Revoke an API Key API

Introduced 3.7

Revokes an API key, making it immediately unusable for authentication. This is a soft delete: the key remains visible in list responses with a revoked_at timestamp.

Note the following behavior when revoking API keys:

Revocation is synchronous: the key is broadcasted as invalid to all nodes before the response is returned.
Revoked keys cannot be reactivated.
The key name cannot be reused after revocation.

Endpoints

DELETE /_plugins/_security/api/apitokens/{id}

Path parameters

The following table lists the available path parameters.

Parameter	Data type	Description
`id`	String	The unique identifier of the key to revoke. Required.

Example request

DELETE /_plugins/_security/api/apitokens/DjxGIp4BkXkgMZpmeGvx

Example response

{
  "message": "Token revoked successfully"
}

Endpoints
Path parameters
Example request
Example response

WAS THIS PAGE HELPFUL?

✔ Yes ✖ No

Tell us why

350 characters left

Have a question? Ask us on the OpenSearch forum.

Want to contribute? Edit this page or create an issue.

Revoke an API Key API

Endpoints

Path parameters

Example request

Example response

OpenSearch Links

Get Involved

Resources

Contact Us