elastic · colleenmcginnis · Apr 9, 2025 · Apr 4, 2025 · Apr 4, 2025 · Apr 4, 2025
@@ -1,4 +1,4 @@
 project: 'Elastic documentation'
 max_toc_depth: 2

 features:
@@ -277,3 +277,4 @@
   release-date: "2-April-2025"
   heroku: "Elasticsearch Add-on for Heroku"
   obs-ai-assistant: "Elastic AI Assistant for Observability and Search"
+  apm-server-or-mis: "APM Server or the managed intake service"
@@ -1,9 +1,11 @@
 ---
+navigation_title: "Applications and services"
 mapped_pages:
   - https://www.elastic.co/guide/en/serverless/current/application-and-service-monitoring.html
   - https://www.elastic.co/guide/en/observability/current/application-and-service-monitoring.html
-
-navigation_title: "Applications and services"
+applies_to:
+  stack:
+  serverless:
 ---
 
 # Application and service monitoring [application-and-service-monitoring]
@@ -15,9 +17,9 @@ Explore the topics in this section to learn how to observe and monitor software
 
 |     |     |
 | --- | --- |
-| [LLM Observability](../../solutions/observability/apps/llm-observability.md) | Monitor LLM-powered applications to keep them reliable, efficient, cost-effective, and easy to troubleshoot.|
-| [Application performance monitoring (APM)](../../solutions/observability/apps/application-performance-monitoring-apm.md) | Monitor software services and applications in real time, by collecting detailed performance information on response time for incoming requests, database queries, calls to caches, external HTTP requests, and more. |
-| [Synthetic monitoring](../../solutions/observability/apps/synthetic-monitoring.md) | Monitor the availability of network endpoints and services. |
-| [Real user monitoring](../../solutions/observability/apps/real-user-monitoring-user-experience.md) | Quantify and analyze the perceived performance of your web application using real-world user experiences. |
-| [Uptime monitoring (deprecated)](../../solutions/observability/apps/uptime-monitoring-deprecated.md) | Periodically check the status of your services and applications. |
-| [Tutorial: Monitor a Java application](../../solutions/observability/apps/tutorial-monitor-java-application.md) | Monitor a Java application using Elastic Observability: Logs, Infrastructure metrics, APM, and Uptime. |
+| [LLM Observability](/solutions/observability/apps/llm-observability.md) | Monitor LLM-powered applications to keep them reliable, efficient, cost-effective, and easy to troubleshoot.|
+| [Application performance monitoring (APM)](/solutions/observability/apps/application-performance-monitoring-apm.md) | Monitor software services and applications in real time, by collecting detailed performance information on response time for incoming requests, database queries, calls to caches, external HTTP requests, and more. |
+| [Synthetic monitoring](/solutions/observability/apps/synthetic-monitoring.md) | Monitor the availability of network endpoints and services. |
+| [Real user monitoring](/solutions/observability/apps/real-user-monitoring-user-experience.md) | Quantify and analyze the perceived performance of your web application using real-world user experiences. |
+| [Uptime monitoring (deprecated)](/solutions/observability/apps/uptime-monitoring-deprecated.md) | Periodically check the status of your services and applications. |
+| [Tutorial: Monitor a Java application](/solutions/observability/apps/tutorial-monitor-java-application.md) | Monitor a Java application using Elastic Observability: Logs, Infrastructure metrics, APM, and Uptime. |
@@ -0,0 +1,3 @@
+:::{admonition} APM Server vs managed intake service
+In {{ech}}, the _APM Server_ receives data from Elastic APM agents and transforms it into Elasticsearch documents. In {{serverless-full}} there is in fact no APM Server running, instead the _managed intake service_ receives and transforms data.
+:::
@@ -10,7 +10,6 @@ applies_to:
 
 # Act on application data
 
-
 In addition to exploring visualizations in the Applications UI in {{kib}}, you can make your application data more actionable with:
 
 |     |     |

@@ -18,7 +18,6 @@ To access this page, go to **{{observability}} > Uptime > Monitors**. Click on a
 
 The monitor detail screen displays several panels of information.
 
-
 ## Status panel [uptime-status-panel]
 
 The **Status** panel displays a summary of the latest information regarding your monitor. You can view its availability, monitor ID, type, and any assigned tags. You can click a link to visit the targeted URL, view when the TLS certificate expires, and determine the amount of time elapsed since the last check.
@@ -32,7 +31,6 @@ The **Monitoring from** list displays service availability per monitoring locati
 
 To display a map with each location as a pinpoint, you can toggle the availability view from list view to map view.
 
-
 ## Monitor duration [uptime-monitor-duration]
 
 The **Monitor duration** chart displays the timing for each check that was performed. The visualization helps you to gain insights into how quickly requests resolve by the targeted endpoint and give you a sense of how frequently a host or endpoint was down in your selected time span.
@@ -44,7 +42,6 @@ Included on this chart is the {{anomaly-detect}} ({{ml}}) integration. For more
 :screenshot:
 :::
 
-
 ## Pings over time [uptime-pings-chart]
 
 The **Pings over time** chart is a graphical representation of the check statuses over time. Hover over the charts to display crosshairs with specific numeric data.
@@ -54,7 +51,6 @@ The **Pings over time** chart is a graphical representation of the check statuse
 :screenshot:
 :::
 
-
 ## Check history [uptime-history-panel]
 
 The **History** table lists the total count of this monitor’s checks for the selected date range. To help find recent problems on a per-check basis, you can filter by `status` and `location`.

