Hi @susi_pogba
Welcome to the community.
Others can chime in, but in general it's not a best practice to allow direct authentication from a client or mobile app directly to your data store / data API, whether that data store is Elasticsearch, Oracle, MySQL, MongoDB, etc.
Typically you would have an API gateway or a microservice layer that handles your end user's authentication, authorization and session management. Then that microservice, or another service like a data access service, would actually authenticate and make the calls to the data store, so that the data store is isolated from the end user / client app. This is how you isolate SQL/query injection and other security concerns.
Hope that helps a bit.
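
The layering described in the reply above, as an added sketch that is not part of the original post: a data access function verifies the caller's session, then builds the Elasticsearch query body itself, so the client never holds data store credentials and never supplies query structure. The signing key, the field names (`title`, `owner_id`, `created_at`) and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import json

# Constructed demo values; in a real deployment these exist only on the server.
SESSION_KEY = b"demo-session-signing-key"  # hypothetical secret held by the service
ALLOWED_SORT = {"created_at", "title"}     # assumed fields a client may sort by
MAX_PAGE_SIZE = 50


def _sign(user_id: str) -> str:
    return hmac.new(SESSION_KEY, user_id.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: str) -> str:
    """Stand-in for the session the gateway issues after a successful login."""
    return f"{user_id}.{_sign(user_id)}"


def authenticate(token: str) -> str:
    """Return the user id if the token signature verifies, else raise."""
    user_id, _, mac = token.rpartition(".")
    if not user_id or not hmac.compare_digest(mac.encode(), _sign(user_id).encode()):
        raise PermissionError("invalid session token")
    return user_id


def build_search(token: str, params: dict) -> dict:
    """Translate client parameters into a query body the service controls."""
    user_id = authenticate(token)
    sort = params.get("sort", "created_at")
    if sort not in ALLOWED_SORT:
        raise ValueError("unsupported sort field")
    size = min(max(int(params.get("size", 10)), 1), MAX_PAGE_SIZE)
    return {
        "size": size,
        "sort": [{sort: "desc"}],
        "query": {"bool": {
            # Client text is only ever a match value, never query structure.
            "must": [{"match": {"title": str(params.get("q", ""))[:200]}}],
            # Authorization filter comes from the verified identity, not the client.
            "filter": [{"term": {"owner_id": user_id}}],
        }},
    }


if __name__ == "__main__":
    body = build_search(issue_token("alice"), {"q": "report", "size": 500})
    print(json.dumps(body, indent=2))  # this body is what the service sends to the data store
```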