1 year ago · 6fec837e32
--- a/docs/reference/rest-api/security/invalidate-api-keys.asciidoc
+++ b/docs/reference/rest-api/security/invalidate-api-keys.asciidoc
@@ -27,8 +27,11 @@ in one of the three formats:
 
				 [[security-api-invalidate-api-key-desc]]
			
 
				 ==== {api-description-title}
			
 
				 
			
 
				-The API keys created by <<security-api-create-api-key,create API Key>> can be
			
 
				-invalidated using this API.
			
 
				+This API invalidates API keys created by the <<security-api-create-api-key,create API key>> or <<security-api-grant-api-key,grant API key>>
			
 
				+APIs.
			
 
				+Invalidated API keys fail authentication, but they can still be viewed using the
			
 
				+<<security-api-get-api-key,get API key information>> and <<security-api-query-api-key,query API key information>> APIs,
			
 
				+for at least the <<api-key-service-settings-delete-retention-period,configured retention period>>, until they are automatically deleted.
			
 
				 
			
 
				 
			
 
				 [[security-api-invalidate-api-key-request-body]]
			
--- a/docs/reference/settings/security-settings.asciidoc
+++ b/docs/reference/settings/security-settings.asciidoc
@@ -202,11 +202,6 @@ You can set the following API key service settings in
 
				 (<<static-cluster-setting,Static>>)
			
 
				 Set to `false` to disable the built-in API key service. Defaults to `true`.
			
 
				 
			
 
				-`xpack.security.authc.api_key.hashing.algorithm`::
			
 
				-(<<static-cluster-setting,Static>>)
			
 
				-Specifies the hashing algorithm that is used for securing API key credentials.
			
 
				-See <<password-hashing-algorithms>>. Defaults to `pbkdf2`.
			
 
				-
			
 
				 `xpack.security.authc.api_key.cache.ttl`::
			
 
				 (<<static-cluster-setting,Static>>)
			
 
				 The time-to-live for cached API key entries. A API key id and a hash of its
			
@@ -224,6 +219,39 @@ The hashing algorithm that is used for the
 
				 in-memory cached API key credentials. For possible values, see <<cache-hash-algo>>.
			
 
				 Defaults to `ssha256`.
			
 
				 
			
 
				+[[api-key-service-settings-delete-retention-period]]
			
 
				+`xpack.security.authc.api_key.delete.retention_period`::
			
 
				+(<<dynamic-cluster-setting,Dynamic>>)
			
 
				+Invalidated or expired API keys older than the retention period are eligible for deletion.
			
 
				+Defaults to `7d`.
			
 
				+
			
 
				+--
			
 
				+NOTE:  Large real-time clock inconsistency across cluster nodes can cause problems
			
 
				+with evaluating the API key retention period. That is, if the clock on the node 
			
 
				+invalidating the API key is significantly different than the one performing the deletion,
			
 
				+the key may be retained for longer or shorter than the configured retention period.
			
 
				+
			
 
				+--
			
 
				+
			
 
				+`xpack.security.authc.api_key.delete.interval`::
			
 
				+(<<dynamic-cluster-setting,Dynamic>>, Expert)
			
 
				+Cluster nodes schedule the automatic deletion of invalidated or expired API keys
			
 
				+that are older than the retention period.
			
 
				+This setting controls the minimum time interval between two such deletion jobs.
			
 
				+Defaults to `24h`.
			
 
				++
			
 
				+NOTE: This is a low-level setting that currently controls the interval between
			
 
				+deletion jobs triggered per-node, not across the cluster.
			
 
				+
			
 
				+`xpack.security.authc.api_key.delete.timeout`::
			
 
				+(<<static-cluster-setting,Static>>, Expert)
			
 
				+Sets the timeout of the internal search and delete call.
			
 
				+
			
 
				+`xpack.security.authc.api_key.hashing.algorithm`::
			
 
				+(<<static-cluster-setting,Static>>)
			
 
				+Specifies the hashing algorithm that is used for securing API key credentials.
			
 
				+See <<password-hashing-algorithms>>. Defaults to `pbkdf2`.
			
 
				+
			
 
				 [discrete]
			
 
				 [[security-domain-settings]]
			
 
				 ==== Security domain settings