elastic · ymao1 · Dec 2, 2025 · Dec 2, 2025 · Dec 2, 2025 · Dec 2, 2025
diff --git a/docs/extend/plugin-list.md b/docs/extend/plugin-list.md
@@ -240,7 +240,7 @@ mapped_pages:
 | [streamsApp](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/streams_app/README.md) | Home of the Streams app plugin, which allows users to manage Streams via the UI. |
 | [synthetics](https://github.com/elastic/kibana/blob/main/x-pack/solutions/observability/plugins/synthetics/README.md) | The purpose of this plugin is to provide users of Heartbeat more visibility of what's happening in their infrastructure. |
 | [taskManager](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/task_manager/README.md) | The task manager is a generic system for running background tasks. |
-| [taskManagerDependencies](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/private/task_manager_dependencies/README.md) | This plugin is used as a temporary sidecar plugin to enable the task manager plugin access to the encrypted saved objects client as there is a circular dependency if the task manager were to require the encrypted saved objects plugin directly. |
+| [taskManagerDependencies](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/private/task_manager_dependencies/README.md) | This plugin is used as a temporary sidecar plugin to enable the task manager plugin access to the encrypted saved objects client and the security plugin start contract as there is a circular dependency if the task manager were to require the encrypted saved objects plugin directly. |
 | [telemetryCollectionXpack](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/private/telemetry_collection_xpack/README.md) | Gathers all usage collection, retrieving them from both: OSS and X-Pack plugins. |
 | [timelines](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/timelines/README.md) | Timelines is a plugin that provides a grid component with accompanying server side apis to help users identify events of interest and perform root cause analysis within Kibana. |
 | [transform](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/private/transform/README.md) | This plugin provides access to the transforms features provided by Elasticsearch. It follows Kibana's standard plugin architecture, originally the plugin boilerplate code was taken from the snapshot/restore plugin. |

@@ -97,6 +97,10 @@
     "apiKeyId",
     "createdAt"
   ],
+  "api_key_to_invalidate": [
+    "apiKeyId",
+    "createdAt"
+  ],
   "apm-custom-dashboards": [
     "dashboardSavedObjectId",
     "kuery",

@@ -325,6 +325,17 @@
       }
     }
   },
+  "api_key_to_invalidate": {
+    "dynamic": false,
+    "properties": {
+      "apiKeyId": {
+        "type": "keyword"
+      },
+      "createdAt": {
+        "type": "date"
+      }
+    }
+  },
   "apm-custom-dashboards": {
     "properties": {
       "dashboardSavedObjectId": {

@@ -11,4 +11,4 @@ export { registerCoreObjectTypes } from './registration';
 
 // set minimum number of registered saved objects to ensure no object types are removed after 8.8
 // declared in internal implementation explicitly to prevent unintended changes.
-export const SAVED_OBJECT_TYPES_COUNT = 138 as const;
+export const SAVED_OBJECT_TYPES_COUNT = 139 as const;
@@ -67,6 +67,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
         "alert": "25c6ceada17bfbe3027062c87e8eec6207d210f69638e53dd8110cba9735973b",
         "alerting_rule_template": "7c0ce40abc7416e49e3729b5189623be396c31b6c7ce2f915d9f4908405eca74",
         "api_key_pending_invalidation": "19ece0ac908352a86624e7c487f452077db878a9bf15286892c6da8e76bbb479",
+        "api_key_to_invalidate": "2e202e95f580920dd23c8e39659817f1d210f15d8a55af5b3ae9469a6e98a2d7",
         "apm-custom-dashboards": "30647691e2f67ccb9530d4c99d5723800872b4e5291a033de1116357603e4f27",
         "apm-indices": "9d3b6f5d29647738edb718b38e0eab712ec705f707b47572cf0bb37e011f3a8e",
         "apm-server-schema": "a58389bb3de41d987a2f0e53fd3360e90586656c981a9adaf862f4a06b7ab873",
@@ -300,6 +301,11 @@ describe('checking migration metadata changes on all registered SO types', () =>
         "api_key_pending_invalidation|schemas: da39a3ee5e6b4b0d3255bfef95601890afd80709",
         "api_key_pending_invalidation|10.1.0: 61265eecca1fe876ad48410cd295efdd61a593911dd6ab530b36bd8943c7c102",
         "=====================================================================================================",
+        "api_key_to_invalidate|global: 32dfc316c06e96b4edefee819aa3e0bf7365241d",
+        "api_key_to_invalidate|mappings: fa87c3b4528dcec61462709d2575ac13ba86397e",
+        "api_key_to_invalidate|schemas: da39a3ee5e6b4b0d3255bfef95601890afd80709",
+        "api_key_to_invalidate|10.1.0: 61265eecca1fe876ad48410cd295efdd61a593911dd6ab530b36bd8943c7c102",
+        "==============================================================================================",
         "apm-custom-dashboards|global: f72017061cda1a43792af034d019b3a766eacd7a",
         "apm-custom-dashboards|mappings: 72a467c41818fc3a8f88c40a885e835485752e73",
         "apm-custom-dashboards|schemas: da39a3ee5e6b4b0d3255bfef95601890afd80709",
@@ -1264,6 +1270,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
         "alert": "10.7.0",
         "alerting_rule_template": "10.2.0",
         "api_key_pending_invalidation": "10.1.0",
+        "api_key_to_invalidate": "10.1.0",
         "apm-custom-dashboards": "10.1.0",
         "apm-indices": "10.1.0",
         "apm-server-schema": "10.1.0",
@@ -1412,6 +1419,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
         "alert": "10.7.0",
         "alerting_rule_template": "10.2.0",
         "api_key_pending_invalidation": "10.1.0",
+        "api_key_to_invalidate": "10.1.0",
         "apm-custom-dashboards": "10.1.0",
         "apm-indices": "10.1.0",
         "apm-server-schema": "10.1.0",

