Find API keys with a query Generally available; Added in 7.15.0

GET /_security/_query/api_key

Get a paginated list of API keys and their information. You can optionally filter the results with a query.

To use this API, you must have at least the manage_own_api_key or the read_security cluster privileges. If you have only the manage_own_api_key privilege, this API returns only the API keys that you own. If you have the read_security, manage_api_key, or greater privileges (including manage_security), this API returns all API keys regardless of ownership. ##Required authorization

  • Cluster privileges: manage_own_api_key,read_security

Query parameters

  • with_limited_by boolean

    Return the snapshot of the owner user's role descriptors associated with the API key. An API key's actual permission is the intersection of its assigned role descriptors and the owner user's role descriptors (effectively limited by it). An API key cannot retrieve any API key’s limited-by role descriptors (including itself) unless it has manage_api_key or higher privileges.

  • with_profile_uid boolean

    Determines whether to also retrieve the profile UID for the API key owner principal. If it exists, the profile UID is returned under the profile_uid response field for each API key.

  • typed_keys boolean

    Determines whether aggregation names are prefixed by their respective types in the response.

application/json

Body

  • aggregations object

    Any aggregations to run over the corpus of returned API keys. Aggregations and queries work together. Aggregations are computed only on the API keys that match the query. This supports only a subset of aggregation types, namely: terms, range, date_range, missing, cardinality, value_count, composite, filter, and filters. Additionally, aggregations only run over the same subset of fields that query works with.

  • query object
    Hide query attributes Show query attributes object
    • bool object
      Hide bool attributes Show bool attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string

      • filter object | array[object]

        The clause (query) must appear in matching documents. However, unlike must, the score of the query will be ignored.

        One of:
        QueryContainer object array-2 array[object]

        An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

        Hide attributes Show attributes object
        External documentation
        • bool
        • boosting
        • common object Deprecated
        • combined_fields
        • constant_score
        • dis_max
        • distance_feature
        • exists
        • function_score
        • fuzzy object

          Returns documents that contain terms similar to the search term, as measured by a Levenshtein edit distance.

        • geo_bounding_box
        • geo_distance
        • geo_grid object

          Matches geo_point and geo_shape values that intersect a grid cell from a GeoGrid aggregation.

        • geo_polygon
        • geo_shape
        • has_child
        • has_parent
        • ids
        • intervals object

          Returns documents based on the order and proximity of matching terms.

        • knn
        • match object

          Returns documents that match a provided text, number, date or boolean value. The provided text is analyzed before matching.

        • match_all
        • match_bool_prefix object

          Analyzes its input and constructs a bool query from the terms. Each term except the last is used in a term query. The last term is used in a prefix query.

        • match_none
        • match_phrase object

          Analyzes the text and creates a phrase query out of the analyzed text.

        • match_phrase_prefix object

          Returns documents that contain the words of a provided text, in the same order as provided. The last term of the provided text is treated as a prefix, matching any words that begin with that term.

        • more_like_this
        • multi_match
        • nested
        • parent_id
        • percolate
        • pinned
        • prefix object

          Returns documents that contain a specific prefix in a provided field.

        • query_string
        • range object

          Returns documents that contain terms within a provided range.

        • rank_feature
        • regexp object

          Returns documents that contain terms matching a regular expression.

        • rule
        • script
        • script_score
        • semantic
        • shape
        • simple_query_string
        • span_containing
        • span_field_masking
        • span_first
        • span_multi
        • span_near
        • span_not
        • span_or
        • span_term object

          Matches spans containing a term.

        • span_within
        • sparse_vector
        • term object

          Returns documents that contain an exact term in a provided field. To return a document, the query term must exactly match the queried field's value, including whitespace and capitalization.

        • terms
        • terms_set object

          Returns documents that contain a minimum number of exact terms in a provided field. To return a document, a required number of terms must exactly match the field values, including whitespace and capitalization.

        • text_expansion object Deprecated Generally available; Added in 8.8.0

          Uses a natural language processing model to convert the query text into a list of token-weight pairs which are then used in a query against a sparse vector or rank features field.

        • weighted_tokens object Deprecated Generally available; Added in 8.13.0

          Supports returning text_expansion query results by sending in precomputed tokens with the query.

        • wildcard object

          Returns documents that contain terms matching a wildcard pattern.

