12 changes: 7 additions & 5 deletions deploy-manage/api-keys.md
Expand Up @@ -13,13 +13,15 @@ navigation_title: API keys

API keys are security mechanisms used to authenticate and authorize access to your deployments and {{es}} resources.

They ensure that only authorized users or applications interact with these resources through [Elastic APIs](https://www.elastic.co/docs/api/).
They ensure that only authorized users or applications interact with these resources through [Elastic APIs]({{apis}}).

For example, if you extract data from an {{es}} cluster on a daily basis, you might create an API key tied to your credentials, configure it with minimum access, and then put the API credentials into a cron job. Or you might create API keys to automate ingestion of new data from remote sources, without a live user interaction.

Depending on the APIs you want to use, the API keys to create are different, and managed at different locations:

- **[](api-keys/elasticsearch-api-keys.md)**, to use [{{es}}](https://www.elastic.co/docs/api/doc/elasticsearch/) and [{{kib}}](https://www.elastic.co/docs/api/doc/kibana/) APIs, and to manage remote cluster connections.
- **[](api-keys/serverless-project-api-keys.md)**, to use [{{es}}](https://www.elastic.co/docs/api/doc/elasticsearch-serverless/) and [{{kib}}](https://www.elastic.co/docs/api/doc/serverless/) serverless APIs.
- **[](api-keys/elastic-cloud-api-keys.md)**, to manage your {{ecloud}} organization, {{ech}} deployments, and serverless projects using the [{{ecloud}}](https://www.elastic.co/docs/api/doc/cloud/) and [{{ecloud}} serverless](https://www.elastic.co/docs/api/doc/elastic-cloud-serverless/) APIs.
- **[](api-keys/elastic-cloud-enterprise-api-keys.md)**, to manage your {{ece}} platform and deployments using the [{{ece}}](https://www.elastic.co/docs/api/doc/cloud-enterprise/) API.
| Type | Applicability | Purpose |
| --- | --- | --- |
| [](api-keys/elasticsearch-api-keys.md) | {applies_to}`stack: ga` | • Use [{{es}}]({{es-apis}}) and [{{kib}}]({{kib-apis}}) APIs in stack-versioned deployments, including ECH, ECE, ECK, and self-managed clusters.<br><br>• Manage remote cluster connections. |
| [](api-keys/serverless-project-api-keys.md) | {applies_to}`serverless: ga`| Use [{{es}}]({{es-serverless-apis}}) and [{{kib}}]({{kib-serverless-apis}}) serverless APIs. |
| [](api-keys/elastic-cloud-api-keys.md) | {applies_to}`ess: ga` {applies_to}`serverless: ga` | • Manage your {{ecloud}} organization, {{ech}} deployments, and serverless projects using the [{{ecloud}}]({{cloud-apis}}) and [{{ecloud}} serverless]({{cloud-serverless-apis}}) APIs.<br><br>• {applies_to}`serverless: ga` Use [{{es}}]({{es-serverless-apis}}) and [{{kib}}]({{kib-serverless-apis}}) serverless APIs. Using {{ecloud}} keys for project-level API access allows you to create keys that can interact with multiple projects,and manage API access centrally from the {{ecloud}} console. |
|[](api-keys/elastic-cloud-enterprise-api-keys.md) | {applies_to}`ece: ga` | Manage your {{ece}} platform and deployments using the [{{ece}}]({{ece-apis}}) API. |
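Review bot: In the {{ecloud}} API keys row, the sentence on project-level access presents only the convenience of one key reaching multiple projects, while the intro paragraph recommends configuring a key "with minimum access". Suggest adding a clause or link that says how such a key's access is limited per project, so readers do not default to a single broad key. Two formatting nits in the same table: `multiple projects,and manage` is missing a space after the comma, and the cell delimiters in `` `serverless: ga`| `` and `|[](api-keys/elastic-cloud-enterprise-api-keys.md)` lack the space the other rows use.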
2 changes: 1 addition & 1 deletion deploy-manage/api-keys/elastic-cloud-api-keys.md
Expand Up @@ -11,7 +11,7 @@ products:

# {{ecloud}} API keys [ec-api-authentication]

{{ecloud}} API keys allow you to use the [{{ecloud}}](https://www.elastic.co/docs/api/doc/cloud/) and [{{ecloud}} serverless](https://www.elastic.co/docs/api/doc/elastic-cloud-serverless/) APIs.
{{ecloud}} API keys allow you to use the [{{ecloud}}]({{cloud-apis}}) and [{{ecloud}} serverless]({{cloud-serverless-apis}}) APIs.

With a valid {{ecloud}} API key, you can access the API from its base URL at `api.elastic-cloud.com`.
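Review bot: The replacement link targets `{{cloud-apis}}` and `{{cloud-serverless-apis}}` are substitutions whose definitions are not part of this diff. Please confirm they are already defined for the docset, or add the definitions in this PR, since an undefined substitution would leave these links unresolved. The same check applies to `{{apis}}`, `{{es-apis}}`, `{{kib-apis}}` and the other `*-apis` keys used in the other files.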

7 changes: 6 additions & 1 deletion deploy-manage/api-keys/elasticsearch-api-keys.md
Expand Up @@ -11,10 +11,15 @@ products:

Several types of {{es}} API keys exist:

* **Personal/User** API key: allows external services to access the {{stack}} on behalf of a user.
* **Personal/User** API key: allows external services to access the {{stack}}, including the [{{es}}]({{es-apis}}) and [{{kib}}]({{kib-apis}}) APIs, on behalf of a user.
* **Cross-cluster** API key: allows other clusters to connect to this cluster.
* **Managed** API key: created and managed by {{kib}} to run background tasks.

:::{tip}
:applies_to: serverless:
To create equivalent keys for {{serverless-full}} projects, refer to [](serverless-project-api-keys.md). For Serverless projects, you can also create [{{ecloud}} API keys](/deploy-manage/api-keys/elastic-cloud-api-keys.md) that include access to {{es}} and {{kib}} APIs.
:::

To manage API keys in {{kib}}, go to the **API keys** management page in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).

![API Keys UI](/deploy-manage/images/kibana-api-keys.png "")
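Review bot: The new tip sets `:applies_to: serverless:` with no lifecycle value after the key, whereas the other applicability tags in this PR use `serverless: ga`. Suggest `:applies_to: serverless: ga` for consistency, unless the empty value is intentional. The tip also switches between `{{serverless-full}} projects` and "Serverless projects" within two sentences; pick one form.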
15 changes: 7 additions & 8 deletions deploy-manage/api-keys/serverless-project-api-keys.md
Expand Up @@ -9,19 +9,22 @@ products:

# Serverless project API keys [api-keys]

In serverless projects, the following types of API keys exist:
In Serverless projects, the following types of API keys exist:

- **Personal** API keys, that you can create to allow external services to access your serverless project on behalf of a user.
- **Personal** API keys, that you can create to allow external services to access your serverless project, including the [{{es}}]({{es-apis}}) and [{{kib}}]({{kib-apis}}) APIs, on behalf of a user.
- **Managed** API keys, created and managed by {{kib}} to correctly run background tasks.

You can manage your keys in **{{project-settings}} → {{manage-app}} → API keys**:
:::{admonition} Manage serverless project API access using {{ecloud}} API keys
As an alternative to using Serverless project API keys, which are tied to a single project, you can create [{{ecloud}} API keys](/deploy-manage/api-keys/elastic-cloud-api-keys.md) that include access to projects' {{es}} and {{kib}} APIs. This allows you to create keys that can interact with multiple projects, and manage API access centrally from the {{ecloud}} console.
:::

To manage API keys in {{kib}}, go to the **API keys** management page in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).

:::{image} /deploy-manage/images/serverless-api-key-management.png
:alt: API keys UI
:screenshot:
:::


## Create an API key [api-keys-create-an-api-key]

In **API keys**, click **Create API key**:
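Review bot: The **Personal** bullet links to `{{es-apis}}` and `{{kib-apis}}`, but this is the Serverless page, and the table in deploy-manage/api-keys.md uses `{{es-serverless-apis}}` and `{{kib-serverless-apis}}` for Serverless project keys. Suggest switching to the serverless substitutions so readers land on the matching API reference. Capitalization is also inconsistent after the edit: "In Serverless projects" in the intro versus "your serverless project" in the bullet and "Manage serverless project API access" in the admonition title.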
Expand All @@ -44,8 +47,6 @@ API keys are intended for programmatic access. Don’t use API keys to authentic

::::



### Control security privileges [api-keys-restrict-privileges]

When you create or update an API key, use **Control security privileges** to configure access to specific {{es}} APIs and resources. Define the permissions using a JSON `role_descriptors` object, where you specify one or more roles and the associated privileges.
Expand Down Expand Up @@ -74,12 +75,10 @@ For example, the following `role_descriptors` object defines a `books-read-only`

For the `role_descriptors` object schema, check out the [`/_security/api_key` endpoint](https://www.elastic.co/docs/api/doc/elasticsearch-serverless/operation/operation-security-create-api-key) docs. For supported privileges, check [Security privileges](elasticsearch://reference/elasticsearch/security-privileges.md#privileges-list-indices).


## Update an API key [api-keys-update-an-api-key]

In **API keys**, click on the name of the key. You can update only **Restrict privileges** and **Include metadata**.


## View and delete API keys [api-keys-view-and-delete-api-keys]

The **API keys** app lists your API keys, including the name, date created, and status. When API keys expire, the status changes from `Active` to `Expired`.
6 changes: 3 additions & 3 deletions deploy-manage/cloud-organization.md
Expand Up @@ -3,8 +3,8 @@ mapped_pages:
- https://www.elastic.co/guide/en/cloud/current/ec-organizations.html
applies_to:
deployment:
ess: all
serverless: all
ess: ga
serverless: ga
products:
- id: cloud-hosted
---
Expand All @@ -21,7 +21,7 @@ You can perform the following tasks to manage your Cloud organization:
* [Assign roles and privileges](/deploy-manage/users-roles/cloud-organization/user-roles.md)
* [Create custom roles](/deploy-manage/users-roles/cloud-enterprise-orchestrator.md) ({{serverless-short}} only)
* [Configure SAML single sign-on](/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md) to your organization
* [Manage API keys](/deploy-manage/api-keys.md) to use with the [{{ecloud}}](https://www.elastic.co/docs/api/doc/cloud), [{{ecloud}} Billing](https://www.elastic.co/docs/api/doc/cloud-billing/), and [{{serverless-full}}](https://www.elastic.co/docs/api/doc/elastic-cloud-serverless) APIs
* [Manage API keys](/deploy-manage/api-keys.md) to use with the [{{ecloud}}](https://www.elastic.co/docs/api/doc/cloud), [{{ecloud}} Billing](https://www.elastic.co/docs/api/doc/cloud-billing/), and [{{serverless-full}}](https://www.elastic.co/docs/api/doc/elastic-cloud-serverless) APIs. For {{serverless-full}} projects, you can also create {{ecloud}} API keys that grant access to project-level {{es}} and {{kib}} APIs.
* Configure who receives [operational emails](/deploy-manage/cloud-organization/operational-emails.md) related to your organization
* Track the [status of {{ecloud}} services](/deploy-manage/cloud-organization/service-status.md).
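Review bot: The updated **Manage API keys** bullet still hard-codes `https://www.elastic.co/docs/api/doc/cloud` and the other API URLs, while the rest of this PR moves those links to substitutions such as `{{cloud-apis}}` and `{{cloud-serverless-apis}}`. Suggest using the substitutions here too. The added sentence about {{ecloud}} API keys granting project-level {{es}} and {{kib}} access also carries no link; pointing it at /deploy-manage/api-keys/elastic-cloud-api-keys.md would match how the other files in this PR reference it.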

8 changes: 5 additions & 3 deletions deploy-manage/users-roles/cloud-organization.md
Expand Up @@ -4,8 +4,8 @@ mapped_pages:
- https://www.elastic.co/guide/en/cloud/current/ec-organizations.html
applies_to:
deployment:
ess: all
serverless: all
ess: ga
serverless: ga
products:
- id: cloud-hosted
---
Expand All @@ -22,14 +22,16 @@ You can perform the following tasks to control access to your Cloud organization
* If you have {{serverless-full}} projects, assign project-level roles and create custom roles.
* Configure [SAML single sign-on](/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md) for your organization.

You can also control programmatic access to {{ecloud}}, your deployments, and your projects using [API keys](/deploy-manage/api-keys.md).

:::{tip}
If you're using {{ech}}, then you can also manage users and control access [at the deployment level](/deploy-manage/users-roles/cluster-or-deployment-auth.md).
:::

## Should I use organization-level or deployment-level SSO? [organization-deployment-sso]

```{applies_to}
ess: all
ess: ga
```

:::{include} _snippets/org-vs-deploy-sso.md