Get a token
Generally available; Added in 5.5.0
Create a bearer token for access without requiring basic authentication.
The tokens are created by the Elasticsearch Token Service, which is automatically enabled when you configure TLS on the HTTP interface.
Alternatively, you can explicitly enable the xpack.security.authc.token.enabled
setting.
When you are running in production mode, a bootstrap check prevents you from enabling the token service unless you also enable TLS on the HTTP interface.
The get token API takes the same parameters as a typical OAuth 2.0 token API except for the use of a JSON request body.
A successful get token API call returns a JSON structure that contains the access token, the amount of time (seconds) that the token expires in, the type, and the scope if available.
The tokens returned by the get token API have a finite period of time for which they are valid and after that time period, they can no longer be used.
That time period is defined by the xpack.security.authc.token.timeout
setting.
If you want to invalidate a token immediately, you can do so by using the invalidate token API.
Required authorization
- Cluster privileges:
manage_token
Body
Required
-
The type of grant. Supported grant types are:
password
,_kerberos
,client_credentials
, andrefresh_token
.Supported values include:
password
: This grant type implements the Resource Owner Password Credentials Grant of OAuth2. In this grant, a trusted client exchanges the end user's credentials for an access token and (possibly) a refresh token. The request needs to be made by an authenticated user but happens on behalf of another authenticated user (the one whose credentials are passed as request parameters). This grant type is not suitable or designed for the self-service user creation of tokens.client_credentials
: This grant type implements the Client Credentials Grant of OAuth2. It is geared for machine to machine communication and is not suitable or designed for the self-service user creation of tokens. It generates only access tokens that cannot be refreshed. The premise is that the entity that usesclient_credentials
has constant access to a set of (client, not end-user) credentials and can authenticate itself at will._kerberos
: This grant type is supported internally and implements SPNEGO based Kerberos support. The_kerberos
grant type may change from version to version.refresh_token
: This grant type implements the Refresh Token Grant of OAuth2. In this grant a user exchanges a previously issued refresh token for a new access token and a new refresh token.
Values are
password
,client_credentials
,_kerberos
, orrefresh_token
. -
The scope of the token. Currently tokens are only issued for a scope of FULL regardless of the value sent with the request.
-
The user's password. If you specify the
password
grant type, this parameter is required. This parameter is not valid with any other supported grant type. -
The base64 encoded kerberos ticket. If you specify the
_kerberos
grant type, this parameter is required. This parameter is not valid with any other supported grant type. -
The string that was returned when you created the token, which enables you to extend its life. If you specify the
refresh_token
grant type, this parameter is required. This parameter is not valid with any other supported grant type. -
The username that identifies the user. If you specify the
password
grant type, this parameter is required. This parameter is not valid with any other supported grant type.
POST /_security/oauth2/token
{
"grant_type" : "client_credentials"
}
resp = client.security.get_token(
grant_type="client_credentials",
)
const response = await client.security.getToken({
grant_type: "client_credentials",
});
response = client.security.get_token(
body: {
"grant_type": "client_credentials"
}
)
$resp = $client->security()->getToken([
"body" => [
"grant_type" => "client_credentials",
],
]);
curl -X POST -H "Authorization: ApiKey $ELASTIC_API_KEY" -H "Content-Type: application/json" -d '{"grant_type":"client_credentials"}' "$ELASTICSEARCH_URL/_security/oauth2/token"
client.security().getToken(g -> g
.grantType(AccessTokenGrantType.ClientCredentials)
);
{
"grant_type" : "client_credentials"
}
{
"grant_type" : "password",
"username" : "test_admin",
"password" : "x-pack-test-password"
}
{
"access_token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==",
"type" : "Bearer",
"expires_in" : 1200,
"authentication" : {
"username" : "test_admin",
"roles" : [
"superuser"
],
"full_name" : null,
"email" : null,
"metadata" : { },
"enabled" : true,
"authentication_realm" : {
"name" : "file",
"type" : "file"
},
"lookup_realm" : {
"name" : "file",
"type" : "file"
},
"authentication_type" : "realm"
}
}
{
"access_token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==",
"type" : "Bearer",
"expires_in" : 1200,
"authentication" : {
"username" : "test_admin",
"roles" : [
"superuser"
],
"full_name" : null,
"email" : null,
"metadata" : { },
"enabled" : true,
"authentication_realm" : {
"name" : "file",
"type" : "file"
},
"lookup_realm" : {
"name" : "file",
"type" : "file"
},
"authentication_type" : "realm"
}
}