elastic · kilfoyle · Jun 18, 2025 · Jun 18, 2025 · Jun 19, 2025 · Jun 19, 2025
@@ -15,7 +15,7 @@ Several types of {{es}} API keys exist:
 * **Cross-cluster** API key: allows other clusters to connect to this cluster.
 * **Managed** API key: created and managed by {{kib}} to run background tasks.
 
-To manage API keys in {{kib}}, go to the **API Keys** management page using the navigation menu or the [global search field](../../explore-analyze/find-and-organize/find-apps-and-objects.md).
+To manage API keys in {{kib}}, go to the **API Keys** management page using the navigation menu (**Management > Stack Management > API Keys**) or the [global search field](../../explore-analyze/find-and-organize/find-apps-and-objects.md).
 
 ![API Keys UI](/deploy-manage/images/kibana-api-keys.png "")
 
@@ -33,23 +33,42 @@ To manage roles, go to the **Roles** management page using the navigation menu o
 
 ## Create an API key [create-api-key]
 
-To create an API key, go to the **API Keys** management page using the navigation menu or the [global search field](../../explore-analyze/find-and-organize/find-apps-and-objects.md), and select **Create API key**.
+Two methods are available to create an API key:
 
-![Create API Key UI](/deploy-manage/images/kibana-create-ccr-api-key.png "")
+* As a quick option to create a personal API key from anywhere in {{kib}}:
+  1. Select the **Help menu (![help icon](/deploy-manage/images/help-icon.svg
+ "")) → Connection details → API key**.
+  1. Give the key a name.
+  1. Select **Create API key**.
+
+  Your personal API key is created with a default expiration of 90 days from the time of creation. You can manage the key from the **API Keys** page.
 
-Refer to the [Create API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key) documentation to learn more about creating user API keys.
+* To create a personal or cross-cluster API key with configurable options, go to the **API Keys** page using the navigation menu (**Management > Stack Management > API Keys**) or the [global search field](../../explore-analyze/find-and-organize/find-apps-and-objects.md), and select **Create API key**.
 
-Refer to the [Create cross-cluster API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-cross-cluster-api-key) documentation to learn more about creating cross-cluster API keys.
+  ![Create API Key UI](/deploy-manage/images/kibana-create-user-api-key.png "")
 
+  1. Choose to create either a user or a cross-cluster API key.
+  2. Optionally, set an expiry date. By default the API key will not expire, but it's a good security practice to give the key a limited lifespan.
+  3. Configure access:
+    * For a user API key, you can opt to configure access to specific {{es}} APIs and resources by assigning the key with predefined roles or custom privileges. Refer to [Defining roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md) and the [Create API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key) API documentation to learn more.
+    * For a cross-cluster API key, you can control the indices that other clusters have access to. Refer to the [Create cross-cluster API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-cross-cluster-api-key) API documentation to learn more.
+  4. Add any additional metadata about the API as one or more key-value pairs. Refer to the [Create API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key) API documentation for examples.
 
 ## Update an API key [update-api-key]
 
-To update an API key, go to the **API Keys** management page using the navigation menu or the [global search field](../../explore-analyze/find-and-organize/find-apps-and-objects.md), and then click on the name of the key. You cannot update the name or the type of API key.
+To update an API key, go to the **API Keys** management page using the navigation menu (**Management > Stack Management > API Keys**) or the [global search field](../../explore-analyze/find-and-organize/find-apps-and-objects.md), and then click on the name of the key. You cannot update the name or the type of an API key.
 
-Refer to the [Update API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-update-api-key) documentation to learn more about updating user API keys.
-
-Refer to the [Update cross-cluster API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-update-cross-cluster-api-key) documentation to learn more about updating cross-cluster API keys.
+* For a user API key, you can update:
+  * The API key's access to {{es}} APIs and resources.
+  * The metadata associated with the key.
+
+  Refer to the [Update API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-update-api-key) API documentation to learn more.
 
+* For a cross-cluster API key, you can update:
+  * The indices that other clusters have access to.
+  * The metadata associated with the key.
+
+  Refer to the [Update cross-cluster API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-update-cross-cluster-api-key) API documentation to learn more.
 
 ## View and delete API keys [view-api-keys]
 

@@ -46,9 +46,9 @@ API keys are intended for programmatic access. Don’t use API keys to authentic
 
 
 
-### Restrict privileges [api-keys-restrict-privileges]
+### Control security privileges [api-keys-restrict-privileges]
 
-When you create or update an API key, use **Restrict privileges** to limit the permissions. Define the permissions using a JSON `role_descriptors` object, where you specify one or more roles and the associated privileges.
+When you create or update an API key, use **Control security privileges** to configure access to specific {{es}} APIs and resources. Define the permissions using a JSON `role_descriptors` object, where you specify one or more roles and the associated privileges.
 
 For example, the following `role_descriptors` object defines a `books-read-only` role that limits the API key to `read` privileges on the `books` index.