Communication between APM agents and APM Server can be both encrypted and authenticated. Encryption is achievable through SSL/TLS communication.
Authentication can be achieved in two main ways:
Both options can be enabled at the same time, allowing Elastic APM agents to chose whichever mechanism they support. In addition, since both mechanisms involve sending a secret as plain text, they should be used in combination with SSL/TLS encryption.
As soon as an authenticated communication is enabled, requests without a valid token or API key will be denied by APM Server. An exception to this rule can be configured with anonymous authentication, which is useful for APM agents running on the client side, like the Real User Monitoring (RUM) agent.
There is a less straightforward and more restrictive way to authenticate clients through SSL/TLS client authentication, which is currently a mainstream option only for the RUM agent (through the browser) and the Jaeger agent.