[role="xpack"] [[security-api-invalidate-api-key]] === Invalidate API key API ++++ Invalidate API key ++++ Invalidates one or more API keys. [[security-api-invalidate-api-key-request]] ==== {api-request-title} `DELETE /_security/api_key` [[security-api-invalidate-api-key-prereqs]] ==== {api-prereq-title} * To use this API, you must have at least the `manage_api_key` cluster privilege. [[security-api-invalidate-api-key-desc]] ==== {api-description-title} The API keys created by <> can be invalidated using this API. [[security-api-invalidate-api-key-request-body]] ==== {api-request-body-title} The following parameters can be specified in the body of a DELETE request and pertain to invalidating api keys: `id`:: (Optional, string) An API key id. This parameter cannot be used when any of `ids`, `name`, `realm_name` or `username` are used. `ids`:: (Optional, array of string) A list of API key ids. This parameter cannot be used when any of `id`, `name`, `realm_name`, `username` are used `name`:: (Optional, string) An API key name. This parameter cannot be used with any of `id`, `realm_name` or `username` are used. `realm_name`:: (Optional, string) The name of an authentication realm. This parameter cannot be used with either `id` or `name` or when `owner` flag is set to `true`. `username`:: (Optional, string) The username of a user. This parameter cannot be used with either `id` or `name` or when `owner` flag is set to `true`. `owner`:: (Optional, Boolean) A boolean flag that can be used to query API keys owned by the currently authenticated user. Defaults to false. The 'realm_name' or 'username' parameters cannot be specified when this parameter is set to 'true' as they are assumed to be the currently authenticated ones. NOTE: At least one of "id", "name", "username" and "realm_name" must be specified if "owner" is "false" (default). [[security-api-invalidate-api-key-response-body]] ==== {api-response-body-title} A successful call returns a JSON structure that contains the ids of the API keys that were invalidated, the ids of the API keys that had already been invalidated, and potentially a list of errors encountered while invalidating specific api keys. [[security-api-invalidate-api-key-example]] ==== {api-examples-title} If you create an API key as follows: [source,console] ------------------------------------------------------------ POST /_security/api_key { "name": "my-api-key" } ------------------------------------------------------------ A successful call returns a JSON structure that provides API key information. For example: [source,console-result] -------------------------------------------------- { "id":"VuaCfGcBCdbkQm-e5aOx", "name":"my-api-key", "api_key":"ui2lp2axTNmsyakw9tvNnw" } -------------------------------------------------- // TESTRESPONSE[s/VuaCfGcBCdbkQm-e5aOx/$body.id/] // TESTRESPONSE[s/ui2lp2axTNmsyakw9tvNnw/$body.api_key/] The following example invalidates the API key identified by specified `id` immediately: [source,console] -------------------------------------------------- DELETE /_security/api_key { "id" : "VuaCfGcBCdbkQm-e5aOx" } -------------------------------------------------- // TEST[s/VuaCfGcBCdbkQm-e5aOx/$body.id/] // TEST[continued] The above request can also be performed using the `ids` field which takes a list of API keys for bulk invalidation: [source,console] -------------------------------------------------- DELETE /_security/api_key { "ids" : [ "VuaCfGcBCdbkQm-e5aOx" ] } -------------------------------------------------- The following example invalidates the API key identified by specified `name` immediately: [source,console] -------------------------------------------------- DELETE /_security/api_key { "name" : "my-api-key" } -------------------------------------------------- The following example invalidates all API keys for the `native1` realm immediately: [source,console] -------------------------------------------------- DELETE /_security/api_key { "realm_name" : "native1" } -------------------------------------------------- The following example invalidates all API keys for the user `myuser` in all realms immediately: [source,console] -------------------------------------------------- DELETE /_security/api_key { "username" : "myuser" } -------------------------------------------------- The following example invalidates the API key identified by the specified `id` if it is owned by the currently authenticated user immediately: [source,console] -------------------------------------------------- DELETE /_security/api_key { "id" : "VuaCfGcBCdbkQm-e5aOx", "owner" : "true" } -------------------------------------------------- The following example invalidates all API keys owned by the currently authenticated user immediately: [source,console] -------------------------------------------------- DELETE /_security/api_key { "owner" : "true" } -------------------------------------------------- Finally, the following example invalidates all API keys for the user `myuser` in the `native1` realm immediately: [source,console] -------------------------------------------------- DELETE /_security/api_key { "username" : "myuser", "realm_name" : "native1" } -------------------------------------------------- [source,js] -------------------------------------------------- { "invalidated_api_keys": [ <1> "api-key-id-1" ], "previously_invalidated_api_keys": [ <2> "api-key-id-2", "api-key-id-3" ], "error_count": 2, <3> "error_details": [ <4> { "type": "exception", "reason": "error occurred while invalidating api keys", "caused_by": { "type": "illegal_argument_exception", "reason": "invalid api key id" } }, { "type": "exception", "reason": "error occurred while invalidating api keys", "caused_by": { "type": "illegal_argument_exception", "reason": "invalid api key id" } } ] } -------------------------------------------------- // NOTCONSOLE <1> The IDs of the API keys that were invalidated as part of this request. <2> The IDs of the API keys that were already invalidated. <3> The number of errors that were encountered when invalidating the API keys. <4> Details about these errors. This field is not present in the response when `error_count` is 0.