        • wrapper
        • type

      • minimum_should_match number | string

        The minimum number of terms that should match as integer, percentage or range

        One of:
        MinimumShouldMatch number MinimumShouldMatch string

      • must object | array[object]

        The clause (query) must appear in matching documents and will contribute to the score.

        One of:
        QueryContainer object array-2 array[object]

        An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

        Hide attributes Show attributes object
        External documentation
        • bool
        • boosting
        • common object Deprecated
        • combined_fields
        • constant_score
        • dis_max
        • distance_feature
        • exists
        • function_score
        • fuzzy object

          Returns documents that contain terms similar to the search term, as measured by a Levenshtein edit distance.

        • geo_bounding_box
        • geo_distance
        • geo_grid object

          Matches geo_point and geo_shape values that intersect a grid cell from a GeoGrid aggregation.

        • geo_polygon
        • geo_shape
        • has_child
        • has_parent
        • ids
        • intervals object

          Returns documents based on the order and proximity of matching terms.

        • knn
        • match object

          Returns documents that match a provided text, number, date or boolean value. The provided text is analyzed before matching.

        • match_all
        • match_bool_prefix object

          Analyzes its input and constructs a bool query from the terms. Each term except the last is used in a term query. The last term is used in a prefix query.

        • match_none
        • match_phrase object

          Analyzes the text and creates a phrase query out of the analyzed text.

        • match_phrase_prefix object

          Returns documents that contain the words of a provided text, in the same order as provided. The last term of the provided text is treated as a prefix, matching any words that begin with that term.

        • more_like_this
        • multi_match
        • nested
        • parent_id
        • percolate
        • pinned
        • prefix object

          Returns documents that contain a specific prefix in a provided field.

        • query_string
        • range object

          Returns documents that contain terms within a provided range.

        • rank_feature
        • regexp object

          Returns documents that contain terms matching a regular expression.

        • rule
        • script
        • script_score
        • semantic
        • shape
        • simple_query_string
        • span_containing
        • span_field_masking
        • span_first
        • span_multi
        • span_near
        • span_not
        • span_or
        • span_term object

          Matches spans containing a term.

        • span_within
        • sparse_vector
        • term object

          Returns documents that contain an exact term in a provided field. To return a document, the query term must exactly match the queried field's value, including whitespace and capitalization.

        • terms
        • terms_set object

          Returns documents that contain a minimum number of exact terms in a provided field. To return a document, a required number of terms must exactly match the field values, including whitespace and capitalization.

        • text_expansion object Deprecated Generally available; Added in 8.8.0

          Uses a natural language processing model to convert the query text into a list of token-weight pairs which are then used in a query against a sparse vector or rank features field.

        • weighted_tokens object Deprecated Generally available; Added in 8.13.0

          Supports returning text_expansion query results by sending in precomputed tokens with the query.

        • wildcard object

          Returns documents that contain terms matching a wildcard pattern.

        • wrapper
        • type

      • must_not object | array[object]

        The clause (query) must not appear in the matching documents. Because scoring is ignored, a score of 0 is returned for all documents.

        One of:
        QueryContainer object array-2 array[object]

        An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

        Hide attributes Show attributes object
        External documentation
        • bool
        • boosting
        • common object Deprecated
        • combined_fields
        • constant_score
        • dis_max
        • distance_feature
        • exists
        • function_score
        • fuzzy object

          Returns documents that contain terms similar to the search term, as measured by a Levenshtein edit distance.

        • geo_bounding_box
        • geo_distance
        • geo_grid object

          Matches geo_point and geo_shape values that intersect a grid cell from a GeoGrid aggregation.

        • geo_polygon
        • geo_shape
        • has_child
        • has_parent
        • ids
        • intervals object

          Returns documents based on the order and proximity of matching terms.

        • knn
        • match object

          Returns documents that match a provided text, number, date or boolean value. The provided text is analyzed before matching.

        • match_all
        • match_bool_prefix object

          Analyzes its input and constructs a bool query from the terms. Each term except the last is used in a term query. The last term is used in a prefix query.

        • match_none
        • match_phrase object

          Analyzes the text and creates a phrase query out of the analyzed text.

        • match_phrase_prefix object

          Returns documents that contain the words of a provided text, in the same order as provided. The last term of the provided text is treated as a prefix, matching any words that begin with that term.

        • more_like_this
        • multi_match
        • nested
        • parent_id
        • percolate
        • pinned
        • prefix object

          Returns documents that contain a specific prefix in a provided field.

