---
title: Fleet enrollment tokens
description: Create, filter, revoke, and delete Fleet enrollment tokens that enroll Elastic Agents into agent policies, individually or in bulk.
url: https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6709/reference/fleet/fleet-enrollment-tokens
products:
  - Elastic Agent
  - Fleet
applies_to:
  - Elastic Cloud Serverless: Generally available
  - Elastic Stack: Generally available
---

# Fleet enrollment tokens

A Fleet enrollment token (referred to as an `enrollment API key` in the Fleet API documentation) is an Elasticsearch API key that you use to enroll one or more Elastic Agents in Fleet. The enrollment token enrolls the Elastic Agent in a specific agent policy that defines the data to be collected by the agent and which output to use. You can use the token as many times as needed. It remains valid until you revoke or delete it.

The enrollment token is used for the initial communication between Elastic Agent and Fleet Server. After the initial connection request from Elastic Agent, Fleet Server passes a communication API key to the agent. This API key includes only the necessary permissions to communicate with Fleet Server. If the API key is not valid, Fleet Server stops communicating with Elastic Agent.

Depending on the agent policy's output type, Fleet Server also passes additional data to Elastic Agent:
- For the Elasticsearch and remote Elasticsearch outputs, it passes an output API key.
  This API key is used to send data to Elasticsearch. It has the minimal permissions needed to ingest all the data specified by the agent policy. If the API key is not valid, Elastic Agent stops ingesting data into Elasticsearch.
- For the Kafka output, it passes authentication parameters.
  The authentication parameters are defined in the authentication settings of the Kafka output and are used by Elastic Agent to authenticate with the Kafka cluster before sending data to it.
- For the Logstash output, it passes SSL/TLS configuration details.
  The SSL/TLS configuration details such as the SSL certificate authority, the SSL certificate, and the SSL certificate key are defined during Logstash output creation. Elastic Agent uses SSL/TLS client authentication to authenticate with the Logstash pipeline before sending data to it.

<note>
  Although an API key is generated during Logstash output creation, this key is not passed to Elastic Agent by Fleet Server. If the Logstash pipeline uses the Elasticsearch output, this API key is used by Logstash to authenticate with the Elasticsearch cluster before sending data to it.
</note>


## Create enrollment tokens

Create enrollment tokens and use them to enroll Elastic Agents in specific policies.
<tip>
  When you use the Fleet UI to create a new agent policy, Fleet automatically creates an enrollment token for that policy.
</tip>

To create an enrollment token:
1. In Kibana, find Fleet in the navigation menu or use the [global search field](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6709/explore-analyze/find-and-organize/find-apps-and-objects).
2. Open the **Enrollment tokens** tab, then click **Create enrollment token**.
3. Name your token and select an agent policy.
   The token name you specify must be unique to avoid conflict with any existing API keys.
4. Click **Create enrollment token**.
5. In the list of tokens, click the **Show token** icon `eye` to display the token secret.

All Elastic Agents enrolled with this token use the selected policy unless you assign or enroll them in a different policy.

To learn how to install Elastic Agents and enroll them in Fleet, refer to [Install Elastic Agents](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6709/reference/fleet/install-elastic-agents).
<tip>
  You can use the Fleet API to get a list of enrollment tokens. For more information, refer to [Fleet enrollment API keys](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-fleet-enrollment-api-keys).
</tip>


## Filter enrollment tokens

The **Enrollment tokens** tab provides controls to help you find specific tokens:
- Use the search bar to filter tokens using [Kibana Query Language (KQL)](https://docs-v3-preview.elastic.dev/elastic/elasticsearch/tree/main/reference/query-languages/kql).
- <applies-to>Elastic Stack: Planned</applies-to> Use the **Agent policy** dropdown to select one or more policies and show only tokens associated with those policies.
- <applies-to>Elastic Stack: Planned</applies-to> Use the **Active** and **Inactive** filters to show tokens in that status. The **Active** filter is selected by default.


## Revoke enrollment tokens

You can revoke an enrollment token that you no longer want to use to enroll Elastic Agents in an agent policy in Fleet. Revoking an enrollment token invalidates the API key, so you can no longer use this token to enroll agents. Agents that are already enrolled continue to function.

To revoke an enrollment token:
1. In Fleet, open the **Enrollment tokens** tab.
2. Locate the token you want to revoke. Use the [filters](#filter-fleet-enrollment-tokens) if needed.
3. In the **Actions** column for the token:
   - <applies-to>Elastic Stack: Planned</applies-to> Click the actions icon `ellipsis`, then select **Revoke**.
   - <applies-to>Elastic Stack: Generally available from 9.0 to 9.4</applies-to> Click the **Revoke token** icon `trash`.
4. In the confirmation dialog, confirm the action.

<applies-to>Elastic Stack: Planned</applies-to> To revoke several tokens in a single operation, refer to [Bulk revoke or delete enrollment tokens](#bulk-revoke-delete-fleet-enrollment-tokens).

Revoking an enrollment token doesn't delete it immediately. Deletion occurs automatically after the duration specified in the Elasticsearch [`xpack.security.authc.api_key.delete.retention_period`](https://docs-v3-preview.elastic.dev/elastic/elasticsearch/tree/main/reference/elasticsearch/configuration-reference/security-settings#api-key-service-settings-delete-retention-period) setting has expired. Refer to [Invalidate API key API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-invalidate-api-key) for details.

Until the enrollment token is deleted:
- The token name can't be reused when you [create an enrollment token](#create-fleet-enrollment-tokens).
- You can still view the token in the Fleet UI.
- The token is returned by a `GET /api/fleet/enrollment_api_keys` API request. Revoked enrollment tokens are identified by `"active": false`.
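
An added example (not part of the Elastic documentation) that audits a token list like the one `GET /api/fleet/enrollment_api_keys` returns: it separates revoked tokens that are still retained from active tokens old enough to rotate, because a token stays usable for enrollment until it is revoked or deleted. The sample response is constructed, and every field name other than `active`, along with the 90-day threshold, is an assumption.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample body for GET /api/fleet/enrollment_api_keys. Only "active"
# is stated on this page; "items" and the other field names are assumptions.
SAMPLE = json.loads("""{"items": [
 {"id": "tok-1", "policy_id": "policy-a", "active": true,  "created_at": "2024-01-10T08:00:00.000Z"},
 {"id": "tok-2", "policy_id": "policy-b", "active": true,  "created_at": "2024-05-20T08:00:00.000Z"},
 {"id": "tok-3", "policy_id": "policy-b", "active": false, "created_at": "2023-11-02T08:00:00.000Z"},
 {"id": "tok-4", "policy_id": "policy-c", "active": true},
 {"id": "tok-5", "policy_id": "policy-a", "active": true,  "created_at": "2024-02-01T08:00:00.000Z"}
]}""")


def parse_ts(value):
    """Parse a UTC timestamp such as 2024-01-10T08:00:00.000Z."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
    return parsed.replace(tzinfo=timezone.utc)


def audit_tokens(response, now, max_age_days=90):
    """Classify tokens: stale usable ones per policy (rotation candidates),
    revoked ones still retained, and entries that cannot be evaluated."""
    cutoff = now - timedelta(days=max_age_days)
    report = {"stale_active": {}, "revoked_retained": [], "malformed": []}
    for item in response.get("items", []):
        token_id = item.get("id")
        if item.get("active") is False:
            # Revoked: cannot enroll agents, but still listed until deletion.
            report["revoked_retained"].append(token_id)
            continue
        try:
            created = parse_ts(item["created_at"])
        except (KeyError, TypeError, ValueError):
            # No usable creation time: surface it instead of silently passing.
            report["malformed"].append(token_id)
            continue
        # Anything not explicitly revoked is treated as usable for enrollment.
        if created < cutoff:
            report["stale_active"].setdefault(item.get("policy_id"), []).append(token_id)
    return report


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    print(json.dumps(audit_tokens(SAMPLE, now), indent=2))
```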


## Delete enrollment tokens

<applies-to>
  - Elastic Cloud Serverless: Generally available
  - Elastic Stack: Planned
</applies-to>

Deleting an enrollment token invalidates the underlying API key and removes the token document from Elasticsearch.
<note>
  Tokens that belong to managed or agentless agent policies don't appear on the **Enrollment tokens** tab and can't be managed from the UI.
</note>

To delete an enrollment token:
1. In Fleet, open the **Enrollment tokens** tab.
2. Locate the token to delete. Use the [filters](#filter-fleet-enrollment-tokens) if needed.
3. In the **Actions** column for the token, click the actions icon `ellipsis`, then select **Delete token**.
4. In the confirmation dialog, click **Delete token**.


## Revoke or delete multiple enrollment tokens

<applies-to>
  - Elastic Cloud Serverless: Generally available
  - Elastic Stack: Planned
</applies-to>

To revoke or delete multiple enrollment tokens at the same time:
1. In Fleet, open the **Enrollment tokens** tab.
2. Use the [filters](#filter-fleet-enrollment-tokens) to narrow the list, if needed.
3. Select the checkboxes for the tokens you want to manage. To select every token that matches the current filters, select the checkbox in the table header.
4. From the **_x_ tokens selected** menu, select **Revoke tokens** or **Delete tokens**.
5. In the confirmation dialog, confirm the action.

A notification reports the number of tokens that were processed successfully and any errors that occurred. Tokens that belong to managed or agentless policies are skipped automatically.
<tip>
  To perform bulk operations programmatically, use the `POST /api/fleet/enrollment_api_keys/_bulk_delete` endpoint. For more information, refer to [Bulk revoke or delete enrollment API keys](https://www.elastic.co/docs/api/doc/kibana/operation/operation-post-fleet-enrollment-api-keys-bulk-delete).
</tip>