@@ -23,6 +23,3 @@ Learn how to view and interpret data in the {{uptime-app}}:
 * [Analyze monitors](analyze-monitors.md)
 * [Inspect uptime duration anomalies](inspect-uptime-duration-anomalies.md)
 
-
-
-
@@ -16,15 +16,13 @@ Elastic APM agents can send unauthenticated (anonymous) events to the APM Server
 
 In some cases, however, it makes sense to allow both authenticated and anonymous requests. For example, it isn’t possible to authenticate requests from front-end services as the secret token or API key can’t be protected. This is the case with the Real User Monitoring (RUM) agent running in a browser, or the Android or iOS/Swift agent running in a user application. However, you still likely want to authenticate requests from back-end services. To solve this problem, you can enable anonymous authentication in the APM Server to allow the ingestion of unauthenticated client-side APM data while still requiring authentication for server-side services.
 
-
 ## Configuring anonymous auth for client-side services [apm-anonymous-auth-config]
 
 ::::{note}
 You can only enable and configure anonymous authentication if an [API key](api-keys.md) or [secret token](secret-token.md) is configured. If neither are configured, these settings will be ignored.
 
 ::::
 
-
 :::::::{tab-set}
 
 ::::::{tab-item} Fleet-managed
@@ -57,7 +55,6 @@ The remote IP address of an incoming request might be different from the end-use
 
 If none of these headers are present, the remote address for the incoming request is used.
 
-
 ### Using a reverse proxy or load balancer [apm-derive-client-ip-concerns]
 
 HTTP headers are easily modified; it’s possible for anyone to spoof the derived `client.ip` value by changing or setting, for example, the value of the `X-Forwarded-For` header. For this reason, if any of your clients are not trusted, we recommend setting up a reverse proxy or load balancer in front of the APM Server.

@@ -7,26 +7,27 @@ applies_to:
 
 # API keys [apm-api-key]
 
+:::{include} _snippets/apm-server-vs-mis.md
+:::
+
 ::::{important}
 API keys are sent as plain-text, so they only provide security when used in combination with [TLS](apm-agent-tls-communication.md).
 ::::
 
-
-When enabled, API keys are used to authorize requests to the APM Server. API keys are not applicable for APM agents running on clients, like the RUM agent, as there is no way to prevent them from being publicly exposed.
+When enabled, API keys are used to authorize requests to {{apm-server-or-mis}}. API keys are not applicable for APM agents running on clients, like the RUM agent, as there is no way to prevent them from being publicly exposed.
 
 You can assign one or more unique privileges to each API key:
 
 * **Agent configuration** (`config_agent:read`): Required for agents to read [Agent configuration remotely](apm-agent-central-configuration.md).
 * **Ingest** (`event:write`): Required for ingesting agent events.
 
-To secure the communication between APM Agents and the APM Server with API keys, make sure [TLS](apm-agent-tls-communication.md) is enabled, then complete these steps:
+To secure the communication between APM Agents and either {{apm-server-or-mis}} with API keys, make sure [TLS](apm-agent-tls-communication.md) is enabled, then complete these steps:
 
 1. [Enable API keys](#apm-enable-api-key)
 2. [Create an API key user](#apm-create-api-key-user)
 3. [Create an API key in {{kib}}](#apm-create-an-api-key)
 4. [Set the API key in your APM agents](#apm-agent-api-key)
 
-
 ## Enable API keys [apm-enable-api-key]
 
 :::::::{tab-set}
@@ -50,11 +51,20 @@ apm-server.auth.api_key.limit: 50 <2>
 
 ::::::
 
+::::::{tab-item} {{serverless-full}}
+API keys are enabled by default.
+::::::
+
 :::::::
 
 ## Create an API key user in {{kib}} [apm-create-api-key-user]
 
-API keys can only have the same or lower access rights than the user that creates them. Instead of using a superuser account to create API keys, you can create a role with the minimum required privileges.
+API keys can only have the same or lower access rights than the user that creates them.
+
+:::::::{tab-set}
+
+::::::{tab-item} Fleet-managed or APM Server binary
+Instead of using a superuser account to create API keys, you can create a role with the minimum required privileges.
 
 The user creating an {{apm-agent}} API key must have at least the `manage_own_api_key` cluster privilege and the APM application-level privileges that it wishes to grant. In addition, when creating an API key from the Applications UI, you’ll need the appropriate {{kib}} Space and Feature privileges.
 