        • query_string
        • range object

          Returns documents that contain terms within a provided range.

        • rank_feature
        • regexp object

          Returns documents that contain terms matching a regular expression.

        • rule
        • script
        • script_score
        • semantic
        • shape
        • simple_query_string
        • span_containing
        • span_field_masking
        • span_first
        • span_multi
        • span_near
        • span_not
        • span_or
        • span_term object

          Matches spans containing a term.

        • span_within
        • sparse_vector
        • term object

          Returns documents that contain an exact term in a provided field. To return a document, the query term must exactly match the queried field's value, including whitespace and capitalization.

        • terms
        • terms_set object

          Returns documents that contain a minimum number of exact terms in a provided field. To return a document, a required number of terms must exactly match the field values, including whitespace and capitalization.

        • text_expansion object Deprecated Generally available; Added in 8.8.0

          Uses a natural language processing model to convert the query text into a list of token-weight pairs which are then used in a query against a sparse vector or rank features field.

        • weighted_tokens object Deprecated Generally available; Added in 8.13.0

          Supports returning text_expansion query results by sending in precomputed tokens with the query.

        • wildcard object

          Returns documents that contain terms matching a wildcard pattern.

        • wrapper
        • type

      • should object | array[object]

        The clause (query) should appear in the matching document.

        One of:
        QueryContainer object array-2 array[object]

        An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

        Hide attributes Show attributes object
        External documentation
        • bool
        • boosting
        • common object Deprecated
        • combined_fields
        • constant_score
        • dis_max
        • distance_feature
        • exists
        • function_score
        • fuzzy object

          Returns documents that contain terms similar to the search term, as measured by a Levenshtein edit distance.

        • geo_bounding_box
        • geo_distance
        • geo_grid object

          Matches geo_point and geo_shape values that intersect a grid cell from a GeoGrid aggregation.

        • geo_polygon
        • geo_shape
        • has_child
        • has_parent
        • ids
        • intervals object

          Returns documents based on the order and proximity of matching terms.

        • knn
        • match object

          Returns documents that match a provided text, number, date or boolean value. The provided text is analyzed before matching.

        • match_all
        • match_bool_prefix object

          Analyzes its input and constructs a bool query from the terms. Each term except the last is used in a term query. The last term is used in a prefix query.

        • match_none
        • match_phrase object

          Analyzes the text and creates a phrase query out of the analyzed text.

        • match_phrase_prefix object

          Returns documents that contain the words of a provided text, in the same order as provided. The last term of the provided text is treated as a prefix, matching any words that begin with that term.

        • more_like_this
        • multi_match
        • nested
        • parent_id
        • percolate
        • pinned
        • prefix object

          Returns documents that contain a specific prefix in a provided field.

        • query_string
        • range object

          Returns documents that contain terms within a provided range.

        • rank_feature
        • regexp object

          Returns documents that contain terms matching a regular expression.

        • rule
        • script
        • script_score
        • semantic
        • shape
        • simple_query_string
        • span_containing
        • span_field_masking
        • span_first
        • span_multi
        • span_near
        • span_not
        • span_or
        • span_term object

          Matches spans containing a term.

        • span_within
        • sparse_vector
        • term object

          Returns documents that contain an exact term in a provided field. To return a document, the query term must exactly match the queried field's value, including whitespace and capitalization.

        • terms
        • terms_set object

          Returns documents that contain a minimum number of exact terms in a provided field. To return a document, a required number of terms must exactly match the field values, including whitespace and capitalization.

        • text_expansion object Deprecated Generally available; Added in 8.8.0

          Uses a natural language processing model to convert the query text into a list of token-weight pairs which are then used in a query against a sparse vector or rank features field.

        • weighted_tokens object Deprecated Generally available; Added in 8.13.0

          Supports returning text_expansion query results by sending in precomputed tokens with the query.

        • wildcard object

          Returns documents that contain terms matching a wildcard pattern.

        • wrapper
        • type
    • exists object
      Hide exists attributes Show exists attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • field string Required

        Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

    • ids object
      Hide ids attributes Show ids attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string

      • values string | array[string]

        One of:
        Id string Ids array[string]
    • match object

      Returns documents that match a provided text, number, date or boolean value. The provided text is analyzed before matching.

    • match_all object
      Hide match_all attributes Show match_all attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
    • prefix object

      Returns documents that contain a specific prefix in a provided field.

    • range object

      Returns documents that contain terms within a provided range.

