[[security-api-kibana-enrollment]]
=== Enroll {kib} API
++++
<titleabbrev>Enroll {kib}</titleabbrev>
++++

.New API reference
[sidebar]
--
For the most up-to-date API details, refer to {api-es}/group/endpoint-security[Security APIs].
--

Enables a {kib} instance to configure itself for communication with a secured {es} cluster.

NOTE: This API is currently intended for internal use only by {kib}.

[[security-api-kibana-enrollment-request]]
==== {api-request-title}

`GET /_security/enroll/kibana`

[[security-api-kibana-enrollment-desc]]
==== {api-description-title}

{kib} uses this API internally to configure itself for communications with an
{es} cluster that already has security features enabled.

[[security-api-client-enrollment-examples]]
==== {api-examples-title}

The following example shows how to enroll a {kib} instance.

[source,console]
----
GET /_security/enroll/kibana
----
// TEST[skip:we need to enable HTTP TLS for the docs cluster]

The API returns the following response:

[source,console_result]
----
{
  "token" : {
    "name" : "enroll-process-token-1629123923000", <1>
    "value": "AAEAAWVsYXN0aWM...vZmxlZXQtc2VydmVyL3Rva2VuMTo3TFdaSDZ" <2>
  },
  "http_ca" : "MIIJlAIBAzVoGCSqGSIb3...vsDfsA3UZBAjEPfhubpQysAICAA=", <3>
}
----
<1> The name of the bearer token for the `elastic/kibana` service account.
<2> The value of the bearer token for the `elastic/kibana` service account.
Use this value to {ref}/service-accounts.html#authenticate-with-service-account-token[authenticate the service account] with {es}.
<3> The CA certificate used to sign the node certificates that {es} uses for TLS
on the HTTP layer. The certificate is returned as a Base64 encoded string of the
ASN.1 DER encoding of the certificate.