@@ -18,6 +18,7 @@ const previouslyRegisteredTypes = [
   'alert',
   'alerting_rule_template',
   'api_key_pending_invalidation',
+  'api_key_to_invalidate',
   'apm-custom-dashboards',
   'apm-indices',
   'apm-server-schema',

@@ -435,6 +435,8 @@ kibana_vars=(
     xpack.task_manager.auto_calculate_default_ech_capacity
     xpack.task_manager.discovery.active_nodes_lookback
     xpack.task_manager.discovery.interval
+    xpack.task_manager.invalidate_api_key_task.interval
+    xpack.task_manager.invalidate_api_key_task.removalDelay
     xpack.task_manager.kibanas_per_partition
     xpack.task_manager.max_attempts
     xpack.task_manager.max_workers

@@ -1,7 +1,7 @@
 # Task Manager Dependencies
 
 This plugin is used as a temporary sidecar plugin to enable the task manager plugin access to 
-the encrypted saved objects client as there is a circular dependency if the task manager were to
+the encrypted saved objects client and the security plugin start contract as there is a circular dependency if the task manager were to
 require the encrypted saved objects plugin directly.
 
 This is because the encrypted saved objects plugin has a dependency on the security plugin, which

@@ -19,5 +19,8 @@
       "taskManager",
       "encryptedSavedObjects",
     ],
+    "optionalPlugins": [
+      "security",
+    ]
   },
 }
@@ -20,6 +20,7 @@ project:
 dependsOn:
   - '@kbn/core'
   - '@kbn/encrypted-saved-objects-plugin'
+  - '@kbn/security-plugin'
   - '@kbn/task-manager-plugin'
 tags:
   - plugin

@@ -6,6 +6,7 @@
  */
 
 import type { CoreSetup, CoreStart } from '@kbn/core/server';
+import type { SecurityPluginStart } from '@kbn/security-plugin/server';
 import type {
   EncryptedSavedObjectsPluginSetup,
   EncryptedSavedObjectsPluginStart,
@@ -22,11 +23,12 @@ export interface TaskManagerDependenciesPluginSetup {
 
 export interface TaskManagerDependenciesPluginStart {
   encryptedSavedObjects: EncryptedSavedObjectsPluginStart;
+  security?: SecurityPluginStart;
   taskManager: TaskManagerStartContract;
 }
 
 export class TaskManagerDependenciesPlugin {
-  public setup(core: CoreSetup, plugin: TaskManagerDependenciesPluginSetup) {
+  public setup(_: CoreSetup, plugin: TaskManagerDependenciesPluginSetup) {
     plugin.encryptedSavedObjects.registerType({
       type: 'task',
       attributesToEncrypt: new Set(['apiKey']),
@@ -37,11 +39,14 @@ export class TaskManagerDependenciesPlugin {
     plugin.taskManager.registerCanEncryptedSavedObjects(plugin.encryptedSavedObjects.canEncrypt);
   }
 
-  public start(core: CoreStart, plugin: TaskManagerDependenciesPluginStart) {
+  public start(_: CoreStart, plugin: TaskManagerDependenciesPluginStart) {
     plugin.taskManager.registerEncryptedSavedObjectsClient(
       plugin.encryptedSavedObjects.getClient({
         includedHiddenTypes: ['task'],
       })
     );
+    plugin.taskManager.registerApiKeyInvalidateFn(
+      plugin.security?.authc.apiKeys.invalidateAsInternalUser
+    );
   }
 }
@@ -9,6 +9,7 @@
   "kbn_references": [
     "@kbn/core",
     "@kbn/encrypted-saved-objects-plugin",
+    "@kbn/security-plugin",
     "@kbn/task-manager-plugin",
   ],
   "exclude": [