    • simple_query_string object
      Hide simple_query_string attributes Show simple_query_string attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • analyzer string

        Analyzer used to convert text in the query string into tokens.

      • analyze_wildcard boolean

        If true, the query attempts to analyze wildcard terms in the query string.

      • auto_generate_synonyms_phrase_query boolean

        If true, the parser creates a match_phrase query for each multi-position token.

      • default_operator string

        Values are and, AND, or, or OR.

      • fields array[string]

        Array of fields you wish to search. Accepts wildcard expressions. You also can boost relevance scores for matches to particular fields using a caret (^) notation. Defaults to the index.query.default_field index setting, which has a default value of *.

      • flags string

        Query flags can be either a single flag or a combination of flags, e.g. OR|AND|PREFIX

        One of:
        SimpleQueryStringFlag string PipeSeparatedFlagsSimpleQueryStringFlag string

        Query flags can be either a single flag or a combination of flags, e.g. OR|AND|PREFIX

        Values are NONE, AND, NOT, OR, PREFIX, PHRASE, PRECEDENCE, ESCAPE, WHITESPACE, FUZZY, NEAR, SLOP, or ALL.

        Query flags can be either a single flag or a combination of flags, e.g. OR|AND|PREFIX

      • fuzzy_max_expansions number

        Maximum number of terms to which the query expands for fuzzy matching.

      • fuzzy_prefix_length number

        Number of beginning characters left unchanged for fuzzy matching.

      • fuzzy_transpositions boolean

        If true, edits for fuzzy matching include transpositions of two adjacent characters (for example, ab to ba).

      • lenient boolean

        If true, format-based errors, such as providing a text value for a numeric field, are ignored.

      • minimum_should_match number | string

        The minimum number of terms that should match as integer, percentage or range

        One of:
        MinimumShouldMatch number MinimumShouldMatch string
      • query string Required

        Query string in the simple query string syntax you wish to parse and use for search.

      • quote_field_suffix string

        Suffix appended to quoted text in the query string.

    • term object

      Returns documents that contain an exact term in a provided field. To return a document, the query term must exactly match the queried field's value, including whitespace and capitalization.

    • terms object
      Hide terms attributes Show terms attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
    • wildcard object

      Returns documents that contain terms matching a wildcard pattern.

  • from number

    The starting document offset. It must not be negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after parameter.

  • sort string | object | array[string | object]

    One of:
    Field string SortOptions object Sort array[string | object]

    Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

    One of:
    Field string SortOptions object

    Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

  • size number

    The number of hits to return. It must not be negative. The size parameter can be set to 0, in which case no API key matches are returned, only the aggregation results. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after parameter.

  • search_after array[number | string | boolean | null]

    A field value.

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • total number Required

      The total number of API keys found.

    • count number Required

      The number of API keys returned in the response.

    • api_keys array[object] Required

      A list of API key information.

      Hide api_keys attributes Show api_keys attributes object
      • id string Required
      • name string Required
      • type string Required

        Values are rest or cross_cluster.

      • creation number

        Time unit for milliseconds

      • expiration number

        Time unit for milliseconds

      • invalidated boolean Required

        Invalidation status for the API key. If the key has been invalidated, it has a value of true. Otherwise, it is false.

      • invalidation number

        Time unit for milliseconds

      • username string Required
      • realm string Required

        Realm name of the principal for which this API key was created.

      • realm_type string Generally available; Added in 8.14.0

        Realm type of the principal for which this API key was created

      • metadata object Required
        Hide metadata attribute Show metadata attribute object
        • * object Additional properties
      • role_descriptors object

        The role descriptors assigned to this API key when it was created or last updated. An empty role descriptor means the API key inherits the owner user’s permissions.

        Hide role_descriptors attribute Show role_descriptors attribute object
        • * object Additional properties
          Hide * attributes Show * attributes object
          • cluster array[string]

            A list of cluster privileges. These privileges define the cluster level actions that API keys are able to execute.

          • indices array[object]

            A list of indices permissions entries.

          • remote_indices array[object] Generally available; Added in 8.14.0

            A list of indices permissions for remote clusters.

          • remote_cluster array[object] Generally available; Added in 8.15.0

            A list of cluster permissions for remote clusters. NOTE: This is limited a subset of the cluster permissions.

          • global array[object] | object

            An object defining global privileges. A global privilege is a form of cluster privilege that is request-aware. Support for global privileges is currently limited to the management of application privileges.

