Get a token
Added in 5.5.0
Create a bearer token for access without requiring basic authentication.
The tokens are created by the Elasticsearch Token Service, which is automatically enabled when you configure TLS on the HTTP interface.
Alternatively, you can explicitly enable the xpack.security.authc.token.enabled setting.
When you are running in production mode, a bootstrap check prevents you from enabling the token service unless you also enable TLS on the HTTP interface.
The get token API takes the same parameters as a typical OAuth 2.0 token API except for the use of a JSON request body.
A successful get token API call returns a JSON structure that contains the access token, the amount of time (seconds) that the token expires in, the type, and the scope if available.
The tokens returned by the get token API have a finite period of time for which they are valid and after that time period, they can no longer be used.
That time period is defined by the xpack.security.authc.token.timeout setting.
If you want to invalidate a token immediately, you can do so by using the invalidate token API.
Body
Required
-
grant_type
string Values are
password,client_credentials,_kerberos, orrefresh_token. -
scope
string The scope of the token. Currently tokens are only issued for a scope of FULL regardless of the value sent with the request.
-
password
string -
kerberos_ticket
string The base64 encoded kerberos ticket. If you specify the
_kerberosgrant type, this parameter is required. This parameter is not valid with any other supported grant type. -
refresh_token
string The string that was returned when you created the token, which enables you to extend its life. If you specify the
refresh_tokengrant type, this parameter is required. This parameter is not valid with any other supported grant type. -
username
string
curl \
--request POST http://api.example.com/_security/oauth2/token \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '{"grant_type":"password","scope":"string","password":"string","kerberos_ticket":"string","refresh_token":"string","username":"string"}'{
"grant_type": "password",
"scope": "string",
"password": "string",
"kerberos_ticket": "string",
"refresh_token": "string",
"username": "string"
}{
"access_token": "string",
"expires_in": 42.0,
"scope": "string",
"type": "string",
"refresh_token": "string",
"kerberos_authentication_response_token": "string",
"additionalProperty1": {
"email": "string",
"full_name": "string",
"metadata": {
"additionalProperty1": {},
"additionalProperty2": {}
},
"roles": [
"string"
],
"username": "string",
"enabled": true,
"profile_uid": "string",
"authentication_realm": {
"name": "string",
"type": "string"
},
"lookup_realm": {
"name": "string",
"type": "string"
},
"authentication_provider": {
"type": "string",
"name": "string"
},
"authentication_type": "string"
},
"additionalProperty2": {
"email": "string",
"full_name": "string",
"metadata": {
"additionalProperty1": {},
"additionalProperty2": {}
},
"roles": [
"string"
],
"username": "string",
"enabled": true,
"profile_uid": "string",
"authentication_realm": {
"name": "string",
"type": "string"
},
"lookup_realm": {
"name": "string",
"type": "string"
},
"authentication_provider": {
"type": "string",
"name": "string"
},
"authentication_type": "string"
}
}