The Kibana REST API enables programmatic management of Kibana resources including spaces, saved objects, dashboards, data views, connectors, rules, and configuration. The API is stateless and uses standard HTTP verbs (GET, POST, PUT, DELETE) returning JSON responses, making it well suited for automation, CI/CD pipelines, and integrating Kibana with external systems.
openapi: 3.0.3
info:
contact:
name: Kibana Team
description: |
The Kibana REST APIs enable you to manage resources such as connectors, data views, and saved objects.
The API calls are stateless.
Each request that you make happens in isolation from other calls and must include all of the necessary information for Kibana to fulfill the
request.
API requests return JSON output, which is a format that is machine-readable and works well for automation.
To interact with Kibana APIs, use the following operations:
- GET: Fetches the information.
- PATCH: Applies partial modifications to the existing information.
- POST: Adds new information.
- PUT: Updates the existing information.
- DELETE: Removes the information.
You can prepend any Kibana API endpoint with `kbn:` and run the request in **Dev Tools → Console**.
For example:
```
GET kbn:/api/data_views
```
For more information about the console, refer to [Run API requests](https://www.elastic.co/docs/explore-analyze/query-filter/tools/console).
NOTE: Access to internal Kibana API endpoints will be restricted in Kibana version 9.0. Please move any integrations to publicly documented APIs.
## Documentation source and versions
This documentation is derived from the `main` branch of the [kibana](https://github.com/elastic/kibana) repository.
It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 International](https://creativecommons.org/licenses/by-nc-nd/4.0/).
This documentation contains work-in-progress information for future Elastic Stack releases.
title: Kibana APIs
version: ''
x-doc-license:
name: Attribution-NonCommercial-NoDerivatives 4.0 International
url: https://creativecommons.org/licenses/by-nc-nd/4.0/
x-feedbackLink:
label: Feedback
url: https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+
servers:
- url: https://{kibana_url}
variables:
kibana_url:
default: localhost:5601
security:
- apiKeyAuth: []
- basicAuth: []
tags:
- name: agent builder
description: |
Agent Builder is a set of AI-powered capabilities for developing and interacting with agents that work with your Elasticsearch data.
Most users will probably want to integrate with Agent Builder using MCP or A2A, but you can also work programmatically with tools, agents, and conversations using these Kibana APIs.
**Elastic Agent Builder requires an Enterprise subscription.**
externalDocs:
description: Agent Builder docs
url: https://www.elastic.co/docs/solutions/search/agent-builder/programmatic-access
x-displayName: Agent Builder
- name: alerting
description: |
Alerting enables you to define rules, which detect complex conditions within your data. When a condition is met, the rule tracks it as an alert and runs the actions that are defined in the rule. Actions typically involve the use of connectors to interact with Kibana services or third party integrations.
externalDocs:
description: Alerting documentation
url: https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts
x-displayName: Alerting
- description: |
Adjust APM agent configuration without need to redeploy your application.
name: APM agent configuration
- description: |
Configure APM agent keys to authorize requests from APM agents to the APM Server.
name: APM agent keys
- description: |
Annotate visualizations in the APM app with significant events. Annotations enable you to easily see how events are impacting the performance of your applications.
name: APM annotations
- description: Create APM fleet server schema.
name: APM server schema
- description: |
Configure APM source maps. A source map allows minified files to be mapped back to original source code--allowing you to maintain the speed advantage of minified code, without losing the ability to quickly and easily debug your application.
For best results, uploading source maps should become a part of your deployment procedure, and not something you only do when you see unhelpful errors. That's because uploading source maps after errors happen won't make old errors magically readable--errors must occur again for source mapping to occur.
name: APM sourcemaps
- description: |
Cases are used to open and track issues. You can add assignees and tags to your cases, set their severity and status, and add alerts, comments, and visualizations. You can also send cases to external incident management systems by configuring connectors.
name: cases
externalDocs:
description: Cases documentation
url: https://www.elastic.co/docs/explore-analyze/alerts-cases/cases
x-displayName: Cases
- name: connectors
description: |
Connectors provide a central place to store connection information for services and integrations with Elastic or third party systems. Alerting rules can use connectors to run actions when rule conditions are met.
externalDocs:
description: Connector documentation
url: https://www.elastic.co/docs/reference/kibana/connectors-kibana
x-displayName: Connectors
- name: Data streams
description: |
Data stream APIs enable you to manage data streams, which are collections of indices that share the same index template and are managed as a single unit for time-series data.
