Enrollment Token deletion

I'm struggling to delete old enrollment tokens under: Kibana -> Fleet -> Enrollment Tokens

Neither in the UI nor via the API am I able to delete them.
In the UI they are just flagged as inactive, and via the API "api/v1/platform/configuration/security/enrollment-tokens/" I always receive a 404.

Does anybody know how I can delete the old tokens so that they are no longer visible in the UI?

Best regards


Hi @FabianEidner Welcome to the Community.

As far as I can see there is no API to delete revoked enrollment tokens. The Fleet API is fairly new, but it may be for a design reason that I am unaware of...

This should work... it does for me, BUT it is a Kibana API, so if you want to run it from Kibana -> Dev Tools:

GET kbn:api/fleet/enrollment_api_keys

That kbn says run the Kibana API, not the default Elasticsearch endpoint.


{
  "list": [
    {
      "id": "d6f28b60-af85-467c-95ae-8c80004be22f",
      "active": false,
      "api_key_id": "JdcYB4UBeQ07SZYpp2KR",
      "api_key": "SmRjWUI0VUJlUTA3U1pZcHAyS1I6aFVPQWJUR25TaVdET2l2R2NhcnhJdw==",
      "name": "test-policy-to-delete (d6f28b60-af85-467c-95ae-8c80004be22f)",
      "policy_id": "26ee3b10-f3e5-11ec-9d53-bf3420b4ec75",
      "created_at": "2022-12-12T16:08:55.233Z"
    },
    {
      "id": "b6784aa6-853a-4e72-9853-5e8a0b6328c2",
      "active": true,
      "api_key_id": "_Nz0coQBq24Jqo2-zNbX",
      "api_key": "X056MGNvUUJxMjRKcW8yLXpOYlg6N0dna2VPY2JReWUzUU1kaEpHYVZHUQ==",
      "name": "Default (b6784aa6-853a-4e72-9853-5e8a0b6328c2)",
      "policy_id": "8d6a37f0-639c-11ed-a8ff-cbf0d36ff2a1",
      "created_at": "2022-11-13T21:45:57.693Z"
    }
  ]
}

If you run from curl / command line then you need to run the Kibana API per the docs against the Kibana endpoint (not the Elasticsearch endpoint); see here. You can use basic auth too.

curl --request GET \
  --url 'https://my-kibana-host:9243/api/fleet/enrollment_api_keys' \
  --header 'Authorization: ApiKey N2VLRDA0TUJIQ05MaGYydUZrN1Y6d2diMUdwSkRTWGFlSm1rSVZlc2JGQQ==' \
  --header 'Content-Type: application/json' \
  --header 'kbn-xsrf: true'

Hi @stephenb ,
Thank you for the reply. Yes, the GET is working. I did try a DELETE because I would like to delete the old tokens which are no longer usable.

Regarding the documentation: Delete enrollment token | Elastic Cloud Enterprise Reference [2.3] | Elastic

A DELETE should be possible as well; sadly I always get 404 :frowning:

Best regards

That is not the correct API ...

That is a completely separate API / capability about adding / enrolling new servers into an Elastic Cloud Enterprise environment... Are you running Elastic Cloud Enterprise? I suspect not; you would know if you were.

What are you running, Self Managed or Elastic Cloud?

That API has nothing to do with Fleet / Agent Enrollment Tokens, similar names etc but not Fleet / Agent.

The only Fleet APIs are here:


Hi @stephenb,
Ah okay, maybe I read the wrong docs. But in the docs provided by you there is a Swagger documentation linked which does show a GET and a DELETE for the enrollment API keys.
When I try to use the path provided by Swagger I receive a:

    "error": "no handler found for uri [/api/fleet/enrollment-api-keys] and method [GET]"


Is there a way in the UI to check which API URL to use? Maybe the API URL I use is wrong.


Awesome!! I did not see that so I just ran this

From Kibana - Dev Tools I just ran

DELETE kbn:api/fleet/enrollment_api_keys/d6f28b60-af85-467c-95ae-8c80004be22f

And it Worked,

  "action": "deleted"

So Today I Learned from You!

So that API IS Valid and does work...

So the DELETE Curl would be something like

curl --request DELETE \
  --url 'https://my-kibana-host:9243/api/fleet/enrollment_api_keys/d6f28b60-af85-467c-95ae-8c80004be22f' \
  --header 'Authorization: ApiKey N2VLRDA0TUJIQ05MaGYydUZrN1Y6d2diMUdwSkRTWGFlSm1rSVZlc2JGQQ==' \
  --header 'Content-Type: application/json' \
  --header 'kbn-xsrf: true'

Show me EXACTLY how you are running the command... from what tool? from Kibana? From Curl, From some other tool ... the APIs work ... you just showed me :slight_smile:

I tested Postman it worked too!


Hi @stephenb,
Yes, this is working for me as well in the Dev Tools, thank you very much.
I only need to figure out why it won't work via Postman :slight_smile:

I bet I have the wrong URL but I will figure it out!

Thank you very much!

Make sure you set those AND you are pointing to Kibana not Elasticsearch

Kibana APIs must point to Kibana: the Kibana endpoint is whatever you have your browser pointed to for Kibana.
All the Elasticsearch APIs point to Elasticsearch... that is a common problem.


Hi @stephenb ,
I tried it now multiple times; the response says "deleted" but it is still visible in the UI :frowning:

It is also strange that when I execute the query multiple times for the same key ID it always returns with "deleted" 200 :frowning:

Looks broken to me :frowning:

So the call can be executed in the DEV Tools but it does not do anything sadly.
But still thanks a lot for the help.
I think I will open a bug ticket. :slight_smile:

Yup I see the same thing... I learned more :slight_smile:

Yes Open a ticket BUT... I suspect support is going to tell you this about the API

Kibana Fleet APIs

This functionality is in technical preview and may be changed or removed in a future release. Elastic will apply best effort to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

But I would submit it anyways so it shows up as a Bug.

And only Revoke is supported in the UI today, not Delete, so that is supported. I suspect the Delete will come in the future...

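The list, delete and re-check sequence discussed across this thread, as an added example that is not part of any post and not Elastic's own code: it builds the same requests as the curl commands above against the Kibana endpoint, deletes every token flagged inactive, and then lists again to see which of them are still returned. The function names, the `SAMPLE` data and the reliance on the `list` field of the GET response (as in the output quoted above) are assumptions of this example.

```python
import json
import urllib.request

# Path as used in the working calls in the thread (underscores).
FLEET_KEYS_PATH = "/api/fleet/enrollment_api_keys"

# Constructed sample of a GET response body, shaped like the output quoted in the thread.
SAMPLE = {"list": [
    {"id": "constructed-id-1", "active": False, "name": "old-policy"},
    {"id": "constructed-id-2", "active": True, "name": "Default"},
]}


def fleet_request(kibana_url, api_key, method="GET", token_id=None):
    """Build a request for the Kibana endpoint (not the Elasticsearch endpoint)."""
    url = kibana_url.rstrip("/") + FLEET_KEYS_PATH
    if token_id:
        url += "/" + token_id
    headers = {
        "Authorization": "ApiKey " + api_key,
        "Content-Type": "application/json",
        "kbn-xsrf": "true",  # header sent by the curl commands in the thread
    }
    return urllib.request.Request(url, method=method, headers=headers)


def inactive_ids(listing):
    """Ids of tokens flagged "active": false (revoked) in a listing."""
    return [t["id"] for t in listing.get("list", []) if t.get("active") is False]


def still_listed(deleted_ids, listing_after):
    """Ids that a follow-up GET still returns, i.e. deletes that did not take effect."""
    present = {t["id"] for t in listing_after.get("list", [])}
    return sorted(present & set(deleted_ids))


def call(req):
    """Send the request and decode the JSON body; HTTP errors (e.g. 404) raise."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def purge_inactive(kibana_url, api_key):
    """Delete every inactive token, then re-list and report any that remain visible."""
    targets = inactive_ids(call(fleet_request(kibana_url, api_key)))
    for token_id in targets:
        call(fleet_request(kibana_url, api_key, "DELETE", token_id))
    return still_listed(targets, call(fleet_request(kibana_url, api_key)))
```

A non-empty return value from `purge_inactive` corresponds to the behaviour reported above, where the DELETE answers "deleted" but the token is still listed.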
