APM Server exposes a HTTP endpoint and as with anything that opens ports on your servers, you should be careful about who can connect to it. We recommend using firewall rules to ensure only authorized systems can connect.

There is also the option of setting up SSL to ensure data sent to the APM Server is encrypted.

Secret tokenedit

You can configure a secret token which is sent with every request from the APM agents to the server. This string is used to ensure that only your agents can send data to your APM servers. Both the agents and the APM servers have to be configured with the same secret token.


The usage of a secret token only provides any security when used in combination with having SSL/TLS configured.

SSL/TLS setupedit

To enable SSL/TLS you need a private key and a certificate issued by a certification authority (CA). Then you can specify the path to those files in the configuration properties apm-server.ssl.key and apm-server.ssl.certificate respectively. This will make the APM Server to serve HTTPS requests instead of HTTP. Hence, you also need to enable SSL in the agent. For agent specific details, please check the agent documentation for how to do it.

APM Server and X-Pack securityedit

If you want APM Server to connect to a cluster that has X-Pack security enabled, there are extra configuration steps.

To send data to a secured cluster through the elasticsearch output, APM Server needs to authenticate as a user who can manage index templates, monitor the cluster, create indices, and read, and write to the indices it creates. See Configuring authentication credentials for APM Server.

If encryption is enabled on the cluster, you also need to enable HTTPS in the APM Server configuration. See Configuring APM Server to use encrypted connections.

In addition to configuring authentication credentials for the APM Server itself, you need to grant authorized users permission to access the indices it creates. See Granting users access to APM Server indices.

For more information about X-Pack security, see Securing Elasticsearch and Kibana.