Invalidate API keys Added in 6.7.0
This API invalidates API keys created by the create API key or grant API key APIs.
Invalidated API keys fail authentication, but they can still be viewed using the get API key information and query API key information APIs, for at least the configured retention period, until they are automatically deleted.
The manage_api_key privilege allows deleting any API keys.
The manage_own_api_key only allows deleting API keys that are owned by the user.
In addition, with the manage_own_api_key privilege, an invalidation request must be issued in one of the three formats:
- Set the parameter
owner=true. - Or, set both
usernameandrealm_nameto match the user’s identity. - Or, if the request is issued by an API key, that is to say an API key invalidates itself, specify its ID in the
idsfield.
Body Required
-
id string
-
ids array[string]
A list of API key ids. This parameter cannot be used with any of
name,realm_name, orusername. -
name string
-
owner boolean
Can be used to query API keys owned by the currently authenticated user. The
realm_nameorusernameparameters cannot be specified when this parameter is set totrueas they are assumed to be the currently authenticated ones. -
realm_name string
The name of an authentication realm. This parameter cannot be used with either
idsorname, or whenownerflag is set totrue. -
username string
curl \
-X DELETE http://api.example.com/_security/api_key \
-H "Content-Type: application/json" \
-d '{"id":"string","ids":["string"],"name":"string","owner":true,"realm_name":"string","username":"string"}'{
"id": "string",
"ids": [
"string"
],
"name": "string",
"owner": true,
"realm_name": "string",
"username": "string"
}{
"error_count": 42.0,
"error_details": [
{
"type": "string",
"reason": "string",
"stack_trace": "string",
"caused_by": {},
"root_cause": [
{}
],
"suppressed": [
{}
]
}
],
"invalidated_api_keys": [
"string"
],
"previously_invalidated_api_keys": [
"string"
]
}