x-displayName: Data streams
- description: Data view APIs enable you to manage data views, formerly known as Kibana index patterns.
name: data views
x-displayName: Data views
- name: Elastic Agent actions
description: |
Elastic Agent actions APIs enable you to manage actions performed on Elastic Agents, including agent reassignment, diagnostics collection, enrollment management, upgrades, and bulk operations for agent lifecycle management.
x-displayName: Elastic Agent actions
- name: Elastic Agent binary download sources
description: |
Elastic Agent binary download sources APIs enable you to manage download sources for Elastic Agent binaries, including creating, updating, and deleting custom download sources for agent binaries.
x-displayName: Elastic Agent binary download sources
- name: Elastic Agent policies
description: |
Elastic Agent policies APIs enable you to manage agent policies, including creating, updating, and deleting policies, as well as to retrieve agent policy outputs, manifests, and auto-upgrade status information.
x-displayName: Elastic Agent policies
- name: Elastic Agent status
description: |
Enables you to retrieve status information about Elastic Agents, including health summaries and operational status.
x-displayName: Elastic Agent status
- name: Elastic Agents
description: |
Elastic Agents APIs enable you to manage Elastic Agents, including retrieving agent information, managing agent lifecycle, handling file uploads, and initiating agent setup.
x-displayName: Elastic Agents
- name: Elastic Package Manager (EPM)
description: |
Elastic Package Manager (EPM) APIs enable you to manage packages and integrations, including installing, updating, and uninstalling packages, managing custom integrations, and handling package assets.
x-displayName: Elastic Package Manager (EPM)
- name: Fleet agentless policies
- name: Fleet cloud connectors
description: |
Fleet cloud connectors APIs enable you to manage Fleet cloud connectors, including creating, updating, and deleting cloud connector configurations for Fleet integrations.
x-displayName: Fleet cloud connectors
- name: Fleet enrollment API keys
description: |
Fleet enrollment API keys APIs enable you to manage enrollment API keys for Fleet, including creating, retrieving, and revoking API keys used for agent enrollment.
x-displayName: Fleet enrollment API keys
- name: Fleet internals
description: |
Fleet internals APIs enable you to manage Fleet internal operations, including checking permissions, monitoring Fleet Server health, managing settings, and initiating Fleet setup.
x-displayName: Fleet internals
- name: Fleet outputs
description: |
Fleet outputs APIs enable you to manage Fleet outputs, including creating, updating, and deleting output configurations, generating Logstash API keys, and monitoring output health.
x-displayName: Fleet outputs
- name: Fleet package policies
description: |
Fleet package policies APIs enable you to manage Fleet package policies, including creating, updating, and deleting policies, performing bulk operations, and managing policy upgrades.
x-displayName: Fleet package policies
- name: Fleet proxies
description: |
Fleet proxies APIs enable you to manage Fleet proxies, including creating, updating, and deleting proxy configurations for Fleet agent communication.
x-displayName: Fleet proxies
- name: Fleet remote synced integrations
description: |
Use the Fleet remote synced integrations API to check the status of the automatic integrations synchronization on a remote cluster:
* Use the `/api/fleet/remote_synced_integrations/{outputId}/remote_status` endpoint on the management cluster to query the synchronization status of the integrations installed on the remote cluster by the ID of the configured remote Elasticsearch output.
* Use the `/api/fleet/remote_synced_integrations/status` endpoint on the remote cluster to query the synchronization status of the installed integrations.
externalDocs:
description: Automatic integrations synchronization documentation
url: https://www.elastic.co/docs/reference/fleet/automatic-integrations-synchronization
- name: Fleet Server hosts
description: |
Fleet Server hosts APIs enable you to manage Fleet Server hosts, including creating, updating, and deleting Fleet Server host configurations.
x-displayName: Fleet Server hosts
- name: Fleet service tokens
description: |
Enables you to create tokens for Fleet service authentication and authorization.
x-displayName: Fleet service tokens
- name: Fleet uninstall tokens
description: |
Fleet uninstall tokens APIs enable you to manage Fleet uninstall tokens, including retrieving metadata and decrypted tokens for agent uninstallation.
x-displayName: Fleet uninstall tokens
- description: |
Programmatically integrate with Logstash configuration management.
