# Create a cross-cluster API key **POST /_security/cross_cluster/api_key** Create an API key of the `cross_cluster` type for the API key based remote cluster access. A `cross_cluster` API key cannot be used to authenticate through the REST interface. IMPORTANT: To authenticate this request you must use a credential that is not an API key. Even if you use an API key that has the required privilege, the API returns an error. Cross-cluster API keys are created by the Elasticsearch API key service, which is automatically enabled. NOTE: Unlike REST API keys, a cross-cluster API key does not capture permissions of the authenticated user. The API key’s effective permission is exactly as specified with the `access` property. A successful request returns a JSON structure that contains the API key, its unique ID, and its name. If applicable, it also returns expiration information for the API key in milliseconds. By default, API keys never expire. You can specify expiration information when you create the API keys. Cross-cluster API keys can only be updated with the update cross-cluster API key API. Attempting to update them with the update REST API key API or the bulk update REST API keys API will result in an error. ## Required authorization * Cluster privileges: `manage_security` [External documentation](https://www.elastic.co/docs/deploy-manage/remote-clusters/remote-clusters-api-key) ## Servers - http://api.example.com: http://api.example.com () ## Authentication methods - Api key auth - Basic auth - Bearer auth ## Parameters ## Body parameters Content-type: application/json - **access** (object) The access to be granted to this API key. The access is composed of permissions for cross-cluster search and cross-cluster replication. At least one of them must be specified. NOTE: No explicit privileges should be specified for either search or replication access. The creation process automatically converts the access specification to a role descriptor which has relevant privileges assigned accordingly. - **expiration** (string) Expiration time for the API key. By default, API keys never expire. - **metadata** (object) Arbitrary metadata that you want to associate with the API key. It supports nested data structure. Within the metadata object, keys beginning with `_` are reserved for system usage. - **name** (string) Specifies the name for this API key. - **certificate_identity** (string) The certificate identity to associate with this API key. This field is used to restrict the API key to connections authenticated by a specific TLS certificate. The value should match the certificate's distinguished name (DN) pattern. ## Responses ### 200: #### Body Parameters: application/json (object) - **api_key** (string) Generated API key. - **expiration** (number) Expiration in milliseconds for the API key. - **id** (string) Unique ID for this API key. - **name** (string) Specifies the name for this API key. - **encoded** (string) API key credentials which is the base64-encoding of the UTF-8 representation of `id` and `api_key` joined by a colon (`:`). [Powered by Bump.sh](https://bump.sh)