Authentication not working and mixed docs over the web

This was great for getting a key but it didn't show me how to use it at all in curl ...

https://www.elastic.co/guide/en/beats/metricbeat/current/beats-api-keys.html

Then I find this
https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-create-api-key.html

so, I in kabana console go get my 'id' which is a weird number(why not use the name which I called 'my_api_key' and instead use my weird id which is 'R7IAE3EB20gJv1tBoxY6'????)

and I go to website and type in my id:apikey to be used and tell website encode base 64.

2 questions

  1. WHY are we encoding a string that is already a string in base64? base 64 is to put bytes into a string so you can put in json or some form of a string(this is backwards and should be fixed)

  2. It's not working with header Www-Authenticate: ApiKey {key} in a curl command

curl -H "Www-Authenticate: ApiKey xxxxxxxxxxxxxxxxxxxxxxx1xNHRjeUcyUQ==" https://669691555a414867xxxxxxxxxxxxxx.us-west1.gcp.cloud.es.io:9243

FAILURE doesn't really tell me much on what I should do:
{"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:monitor/main] requires authentication","header":{"WWW-Authenticate":["Bearer realm="security"","ApiKey","Basic realm="security" charset="UTF-8""]}}],"type":"security_exception","reason":"action [cluster:monitor/main] requires authentication","header":{"WWW-Authenticate":["Bearer realm="security"","ApiKey","Basic realm="security" charset="UTF-8""]}},"status":401}

oh and I was going off of this too

which also has the WWW-Authenticate: ApiKey in the response for some reason like I didn't supply that?

Hi, thanks for your feedback!

This is not meant to be a generic API key documentation and thus it shows only how to use the API keys with the metricbeat.

This is the correct reference documentation for creating API keys !

  1. You don't actually "get your 'id'", you create an API key.
  2. The API key has a name, an ID and a value. All serve different purposes, the name ID is something you specify to help you identify the API key, the id is something unique that identifies the API key in the system.

Please don't do that. Your API key is your credentials, don't enter them in arbitrary websites, the same way you wouldn't enter your username and password in there. You can base64 encode it locally with i.e. :

echo -n 'theidhere:theapikeyhere' | base64

This mimics the Authorization header where credentials are base64 encoded to allow for non-HTTP-compatible characters in them. We realize this extra step is cumbersome and we are tracking adding support for this here so that we can return the base64 encoded string directly when you create the API key.

The header name is Authorization , not Www-Authenticate, it's shown in the example in the docs you referenced above too, the correct call is :

curl -H 'Authorization: ApiKey xxxxxxxxxxxxxxxxxxxxxxx1xNHRjeUcyUQ==' https://669691555a414867xxxxxxxxxxxxxx.us-west1.gcp.cloud.es.io:9243

Www-Authenticate is a response header , not a request header, and Elasticsearch is using that to tell you what kind of authentication schemes you can use.