> warn
> Do not directly access the `.logstash` index. The structure of the `.logstash` index is subject to change, which could cause your integration to break. Instead, use the Logstash configuration management APIs.
externalDocs:
description: Centralized pipeline management
url: https://www.elastic.co/docs/reference/logstash/logstash-centralized-pipeline-management
name: logstash
x-displayName: Logstash configuration management
- name: maintenance-window
description: |
You can schedule single or recurring maintenance windows to temporarily reduce rule notifications. For example, a maintenance window prevents false alarms during planned outages.
externalDocs:
description: Maintenance window documentation
url: https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts/maintenance-windows
x-displayName: Maintenance windows
- name: Message Signing Service
description: |
Enables you to rotate message signing key pairs for secure Fleet communication.
x-displayName: Fleet Message Signing Service
- description: |
Enables you to synchronize machine learning saved objects.
name: ml
x-displayName: Machine learning
- description: Interact with the Observability AI Assistant resources.
externalDocs:
description: Observability AI Assistant
url: https://www.elastic.co/docs/solutions/observability/observability-ai-assistant
name: observability_ai_assistant
x-displayName: Observability AI Assistant
- name: roles
x-displayName: Roles
description: Manage the roles that grant Elasticsearch and Kibana privileges.
externalDocs:
description: Kibana role management
url: https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles
- name: saved objects
x-displayName: Saved objects
description: |
Export sets of saved objects that you want to import into Kibana, resolve import errors, and rotate an encryption key for encrypted saved objects with the saved objects APIs.
To manage a specific type of saved object, use the corresponding APIs.
For example, use:
* [Data views](../group/endpoint-data-views)
* [Spaces](../group/endpoint-spaces)
* [Short URLs](../group/endpoint-short-url)
Warning: Do not write documents directly to the `.kibana` index. When you write directly to the `.kibana` index, the data becomes corrupted and permanently breaks future Kibana versions.
- description: Manage and interact with Security Assistant resources.
name: Security AI Assistant API
x-displayName: Security AI assistant
- description: Use the Attack discovery APIs to generate and manage Attack discoveries. Attack Discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible.
name: Security Attack discovery API
x-displayName: Security Attack discovery
- description: |
Use the detections APIs to create and manage detection rules. Detection rules search events and external alerts sent to Elastic Security and generate detection alerts from any hits. Alerts are displayed on the **Alerts** page and can be assigned and triaged, using the alert status to mark them as open, closed, or acknowledged.
This API supports both key-based authentication and basic authentication.
To use key-based authentication, create an API key, then specify the key in the header of your API calls.
To use basic authentication, provide a username and password; this automatically creates an API key that matches the current user’s privileges.
In both cases, the API key is subsequently used for authorization when the rule runs.
> warn
> If the API key used for authorization has different privileges than the key that created or most recently updated a rule, the rule behavior might change.
> If the API key that created a rule is deleted, or the user that created the rule becomes inactive, the rule will stop running.
To create and run rules, the user must meet specific requirements for the Kibana space. Refer to the [Detections requirements](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html) for a complete list of requirements.
name: Security Detections API
x-displayName: Security detections
- description: Endpoint Exceptions API allows you to manage detection rule endpoint exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met.
name: Security Endpoint Exceptions API
x-displayName: Security Elastic Endpoint exceptions
- description: Interact with and manage endpoints running the Elastic Defend integration.
name: Security Endpoint Management API
x-displayName: Security endpoint management
- description: |
Use the Security entity analytics APIs to manage entity analytics and risk scoring, including asset criticality, privileged user monitoring, and entity engines.
name: Security Entity Analytics API
x-displayName: Security entity analytics
- name: Security entity store
- description: |
Exceptions are associated with detection and endpoint rules, and are used to prevent a rule from generating an alert from incoming events, even when the rule's other criteria are met. They can help reduce the number of false positives and prevent trusted processes and network activity from generating unnecessary alerts.
Exceptions are made up of:
* **Exception containers**: A container for related exceptions. Generally, a single exception container contains all the exception items relevant for a subset of rules. For example, a container can be used to group together network-related exceptions that are relevant for a large number of network rules. The container can then be associated with all the relevant rules.
* **Exception items**: The query (fields, values, and logic) used to prevent rules from generating alerts. When an exception item's query evaluates to `true`, the rule does not generate an alert.
For detection rules, you can also use lists to define rule exceptions. A list holds multiple values of the same Elasticsearch data type, such as IP addresses. These values are used to determine when an exception prevents an alert from being generated.
> info
> You cannot use lists with endpoint rule exceptions.
> info
> Only exception containers can be associated with rules. You cannot directly associate an exception item or a list container with a rule. To use list exceptions, create an exception item that references the relevant list container.
