Create a service account token Generally available

PUT /_security/service/{namespace}/{service}/credential/token/{name}
Api key auth Basic auth Bearer auth

Create a service accounts token for access without requiring basic authentication.

NOTE: Service account tokens never expire. You must actively delete them if they are no longer needed.

Required authorization

  • Cluster privileges: manage_service_account
External documentation

Path parameters

  • namespace string Required

    The name of the namespace, which is a top-level grouping of service accounts.

  • service string Required

    The name of the service.

  • name string Required

    The name for the service account token. If omitted, a random name will be generated.

    Token names must be at least one and no more than 256 characters. They can contain alphanumeric characters (a-z, A-Z, 0-9), dashes (-), and underscores (_), but cannot begin with an underscore.

    NOTE: Token names must be unique in the context of the associated service account. They must also be globally unique with their fully qualified names, which are comprised of the service account principal and token name, such as <namespace>/<service>/<token-name>.

Query parameters

  • refresh string

    If true then refresh the affected shards to make this operation visible to search, if wait_for (the default) then wait for a refresh to make this operation visible to search, if false then do nothing with refreshes.

    Values are true, false, or wait_for.

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • created boolean Required
    • token object Required
      Hide token attributes Show token attributes object
      • name string Required
      • value string Required
PUT /_security/service/{namespace}/{service}/credential/token/{name} 
curl \
 --request PUT 'http://api.example.com/_security/service/{namespace}/{service}/credential/token/{name}' \
 --header "Authorization: $API_KEY"
Response examples (200)
A successful response from `POST /_security/service/elastic/fleet-server/credential/token/token1`. The response includes the service account token, its name, and its secret value as a bearer token. 
{
  "created": true,
  "token": {
    "name": "token1",
    "value": "AAEAAWVsYXN0aWM...vZmxlZXQtc2VydmVyL3Rva2VuMTo3TFdaSDZ" 
  }
}