            One of:
            array-1 array[object] GlobalPrivilege object
          • applications array[object]

            A list of application privilege entries

          • metadata object
            Hide metadata attribute Show metadata attribute object
            • * object Additional properties
          • run_as array[string]

            A list of users that the API keys can impersonate. NOTE: In Elastic Cloud Serverless, the run-as feature is disabled. For API compatibility, you can still specify an empty run_as field, but a non-empty list will be rejected.

          • description string

            Optional description of the role descriptor

          • restriction object
            Hide restriction attribute Show restriction attribute object
            • workflows array[string] Required

              A list of workflows to which the API key is restricted. NOTE: In order to use a role restriction, an API key must be created with a single role descriptor.

          • transient_metadata object
            Hide transient_metadata attribute Show transient_metadata attribute object
            • * object Additional properties
      • limited_by array[object] Generally available; Added in 8.5.0

        The owner user’s permissions associated with the API key. It is a point-in-time snapshot captured at creation and subsequent updates. An API key’s effective permissions are an intersection of its assigned privileges and the owner user’s permissions.

        Hide limited_by attribute Show limited_by attribute object
        • * object Additional properties
          Hide * attributes Show * attributes object
          • cluster array[string]

            A list of cluster privileges. These privileges define the cluster level actions that API keys are able to execute.

          • indices array[object]

            A list of indices permissions entries.

          • remote_indices array[object] Generally available; Added in 8.14.0

            A list of indices permissions for remote clusters.

          • remote_cluster array[object] Generally available; Added in 8.15.0

            A list of cluster permissions for remote clusters. NOTE: This is limited a subset of the cluster permissions.

          • global
          • applications array[object]

            A list of application privilege entries

          • metadata object
          • run_as array[string]

            A list of users that the API keys can impersonate. NOTE: In Elastic Cloud Serverless, the run-as feature is disabled. For API compatibility, you can still specify an empty run_as field, but a non-empty list will be rejected.

          • description string

            Optional description of the role descriptor

          • restriction object
          • transient_metadata object
      • access object
        Hide access attributes Show access attributes object
        • replication array[object]

          A list of indices permission entries for cross-cluster replication.

          Hide replication attributes Show replication attributes object
          • names
          • allow_restricted_indices boolean

            This needs to be set to true if the patterns in the names field should cover system indices.

        • search array[object]

          A list of indices permission entries for cross-cluster search.

          Hide search attributes Show search attributes object
          • field_security object
          • names
          • query
          • allow_restricted_indices boolean Generally available

            Set to true if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the names list, Elasticsearch checks privileges against these indices regardless of the value set for allow_restricted_indices.

      • profile_uid string Generally available; Added in 8.14.0

        The profile uid for the API key owner principal, if requested and if it exists

      • _sort array[number | string | boolean | null]

        A field value.