## Exceptions requirements
Before you can start working with exceptions that use value lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. For a complete list of requirements, refer to [Enable and access detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui).
name: Security Exceptions API
x-displayName: Security exceptions
- description: |
Lists can be used with detection rule exceptions to define values that prevent a rule from generating alerts.
Lists are made up of:
* **List containers**: A container for values of the same Elasticsearch data type. The following data types can be used:
* `boolean`
* `byte`
* `date`
* `date_nanos`
* `date_range`
* `double`
* `double_range`
* `float`
* `float_range`
* `half_float`
* `integer`
* `integer_range`
* `ip`
* `ip_range`
* `keyword`
* `long`
* `long_range`
* `short`
* `text`
* **List items**: The values used to determine whether the exception prevents an alert from being generated.
All list items in the same list container must be of the same data type, and each item defines a single value. For example, an IP list container named `internal-ip-addresses-southport` contains five items, where each item defines one internal IP address:
1. `192.168.1.1`
2. `192.168.1.3`
3. `192.168.1.18`
4. `192.168.1.12`
5. `192.168.1.7`
To use these IP addresses as values for defining rule exceptions, use the Security exceptions API to [create an exception list item](../operation/operation-createexceptionlistitem) that references the `internal-ip-addresses-southport` list.
> info
> Lists cannot be added directly to rules, nor do they define the operators used to determine when exceptions are applied (`is in list`, `is not in list`). Use an exception item to define the operator and associate it with an [exception container](../operation/operation-createexceptionlist). You can then add the exception container to a rule's `exceptions_list` object.
## Lists requirements
Before you can start using lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. Refer to [Enable and access detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui) for a complete list of requirements.
name: Security Lists API
x-displayName: Security lists
- description: Run live queries, manage packs and saved queries.
name: Security Osquery API
x-displayName: Security Osquery
- description: You can create Timelines and Timeline templates via the API, as well as import new Timelines from an ndjson file.
name: Security Timeline API
x-displayName: Security timeline
- description: Manage Kibana short URLs.
name: short url
x-displayName: Short URLs
- description: SLO APIs enable you to define, manage and track service-level objectives
name: slo
x-displayName: Service level objectives
- name: spaces
x-displayName: Spaces
description: Manage your Kibana spaces.
externalDocs:
url: https://www.elastic.co/docs/deploy-manage/manage-spaces
description: Space overview
- name: streams
description: |
Streams provide a unified data management layer for ingestion, routing, and processing. There are three stream types:
* **Wired** streams are managed by Kibana. They route documents to child streams based on
field conditions and support custom field mappings and processing steps.
* **Classic** streams map to existing Elasticsearch data streams. You can add processing
steps to classic streams without changing their underlying index template.
* **Query** streams are virtual aggregations backed by an ES|QL expression. They aggregate
data from multiple streams into a single logical view without duplicating documents.
x-displayName: Streams
externalDocs:
description: Streams documentation
url: https://www.elastic.co/docs/solutions/observability/streams
- name: synthetics
x-displayName: Synthetics
description: Synthetics APIs enable you to check the status of your services and applications.
externalDocs:
description: Synthetic monitoring
url: https://www.elastic.co/docs/solutions/observability/synthetics
- name: system
x-displayName: System
description: |
Get information about the system status, resource usage, features, and installed plugins.
- description: Task manager APIs enable you to check the health of the Kibana task manager, which is used by features such as alerting, actions, and reporting to run mission critical work as persistent background tasks.
externalDocs:
description: Task manager
url: https://www.elastic.co/docs/deploy-manage/distributed-architecture/kibana-tasks-management
name: task manager
x-displayName: Task manager
- description: |
The Kibana Upgrade Assistant API helps you prepare for the next major Elasticsearch release.
> warn
> This is a Kibana REST API (not an Elasticsearch API) and requests must target your Kibana URL:
> * Self-managed URL pattern: `https://localhost:5601`
> * Elastic Cloud URL pattern: `https://your-deployment.kb.us-east-1.aws.elastic.cloud:9243`
name: upgrade
x-displayName: Upgrade assistant
- description: Uptime APIs enable you to view and update uptime monitoring settings.
externalDocs:
description: Uptime monitoring
url: https://www.elastic.co/docs/solutions/observability/uptime
name: uptime
x-displayName: Uptime
- name: user session
x-displayName: User session management
description: |
Enables you to invalidate user sessions for security and session management purposes.
- name: workflows
description: |
Workflows enable you to automate multi-step processes directly in Kibana. Define sequences of steps in YAML to transform data insights into automated actions and outcomes, without needing external automation tools.
