors attribute Show role_descriptors attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  Hide * attributes Show * attributes object
  
  cluster array[string]
  
  A list of cluster privileges. These privileges define the cluster level actions that API keys are able to execute.
  
  indices array[object]
  
  A list of indices permissions entries.
  
  Additional properties are allowed.
  
  remote_indices array[object]
  
  A list of indices permissions for remote clusters.
  
  Additional properties are allowed.
  
  remote_cluster array[object]
  
  A list of cluster permissions for remote clusters. Note - this is limited a subset of the cluster permissions.
  
  Additional properties are allowed.
  
  global array[object] | object
  
  An object defining global privileges. A global privilege is a form of cluster privilege that is request-aware. Support for global privileges is currently limited to the management of application privileges.
  
  One of:
  array-1 array[object] _types:GlobalPrivilege object
  
  Additional properties are allowed.
  
  applications array[object]
  
  A list of application privilege entries
  
  Additional properties are allowed.
  
  metadata object
  
  Hide metadata attribute Show metadata attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  run_as array[string]
  
  A list of users that the API keys can impersonate. Note: in Serverless, the run-as feature is disabled. For API compatibility, you can still specify an empty run_as field, but a non-empty list will be rejected.
  
  description string
  
  Optional description of the role descriptor
  
  restriction object
  
  Additional properties are allowed.
  
  Hide restriction attribute Show restriction attribute object
  
  workflows array[string] Required
  
  transient_metadata object
  
  Hide transient_metadata attribute Show transient_metadata attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  limited_by array[object]
  
  The owner user’s permissions associated with the API key. It is a point-in-time snapshot captured at creation and subsequent updates. An API key’s effective permissions are an intersection of its assigned privileges and the owner user’s permissions.
  
  Hide limited_by attribute Show limited_by attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  Hide * attributes Show * attributes object
  
  cluster array[string]
  
  A list of cluster privileges. These privileges define the cluster level actions that API keys are able to execute.
  
  indices array[object]
  
  A list of indices permissions entries.
  
  remote_indices array[object]
  
  A list of indices permissions for remote clusters.
  
  remote_cluster array[object]
  
  A list of cluster permissions for remote clusters. Note - this is limited a subset of the cluster permissions.
  
  global
  
  applications array[object]
  
  A list of application privilege entries
  
  metadata object
  
  run_as array[string]
  
  A list of users that the API keys can impersonate. Note: in Serverless, the run-as feature is disabled. For API compatibility, you can still specify an empty run_as field, but a non-empty list will be rejected.
  
  description string
  
  Optional description of the role descriptor
  
  restriction object
  
  Additional properties are allowed.
  
  transient_metadata object
  
  access object
  
  Additional properties are allowed.
  
  Hide access attributes Show access attributes object
  
  replication array[object]
  
  A list of indices permission entries for cross-cluster replication.
  
  Hide replication attributes Show replication attributes object
  
  names
  
  allow_restricted_indices boolean
  
  This needs to be set to true if the patterns in the names field should cover system indices.
  
  search array[object]
  
  A list of indices permission entries for cross-cluster search.
  
  Hide search attributes Show search attributes object
  
  field_security object
  
  Additional properties are allowed.
  
  names
  
  query
  
  allow_restricted_indices boolean
  
  Set to true if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the names list, Elasticsearch checks privileges against these indices regardless of the value set for allow_restricted_indices.
  
  profile_uid string
  
  The profile uid for the API key owner principal, if requested and if it exists
  
  _sort array[number | string | boolean | null | object]
  
  A field value.
  
  One of:
  _types:FieldValue number _types:FieldValue number _types:FieldValue string _types:FieldValue boolean _types:FieldValue string | null _types:FieldValue object
  
  Additional properties are allowed.

GET /_security/api_key

curl \
 -X GET http://api.example.com/_security/api_key

Response examples (200)

{
  "api_keys": [
    {
      "id": "string",
      "name": "string",
      "type": "rest",
      "": 42.0,
      "invalidated": true,
      "username": "string",
      "realm": "string",
      "realm_type": "string",
      "metadata": {
        "additionalProperty1": {},
        "additionalProperty2": {}
      },
      "role_descriptors": {
        "additionalProperty1": {
          "cluster": [
            "string"
          ],
          "indices": [
            {}
          ],
          "remote_indices": [
            {}
          ],
          "remote_cluster": [
            {}
          ],
          "global": [
            {}
          ],
          "applications": [
            {}
          ],
          "metadata": {
            "additionalProperty1": {},
            "additionalProperty2": {}
          },
          "run_as": [
            "string"
          ],
          "description": "string",
          "restriction": {
            "workflows": [
              "string"
            ]
          },
          "transient_metadata": {
            "additionalProperty1": {},
            "additionalProperty2": {}
          }
        },
        "additionalProperty2": {
          "cluster": [
            "string"
          ],
          "indices": [
            {}
          ],
          "remote_indices": [
            {}
          ],
          "remote_cluster": [
            {}
          ],
          "global": [
            {}
          ],
          "applications": [
            {}
          ],
          "metadata": {
            "additionalProperty1": {},
            "additionalProperty2": {}
          },
          "run_as": [
            "string"
          ],
          "description": "string",
          "restriction": {
            "workflows": [
              "string"
            ]
          },
          "transient_metadata": {
            "additionalProperty1": {},
            "additionalProperty2": {}
          }
        }
      },
      "limited_by": [
        {
          "additionalProperty1": {
            "cluster": [
              "string"
            ],
            "indices": [
              {}
            ],
            "remote_indices": [
              {}
            ],
            "remote_cluster": [
              {}
            ],
            "applications": [
              {}
            ],
            "metadata": {},
            "run_as": [
              "string"
            ],
            "description": "string",
            "restriction": {},
            "transient_metadata": {}
          },
          "additionalProperty2": {
            "cluster": [
              "string"
            ],
            "indices": [
              {}
            ],
            "remote_indices": [
              {}
            ],
            "remote_cluster": [
              {}
            ],
            "applications": [
              {}
            ],
            "metadata": {},
            "run_as": [
              "string"
            ],
            "description": "string",
            "restriction": {},
            "transient_metadata": {}
          }
        }
      ],
      "access": {
        "replication": [
          {
            "allow_restricted_indices": true
          }
        ],
        "search": [
          {
            "field_security": {},
            "allow_restricted_indices": true
          }
        ]
      },
      "profile_uid": "string",
      "_sort": [
        42.0
      ]
    }
  ]
}

Get API key information Added in 6.7.0

Query parameters

Responses

global array[object] | object