Grant API key APIedit

Creates an API key on behalf of another user.

Grant API key requestedit

This API is similar to Create API Key API, however it creates the API key for a user that is different than the user that runs the API.

A GrantApiKeyRequest contains authentication credentials for the user on whose behalf the API key will be created, a grant type (which indicates whether the credentials are an access token or a user ID and password), and API key details. The API key details include a name for the API key, an optional list of role descriptors to define permissions, and an optional expiration for the generated API key. If expiration is not provided, by default the API keys do not expire.

CreateApiKeyRequest createApiKeyRequest = new CreateApiKeyRequest(name, roles, expiration, refreshPolicy, metadata);
GrantApiKeyRequest.Grant grant = GrantApiKeyRequest.Grant.passwordGrant(username, password);
GrantApiKeyRequest grantApiKeyRequest = new GrantApiKeyRequest(grant, createApiKeyRequest);

Synchronous executionedit

When executing a GrantApiKeyRequest in the following manner, the client waits for the CreateApiKeyResponse to be returned before continuing with code execution:

CreateApiKeyResponse apiKeyResponse =, RequestOptions.DEFAULT);

Synchronous calls may throw an IOException in case of either failing to parse the REST response in the high-level REST client, the request times out or similar cases where there is no response coming back from the server.

In cases where the server returns a 4xx or 5xx error code, the high-level client tries to parse the response body error details instead and then throws a generic ElasticsearchException and adds the original ResponseException as a suppressed exception to it.

Asynchronous executionedit

Executing a GrantApiKeyRequest can also be done in an asynchronous fashion so that the client can return directly. Users need to specify how the response or potential failures will be handled by passing the request and a listener to the asynchronous grant-api-key method:, RequestOptions.DEFAULT, listener); 

The GrantApiKeyRequest to execute and the ActionListener to use when the execution completes

The asynchronous method does not block and returns immediately. Once it is completed the ActionListener is called back using the onResponse method if the execution successfully completed or using the onFailure method if it failed. Failure scenarios and expected exceptions are the same as in the synchronous execution case.

A typical listener for grant-api-key looks like:

listener = new ActionListener<CreateApiKeyResponse>() {
    public void onResponse(CreateApiKeyResponse createApiKeyResponse) {

    public void onFailure(Exception e) {

Called when the execution is successfully completed.

Called when the whole GrantApiKeyRequest fails.

Grant API key responseedit

The returned CreateApiKeyResponse contains an ID, API key, name for the API key, and optional expiration.

SecureString encoded = apiKeyResponse.getEncoded(); 
Instant apiKeyExpiration = apiKeyResponse.getExpiration(); 

The API key that can be used to authenticate to Elasticsearch.

Expiration details, if the API keys expire.