---
title: Elastic Cloud API keys
description: Elastic Cloud API keys allow you to programmatically access the following resources: Elastic Cloud APIs, Elastic Cloud Serverless APIs, serverless: ga...
url: https://www.elastic.co/elastic/docs-builder/docs/3028/deploy-manage/api-keys/elastic-cloud-api-keys
products:
  - Elastic Cloud Hosted
applies_to:
  - Elastic Cloud Serverless: Generally available
  - Elastic Cloud Hosted: Generally available
---

# Elastic Cloud API keys
Elastic Cloud API keys allow you to programmatically access the following resources:
- [Elastic Cloud](https://www.elastic.co/docs/api/doc/cloud/) APIs
- [Elastic Cloud Serverless](https://www.elastic.co/docs/api/doc/elastic-cloud-serverless/) APIs
- <applies-to>Elastic Cloud Serverless: Generally available</applies-to> Optionally, [Elasticsearch Elastic Cloud Serverless](https://www.elastic.co/docs/api/doc/elasticsearch-serverless/) and [Kibana Elastic Cloud Serverless](https://www.elastic.co/docs/api/doc/serverless/)  APIs

Only **Organization owners** can create and manage API keys. An API key is not tied to the user who created it. When creating a key, you assign it specific roles to control its access to organizational resources, including hosted deployments and serverless projects. If a user leaves the organization, the API keys they have created will still function until they expire.
You can have multiple API keys for different purposes, and you can revoke them when you no longer need them. Each organization can have up to 500 active API keys.
<agent-skill url="https://github.com/elastic/agent-skills/tree/main/skills/cloud/access-management">
  A skill is available to help AI agents with this topic.
</agent-skill>

<admonition title="Elasticsearch and Kibana API access" applies-to="Elastic Cloud Hosted: Generally available">
  By default, Elastic Cloud API keys provide access to the APIs for managing your organization, deployments, and projects.In Elastic Cloud Hosted deployments, Elastic Cloud API keys do not provide access to Elasticsearch or Kibana APIs. [Learn how to create an Elasticsearch API key for ECH deployments](https://www.elastic.co/elastic/docs-builder/docs/3028/deploy-manage/api-keys/elasticsearch-api-keys).In the case of Elastic Cloud Serverless projects, you can optionally grant access to [Elasticsearch Serverless](https://www.elastic.co/docs/api/doc/elasticsearch-serverless/) and [Kibana Serverless](https://www.elastic.co/docs/api/doc/serverless/) APIs when you [assign roles to the API key](#roles).
</admonition>


## Create an API key

<tab-set>
  <tab-item title="Using the Elastic Cloud Console">
    1. Log in to the [Elastic Cloud Console](https://cloud.elastic.co?page=docs&placement=docs-body).
    2. Go to your avatar in the upper right corner and choose **Organization**.
    3. On the **API keys** tab of the **Organization** page, click **Create API key**.
    4. On the **Create API key** flyout, you can configure your new key:
       1. Add a unique name for the key.
    2. Set the [expiration](#expiration) for the key.
    3. Assign [roles](#roles).
    5. Click **Create API key**, copy the generated API key, and store it in a safe place. You can also download the key as a CSV file.
    The API key needs to be supplied in the `Authorization` header of a request, in the following format:
    ```sh
    Authorization: ApiKey $EC_API_KEY
    ```
  </tab-item>

  <tab-item title="Using the Elastic Cloud API">
    You can create an API key using the [Create API key](https://www.elastic.co/docs/api/doc/cloud//operation/operation-create-api-key) API.
    ```sh
    curl -XPOST \
    -H 'Content-Type: application/json' \
    -H "Authorization: ApiKey $EC_API_KEY" \
    "https://api.elastic-cloud.com/api/v1/users/auth/keys

    {
      "description": "api-created-key",
      "expiration": "90d",
      "role_assignments": {
        "project": {
          "elasticsearch": [
            {
              "role_id": "elasticsearch-admin",
              "organization_id": "ORG_ID_PLACEHOLDER",
              "all": false,
              "project_ids": [
                "PROJECT_ID_PLACEHOLDER"
              ],
              "application_roles": [ 
                "admin"
              ] 
            }
          ]
        }
      }
    }
    ```
  </tab-item>
</tab-set>


## Revoke an API key

1. Log in to [Elastic Cloud](https://cloud.elastic.co?page=docs&placement=docs-body).
2. From the navigation menu, select **Organization > API keys**.
3. Find the key you want to revoke, and click the trash icon under **Actions**.


