Skip to content

docs(motlp): add Authentication section with ingest API key examples #571

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
alexandra5000 wants to merge 3 commits into
base: main
Choose a base branch
from
+59 −0
Open

docs(motlp): add Authentication section with ingest API key examples #571

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
03050bb
Add Authentication section to mOTLP reference docs
alexandra5000 Mar 26, 2026
b121ca1
Fix broken API link in motlp.md Authentication section
alexandra5000 Mar 27, 2026
d30d1e4
Merge remote-tracking branch 'upstream/main' into motlp-ingest-api-ke…
alexandra5000 Mar 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
59 changes: 59 additions & 0 deletions docs/reference/motlp/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,65 @@ To use the {{ecloud}} {{motlp}} you need the following:

You don't need APM Server when ingesting data through the Managed OTLP Endpoint. The APM integration (`.apm` endpoint) is a legacy ingest path that translates OTLP telemetry to ECS, whereas {{motlp}} natively ingests OTLP data.

## Authentication

The {{motlp}} authenticates clients using {{es}} API keys with the `ingest` application privilege.

:::{note}
The legacy API keys with the `apm` application privilege continue to work for backward compatibility, but they don't support pipeline-scoped access.
:::

### Create an API key for {{motlp}}

You can create an API key from the {{kib}} UI or using the {{es}} [create API key API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key).
Copy link
Copy Markdown
Collaborator Author

@alexandra5000 alexandra5000 Mar 27, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For some reason the typical docs link kept failing? URL works, so I left it like that for now.

Copy link
Copy Markdown
Member

@theletterf theletterf Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's because this is the API docs.


#### Unrestricted key

The following is an example of an API key with access to all pipelines:

```bash
POST /_security/api_key
{
"name": "my-motlp-api-key",
"role_descriptors": {
"motlp_write_role": {
"applications": [
{
"application": "ingest",
"privileges": ["write"],
"resources": ["*"]
}
]
}
}
}
```

#### Pipeline-scoped key
Copy link
Copy Markdown
Member

@theletterf theletterf Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest putting this and the previous section in dropdowns.


The following is an example of an API key restricted to a specific pipeline. You can use one when you want to limit a client, such as an {{product.elastic-agent}} managed by {{product.fleet}}, to ingesting into a single agent policy pipeline:

```bash
POST /_security/api_key
{
"name": "fleet_agent_policy_123-api-key",
"expiration": "1d",
"role_descriptors": {
"motlp_pipeline_write_role": {
"applications": [
{
"application": "ingest",
"privileges": ["write"],
"resources": ["pipeline:.fleet_agent_policy_1"]
}
]
}
}
}
```

The `pipeline:` prefix in the resource name restricts the key to a named pipeline. To grant access to multiple pipelines, list multiple resources in the `resources` array.

## Send data to the Managed OTLP Endpoint

To send data to Elastic through the {{motlp}}, follow the [Send data to the Elastic Cloud Managed OTLP Endpoint](docs-content://solutions/observability/get-started/quickstart-elastic-cloud-otel-endpoint.md) quickstart.
Expand Down
Loading