Communication between APM agents and Elastic Agent can be both encrypted and authenticated. It is strongly recommended to use both TLS encryption and authentication as secrets are sent as plain text.
As soon as an authenticated communication is enabled, requests without a valid token or API key will be denied. If both API keys and a secret token are enabled, APM agents can choose whichever mechanism they support.
In some use-cases, like when an APM agent is running on the client side, authentication is not possible. See Anonymous authentication for more information.