## API key expiration

By default, API keys expire after three months. You can set the expiration to a different preset value or to a specific date, up to one year. If you need the key to work indefinitely, you can set its expiration to **Never**.
When an API key is nearing expiration, Elastic sends an email to the creator of the API key and each of the operational contacts. When you use an API key to authenticate, the API response header `X-Elastic-Api-Key-Expiration` indicates the key’s expiration date. You can log this value to detect API keys that are nearing expiration.
When an API key expires, it is automatically removed from the **API keys** tab.

## Applying roles to API keys

Roles grant an API key specific privileges for your Elastic Cloud organization and resources.
You can grant a cloud API key [the same types of roles that you assign to users](/elastic/docs-builder/docs/3028/deploy-manage/users-roles/cloud-organization/user-roles#types-of-roles): organization-level roles, cloud resource access roles, and connected cluster roles.

### Granting Elasticsearch and Kibana API access

<applies-to>
  - Elastic Cloud Serverless: Generally available
</applies-to>

When you grant **Organization owner** access, or **Cloud resource** access for one or more Serverless projects, you can select your level of API access:

| Access                                   | Grant                                                                                                                                                                                                                                                                                                                                                                                                     |
|------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Cloud API** (default)                  | Grants access to only [Elastic Cloud](https://www.elastic.co/docs/api/doc/cloud/) and [Elastic Cloud Serverless](https://www.elastic.co/docs/api/doc/elastic-cloud-serverless/) APIs. No direct access to project Elasticsearch or Kibana API endpoints.                                                                                                                                                  |
| **Cloud, Elasticsearch, and Kibana API** | Grants the following access:• [Elastic Cloud](https://www.elastic.co/docs/api/doc/cloud/) and [Elastic Cloud Serverless](https://www.elastic.co/docs/api/doc/elastic-cloud-serverless/) APIs• [Elasticsearch Serverless](https://www.elastic.co/docs/api/doc/elasticsearch-serverless/), and [Kibana Serverless](https://www.elastic.co/docs/api/doc/serverless/) API endpoints for the relevant projects |

Using Elastic Cloud keys for project-level API access, rather than [granting keys from within each Serverless project](https://www.elastic.co/elastic/docs-builder/docs/3028/deploy-manage/api-keys/serverless-project-api-keys), allows you to create keys that can interact with multiple projects, and manage API access centrally from the Elastic Cloud console.
When granting Cloud resource access, you can apply a [predefined role](/elastic/docs-builder/docs/3028/deploy-manage/users-roles/cloud-organization/user-roles#general-assign-user-roles-table) or [custom role](https://www.elastic.co/elastic/docs-builder/docs/3028/deploy-manage/users-roles/serverless-custom-roles) to granularly control access to the specified resources. The selected role controls access to resources in all relevant APIs.

#### Considerations

All roles include permissions for Cloud APIs, as well as Elasticsearch and Kibana APIs. Your **API access** selection limits the role's scope and can disable core functionality:
- **Cloud API access**: The API key can use the role’s permissions for organization-level actions in Elastic Cloud, but it has no direct access to the project itself. Roles designed for project use, such as the Security **Tier 1 analyst** role, have only **Viewer** access to the relevant projects through Elastic Cloud APIs.
  API keys with custom roles are also limited to **Viewer** access in the project.
- **Cloud, Elasticsearch, and Kibana API access**: The API key can use the role’s permissions to fully interact with the project. This selection is required for custom roles to work as intended, because they rely on the Elasticsearch and Kibana serverless APIs for project-level access.

For details on the permissions granted for each role, refer to the [predefined roles table](/elastic/docs-builder/docs/3028/deploy-manage/users-roles/cloud-organization/user-roles#general-assign-user-roles-table).