Elastic Cloud API keys

Elastic Cloud API keys allow you to programmatically access the following resources:

Elastic Cloud APIs
Elastic Cloud Serverless APIs
Optionally, Elasticsearch Elastic Cloud Serverless and Kibana Elastic Cloud Serverless APIs

Only Organization owners can create and manage API keys. An API key is not tied to the user who created it. When creating a key, you assign it specific roles to control its access to organizational resources, including hosted deployments and serverless projects. If a user leaves the organization, the API keys they have created will still function until they expire.

You can have multiple API keys for different purposes, and you can revoke them when you no longer need them. Each organization can have up to 500 active API keys.

Agent skill available

A skill is available to help AI agents with this topic.

Learn more about agent skills for Elastic

Get the skill

Elasticsearch and Kibana API access

By default, Elastic Cloud API keys provide access to the APIs for managing your organization, deployments, and projects.

In Elastic Cloud Hosted deployments, Elastic Cloud API keys do not provide access to Elasticsearch or Kibana APIs. Learn how to create an Elasticsearch API key for ECH deployments.

In the case of Elastic Cloud Serverless projects, you can optionally grant access to Elasticsearch Serverless and Kibana Serverless APIs when you assign roles to the API key.

Create an API key

Using the Elastic Cloud Console

Log in to the Elastic Cloud Console.
Go to your avatar in the upper right corner and choose Organization.
On the API keys tab of the Organization page, click Create API key.
On the Create API key flyout, you can configure your new key:
1. Add a unique name for the key.
2. Set the expiration for the key.
3. Assign roles.
Click Create API key, copy the generated API key, and store it in a safe place. You can also download the key as a CSV file.

The API key needs to be supplied in the Authorization header of a request, in the following format:

Authorization: ApiKey $EC_API_KEY

Using the Elastic Cloud API

You can create an API key using the Create API key API.

		curl -XPOST \
-H 'Content-Type: application/json' \
-H "Authorization: ApiKey $EC_API_KEY" \
"https://api.elastic-cloud.com/api/v1/users/auth/keys

{
  "description": "api-created-key",
  "expiration": "90d",
  "role_assignments": {
    "project": {
      "elasticsearch": [
        {
          "role_id": "elasticsearch-admin",
          "organization_id": "ORG_ID_PLACEHOLDER",
          "all": false,
          "project_ids": [
            "PROJECT_ID_PLACEHOLDER"
          ],
          "application_roles": [
            "admin"
          ]
        }
      ]
    }
  }
}
		
	

Roles granted for project-level access through the Elasticsearch and Kibana APIs.

Revoke an API key

Log in to Elastic Cloud.
From the navigation menu, select Organization > API keys.
Find the key you want to revoke, and click the trash icon under Actions.

API key expiration

By default, API keys expire after three months. You can set the expiration to a different preset value or to a specific date, up to one year. If you need the key to work indefinitely, you can set its expiration to Never.

When an API key is nearing expiration, Elastic sends an email to the creator of the API key and each of the operational contacts. When you use an API key to authenticate, the API response header X-Elastic-Api-Key-Expiration indicates the key’s expiration date. You can log this value to detect API keys that are nearing expiration.

When an API key expires, it is automatically removed from the API keys tab.

Applying roles to API keys

Roles grant an API key specific privileges for your Elastic Cloud organization and resources.

You can grant a cloud API key the same types of roles that you assign to users: organization-level roles, cloud resource access roles, and connected cluster roles.

Granting Elasticsearch and Kibana API access

When you grant Organization owner access, or Cloud resource access for one or more Serverless projects, you can select your level of API access:

Access	Grant
Cloud API (default)	Grants access to only Elastic Cloud and Elastic Cloud Serverless APIs. No direct access to project Elasticsearch or Kibana API endpoints.
Cloud, Elasticsearch, and Kibana API	Grants the following access: • Elastic Cloud and Elastic Cloud Serverless APIs • Elasticsearch Serverless, and Kibana Serverless API endpoints for the relevant projects

Using Elastic Cloud keys for project-level API access, rather than granting keys from within each Serverless project, allows you to create keys that can interact with multiple projects, and manage API access centrally from the Elastic Cloud console.

When granting Cloud resource access, you can apply a predefined role or custom role to granularly control access to the specified resources. The selected role controls access to resources in all relevant APIs.

Considerations

All roles include permissions for Cloud APIs, as well as Elasticsearch and Kibana APIs. Your API access selection limits the role's scope and can disable core functionality:

Cloud API access: The API key can use the role’s permissions for organization-level actions in Elastic Cloud, but it has no direct access to the project itself. Roles designed for project use, such as the Security Tier 1 analyst role, have only Viewer access to the relevant projects through Elastic Cloud APIs.

API keys with custom roles are also limited to Viewer access in the project.
Cloud, Elasticsearch, and Kibana API access: The API key can use the role’s permissions to fully interact with the project. This selection is required for custom roles to work as intended, because they rely on the Elasticsearch and Kibana serverless APIs for project-level access.

For details on the permissions granted for each role, refer to the predefined roles table.