@@ -84,14 +94,23 @@ POST /_security/role/apm_agent_key_role
 
 1. This example assigns privileges for the default space.
 
-
 Assign the newly created `apm_agent_key_role` role to any user that wishes to create {{apm-agent}} API keys.
+::::::
 
+::::::{tab-item} {{serverless-full}}
+**For Observability Serverless projects**, the Editor role or higher is required to create and manage API keys. To learn more, refer to [Assign user roles and privileges](/deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles).
+::::::
+
+:::::::
 
 ## Create an API key in the Applications UI [apm-create-an-api-key]
 
 The Applications UI has a built-in workflow that you can use to easily create and view {{apm-agent}} API keys. Only API keys created in the Applications UI will show up here.
 
+:::::::{tab-set}
+
+::::::{tab-item} Fleet-managed or APM Server binary
+
 Using a superuser account, or a user with the role created in the previous step, In {{kib}}, find **Applications** in the main menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). Go to **Settings** → **Agent keys**. Enter a name for your API key and select at least one privilege.
 
 For example, to create an API key that can be used to ingest APM events and read agent central configuration, select `config_agent:read` and `event:write`.
@@ -103,6 +122,27 @@ Click **Create APM Agent key** and copy the Base64 encoded API key. You will nee
 :screenshot:
 :::
 
+::::::
+
+::::::{tab-item} {{serverless-full}}
+To create a new API key:
+
+1. In your Elastic Observability Serverless project, go to any Applications page.
+1. Click **Settings**.
+1. Select the **Agent keys** tab.
+1. Click **Create APM agent key**.
+1. Name the key and assign privileges to it.
+1. Click **Create APM agent key**.
+1. Copy the key now. You will not be able to see it again. API keys do not expire.
+
+To view all API keys for your project:
+
+1. Expand **Project settings**.
+1. Select **Management**.
+1. Select **API keys**.
+::::::
+
+:::::::
 
 ## Set the API key in your APM agents [apm-agent-api-key]
 
@@ -118,15 +158,18 @@ You can now apply your newly created API keys in the configuration of each of yo
 * **Python agent**: [`api_key`](apm-agent-python://reference/configuration.md#config-api-key)
 * **Ruby agent**: [`api_key`](apm-agent-ruby://reference/configuration.md#config-api-key)
 
-
 ## Alternate API key creation methods [apm-configure-api-key-alternative]
 
+```{applies_to}
+stack:
+serverless: unavailable
+```
+
 API keys can also be created and validated outside of {{kib}}:
 
 * [APM Server API key workflow](#apm-create-api-key-workflow-apm-server)
 * [{{es}} API key workflow](#apm-create-api-key-workflow-es)
 
-
 ### APM Server API key workflow [apm-create-api-key-workflow-apm-server]
 
 This API creation method only works with the APM Server binary.
@@ -137,10 +180,8 @@ This API creation method only works with the APM Server binary.
 Users should create API Keys through {{kib}} or the {{es}} REST API
 ::::
 
-
 APM Server provides a command line interface for creating, retrieving, invalidating, and verifying API keys. Keys created using this method can only be used for communication with APM Server.
 
-
 #### `apikey` subcommands [apm-create-api-key-subcommands]
 
 **`create`**
@@ -163,10 +204,8 @@ APM Server provides a command line interface for creating, retrieving, invalidat
         * To **ingest agent data**, assign `event:write`.
         * To **upload source maps**, assign `sourcemap:write`.
 
-
     ::::
 
-
 **`info`**
 :   Query API Key(s). `--id` or `--name` required.
 
@@ -176,7 +215,6 @@ APM Server provides a command line interface for creating, retrieving, invalidat
 **`verify`**
 :   Check if a credentials string has the given privilege(s). `--credentials` required.
 
-
 #### Privileges [apm-create-api-key-privileges]
 
 If privileges are not specified at creation time, the created key will have all privileges.
@@ -185,7 +223,6 @@ If privileges are not specified at creation time, the created key will have all
 * `--ingest` grants the `event:write` privilege
 * `--sourcemap` grants the `sourcemap:write` privilege
 
-
 #### Create an API key [apm-create-api-key-workflow]
 
 Create an API key with the `create` subcommand.
@@ -238,7 +275,6 @@ Error count ........ 0
 
 A full list of `apikey` subcommands and flags is available in the [API key command reference](apm-server-command-reference.md#apm-apikey-command).
 
-
 ### {{es}} API key workflow [apm-create-api-key-workflow-es]
 
 It is also possible to create API keys using the {{es}} [create API key API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key).
@@ -268,7 +304,6 @@ POST /_security/api_key
 2. The expiration time of the API key
 3. Any assigned privileges
 
-
 The response will look similar to this:
 
 ```console-result
Original file line number	Diff line number	Diff line change
Expand Up		@@ -10,7 +10,6 @@ applies_to:

		# Act on application data


		In addition to exploring visualizations in the Applications UI in {{kib}}, you can make your application data more actionable with:

		\| \| \|
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -23,6 +23,3 @@ Learn how to view and interpret data in the {{uptime-app}}:
		* [Analyze monitors](analyze-monitors.md)
		* [Inspect uptime duration anomalies](inspect-uptime-duration-anomalies.md)