Use the workflows APIs to create, manage, and run workflows programmatically. You can also search, export, import, and monitor workflow executions.
externalDocs:
description: Workflows documentation
url: https://www.elastic.co/docs/explore-analyze/workflows
x-displayName: Workflows
paths:
/api/actions/connector_types:
get:
description: |-
**Spaces method and path for this operation:**
<div><span class="operation-verb get">get</span> <span class="operation-path">/s/{space_id}/api/actions/connector_types</span></div>
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
You do not need any Kibana feature privileges to run this API.
operationId: get-actions-connector-types
parameters:
- description: A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases).
in: query
name: feature_id
required: false
schema:
type: string
responses:
'200':
content:
application/json:
schema:
items:
additionalProperties: false
type: object
properties:
allow_multiple_system_actions:
description: Indicates whether multiple instances of the same system action connector can be used in a single rule.
type: boolean
enabled:
description: Indicates whether the connector is enabled.
type: boolean
enabled_in_config:
description: Indicates whether the connector is enabled in the Kibana configuration.
type: boolean
enabled_in_license:
description: Indicates whether the connector is enabled through the license.
type: boolean
id:
description: The identifier for the connector.
type: string
is_deprecated:
description: Indicates whether the connector type is deprecated.
type: boolean
is_system_action_type:
description: Indicates whether the action is a system action.
type: boolean
minimum_license_required:
description: The minimum license required to enable the connector.
enum:
- basic
- standard
- gold
- platinum
- enterprise
- trial
type: string
name:
description: The name of the connector type.
type: string
source:
description: The source of the connector type definition.
enum:
- yml
- spec
- stack
type: string
sub_feature:
description: Indicates the sub-feature type the connector is grouped under.
enum:
- endpointSecurity
type: string
supported_feature_ids:
description: The list of supported features
items:
type: string
type: array
required:
- id
- name
- enabled
- enabled_in_config
- enabled_in_license
- minimum_license_required
- supported_feature_ids
- is_system_action_type
- is_deprecated
- source
type: array
examples:
getConnectorTypesServerlessResponse:
$ref: '#/components/examples/get_connector_types_generativeai_response'
description: Indicates a successful call.
'403':
description: Indicates that this call is forbidden.
summary: Get connector types
tags:
- connectors
x-metaTags:
- content: Kibana
name: product_name
/api/actions/connector/_oauth_callback:
get:
description: |-
**Spaces method and path for this operation:**
<div><span class="operation-verb get">get</span> <span class="operation-path">/s/{space_id}/api/actions/connector/_oauth_callback</span></div>
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Handles the OAuth 2.0 authorization code callback from external providers. Exchanges the authorization code for access and refresh tokens.<br/><br/>[Required authorization] Route required privileges: actions:oauth.
operationId: get-actions-connector-oauth-callback
parameters:
- description: The authorization code returned by the OAuth provider.
in: query
name: code
required: false
schema:
type: string
- description: The state parameter for CSRF protection.
in: query
name: state
required: false
schema:
type: string
- description: Error code if the authorization failed.
in: query
name: error
required: false
schema:
type: string
- description: Human-readable error description.
in: query
name: error_description
required: false
schema:
type: string
- description: Session state from the OAuth provider (e.g., Microsoft).
in: query
name: session_state
required: false
schema:
type: string
responses:
'200':
description: Returns an HTML callback page.
'302':
description: Redirects to the return URL with authorization result query parameters.
'401':
description: User is not authenticated.
summary: Handle OAuth callback
tags:
- connectors
x-state: Added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/actions/connector/_oauth_callback_script:
get:
description: |-
**Spaces method and path for this operation:**
<div><span class="operation-verb get">get</span> <span class="operation-path">/s/{space_id}/api/actions/connector/_oauth_callback_script</span></div>
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Returns the OAuth callback script
operationId: get-actions-connector-oauth-callback-script
parameters: []
responses:
'200':
description: Returns the OAuth callback script
summary: ''
tags: []
x-state: Added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/actions/connector/{id}:
delete:
description: |-
**Spaces method and path for this operation:**
<div><span class="operation-verb delete">delete</span> <span class="operation-path">/s/{space_id}/api/actions/connector/{id}</span></div>
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
WARNING: When you delete a connector, it cannot be recovered.
operationId: delete-actions-connector-id
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: An identifier for the connector.
in: path
name: id
required: true
schema:
type: string
responses:
'204':
description: Indicates a successful call.
'403':
description:
# --- truncated at 32 KB (5482 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/kibana/refs/heads/main/openapi/kibana-openapi-original.yml