    • aggregations object

      The aggregations result, if requested.
GET /_security/_query/api_key 
GET /_security/_query/api_key?with_limited_by=true
{
  "query": {
    "ids": {
      "values": [
        "VuaCfGcBCdbkQm-e5aOx"
      ]
    }
  }
}
curl \
 --request GET 'http://api.example.com/_security/_query/api_key' \
 --header "Content-Type: application/json" \
 --data '"{\n  \"query\": {\n    \"ids\": {\n      \"values\": [\n        \"VuaCfGcBCdbkQm-e5aOx\"\n      ]\n    }\n  }\n}"'
Request examples
Run `GET /_security/_query/api_key?with_limited_by=true` to retrieve an API key by ID. 
{
  "query": {
    "ids": {
      "values": [
        "VuaCfGcBCdbkQm-e5aOx"
      ]
    }
  }
}
Run `GET /_security/_query/api_key`. Use a `bool` query to issue complex logical conditions and use `from`, `size`, and `sort` to help paginate the result. For example, the API key name must begin with `app1-key-` and must not be `app1-key-01`. It must be owned by a username with the wildcard pattern `org-*-user` and the `environment` metadata field must have a `production` value. The offset to begin the search result is the twentieth (zero-based index) API key. The page size of the response is 10 API keys. The result is first sorted by creation date in descending order, then by name in ascending order. 
{
  "query": {
    "bool": {
      "must": [
        {
          "prefix": {
            "name": "app1-key-" 
          }
        },
        {
          "term": {
            "invalidated": "false" 
          }
        }
      ],
      "must_not": [
        {
          "term": {
            "name": "app1-key-01" 
          }
        }
      ],
      "filter": [
        {
          "wildcard": {
            "username": "org-*-user" 
          }
        },
        {
          "term": {
            "metadata.environment": "production" 
          }
        }
      ]
    }
  },
  "from": 20, 
  "size": 10, 
  "sort": [ 
    { "creation": { "order": "desc", "format": "date_time" } },
    "name"
  ]
}
Run `GET /_security/_query/api_key` to retrieve the API key by name. 
{
  "query": {
    "term": {
      "name": {
        "value": "application-key-1"
      }
    }
  }
}
Response examples (200)
A successful response from `GET /_security/_query/api_key?with_limited_by=true`. The `limited_by` details are the owner user's permissions associated with the API key. It is a point-in-time snapshot captured at creation and subsequent updates. An API key's effective permissions are an intersection of its assigned privileges and the owner user's permissions. 
{
  "api_keys": [
    {
      "id": "VuaCfGcBCdbkQm-e5aOx",
      "name": "application-key-1",
      "creation": 1548550550158,
      "expiration": 1548551550158,
      "invalidated": false,
      "username": "myuser",
      "realm": "native1",
      "realm_type": "native",
      "metadata": {
        "application": "my-application"
      },
      "role_descriptors": { },
      "limited_by": [ 
        {
          "role-power-user": {
            "cluster": [
              "monitor"
            ],
            "indices": [
              {
                "names": [
                  "*"
                ],
                "privileges": [
                  "read"
                ],
                "allow_restricted_indices": false
              }
            ],
            "applications": [ ],
            "run_as": [ ],
            "metadata": { },
            "transient_metadata": {
              "enabled": true
            }
          }
        }
      ]
    }
  ]
}
An abbreviated response from `GET /_security/_query/api_key` that contains a list of matched API keys along with their sort values. The first sort value is creation time, which is displayed in `date_time` format. The second sort value is the API key name. 
{
  "total": 100,
  "count": 10,
  "api_keys": [
    {
      "id": "CLXgVnsBOGkf8IyjcXU7",
      "name": "app1-key-79",
      "creation": 1629250154811,
      "invalidated": false,
      "username": "org-admin-user",
      "realm": "native1",
      "metadata": {
        "environment": "production"
      },
      "role_descriptors": { },
      "_sort": [
        "2021-08-18T01:29:14.811Z",  
        "app1-key-79"  
      ]
    },
    {
      "id": "BrXgVnsBOGkf8IyjbXVB",
      "name": "app1-key-78",
      "creation": 1629250153794,
      "invalidated": false,
      "username": "org-admin-user",
      "realm": "native1",
      "metadata": {
        "environment": "production"
      },
      "role_descriptors": { },
      "_sort": [
        "2021-08-18T01:29:13.794Z",
        "app1-key-78"
      ]
    }
  ]
}
A successful response from `GET /_security/_query/api_key`. It includes the role descriptors that are assigned to each API key when it was created or last updated. Note that an API key's effective permissions are an intersection of its assigned privileges and the point-in-time snapshot of the owner user's permissions. An empty role descriptors object means the API key inherits the owner user's permissions. 
{
  "total": 3,
  "count": 3,
  "api_keys": [ 
    {
      "id": "nkvrGXsB8w290t56q3Rg",
      "name": "my-api-key-1",
      "creation": 1628227480421,
      "expiration": 1629091480421,
      "invalidated": false,
      "username": "elastic",
      "realm": "reserved",
      "realm_type": "reserved",
      "metadata": {
        "letter": "a"
      },
      "role_descriptors": { 
        "role-a": {
          "cluster": [
            "monitor"
          ],
          "indices": [
            {
              "names": [
                "index-a"
              ],
              "privileges": [
                "read"
              ],
              "allow_restricted_indices": false
            }
          ],
          "applications": [ ],
          "run_as": [ ],
          "metadata": { },
          "transient_metadata": {
            "enabled": true
          }
        }
      }
    },
    {
      "id": "oEvrGXsB8w290t5683TI",
      "name": "my-api-key-2",
      "creation": 1628227498953,
      "expiration": 1628313898953,
      "invalidated": false,
      "username": "elastic",
      "realm": "reserved",
      "metadata": {
        "letter": "b"
      },
      "role_descriptors": { } 
    }
  ]
}

Documentation preview

This is a preview of your version @2025-06-09 which is not yet released.

View current documentation