Communication between APM agents and APM Server can be both encrypted and authenticated. Encryption is achievable through SSL/TLS communication.
Authentication can be achieved in two main ways:
Both options can be enabled at the same time, allowing Elastic APM agents to chose whichever mechanism they support. In addition, since both mechanisms involve sending a secret as plain text, they should be used in combination with SSL/TLS encryption.
As soon as an authenticated communication is enabled, requests without a valid token or API key will be denied by APM Server. As RUM endpoints cannot be secured through these mechanisms, they are exempt from this rule.
In addition, there is a less straightforward and more restrictive way to authenticate clients through SSL/TLS client authentication, which is currently a mainstream option only for the RUM agent (through the browser) and the Jaeger agent.