diff --git a/src/CodeGeneration/ApiGenerator/ApiGenerator.cs b/src/CodeGeneration/ApiGenerator/ApiGenerator.cs
index 52abfbc19ef..e52b4c975b0 100644
--- a/src/CodeGeneration/ApiGenerator/ApiGenerator.cs
+++ b/src/CodeGeneration/ApiGenerator/ApiGenerator.cs
@@ -35,9 +35,6 @@ public class ApiGenerator
 			"indices.freeze.json",
 			"indices.unfreeze.json",
 			"xpack.ml.set_upgrade_mode.json",
-			"security.create_api_key.json",
-			"security.get_api_key.json",
-			"security.invalidate_api_key.json",
 			"xpack.monitoring.bulk.json",
 
 			// these API's are not ready for primetime yet
@@ -179,7 +176,15 @@ private static Dictionary<string, ApiQueryParameters> CreateCommonApiQueryParame
 			return ApiQueryParametersPatcher.Patch(null, commonParameters, null, false);
 		}
 
-		private static string CreateMethodName(string apiEndpointKey) => PascalCase(apiEndpointKey);
+		private static string CreateMethodName(string apiEndpointKey)
+		{
+			var pascalCased = PascalCase(apiEndpointKey);
+			if (pascalCased.StartsWith("Security"))
+			{
+				pascalCased = "Xpack" + pascalCased;
+			}
+			return pascalCased;
+		}
 
 		private static string DoRazor(string name, string template, RestApiSpec model) =>
 			Razor.CompileRenderAsync(name, template, model).GetAwaiter().GetResult();
diff --git a/src/Elasticsearch.Net/Domain/RequestParameters/RequestParameters.Generated.cs b/src/Elasticsearch.Net/Domain/RequestParameters/RequestParameters.Generated.cs
index e642a18c064..ef9b8204091 100644
--- a/src/Elasticsearch.Net/Domain/RequestParameters/RequestParameters.Generated.cs
+++ b/src/Elasticsearch.Net/Domain/RequestParameters/RequestParameters.Generated.cs
@@ -2718,6 +2718,34 @@ public partial class StopRollupJobRequestParameters : RequestParameters<StopRoll
 		///<summary>Block for (at maximum) the specified duration while waiting for the job to stop. Defaults to 30s.</summary>
 		public TimeSpan Timeout { get => Q<TimeSpan>("timeout"); set => Q("timeout", value); }
 	}
+	///<summary>Request options for XpackSecurityCreateApiKey<pre>https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-create-api-key.html</pre></summary>
+	public partial class CreateApiKeyRequestParameters : RequestParameters<CreateApiKeyRequestParameters> 
+	{
+		public override HttpMethod DefaultHttpMethod => HttpMethod.PUT;
+		///<summary>
+		/// If `true` (the default) then refresh the affected shards to make this operation visible to search, if `wait_for` then wait for a refresh
+		/// to make this operation visible to search, if `false` then do nothing with refreshes.
+		///</summary>
+		public Refresh? Refresh { get => Q<Refresh?>("refresh"); set => Q("refresh", value); }
+	}
+	///<summary>Request options for XpackSecurityGetApiKey<pre>https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-get-api-key.html</pre></summary>
+	public partial class GetApiKeyRequestParameters : RequestParameters<GetApiKeyRequestParameters> 
+	{
+		public override HttpMethod DefaultHttpMethod => HttpMethod.GET;
+		///<summary>API key id of the API key to be retrieved</summary>
+		public string Id { get => Q<string>("id"); set => Q("id", value); }
+		///<summary>API key name of the API key to be retrieved</summary>
+		public string Name { get => Q<string>("name"); set => Q("name", value); }
+		///<summary>user name of the user who created this API key to be retrieved</summary>
+		public string Username { get => Q<string>("username"); set => Q("username", value); }
+		///<summary>realm name of the user who created this API key to be retrieved</summary>
+		public string RealmName { get => Q<string>("realm_name"); set => Q("realm_name", value); }
+	}
+	///<summary>Request options for XpackSecurityInvalidateApiKey<pre>https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-invalidate-api-key.html</pre></summary>
+	public partial class InvalidateApiKeyRequestParameters : RequestParameters<InvalidateApiKeyRequestParameters> 
+	{
+		public override HttpMethod DefaultHttpMethod => HttpMethod.DELETE;
+	}
 	///<summary>Request options for XpackSecurityAuthenticate<pre>https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-authenticate.html</pre></summary>
 	public partial class AuthenticateRequestParameters : RequestParameters<AuthenticateRequestParameters> 
 	{
diff --git a/src/Elasticsearch.Net/ElasticLowLevelClient.Generated.cs b/src/Elasticsearch.Net/ElasticLowLevelClient.Generated.cs
index a83cddfc1c1..9d5e2723991 100644
--- a/src/Elasticsearch.Net/ElasticLowLevelClient.Generated.cs
+++ b/src/Elasticsearch.Net/ElasticLowLevelClient.Generated.cs
@@ -4052,6 +4052,44 @@ public TResponse XpackRollupStopJob<TResponse>(string id, StopRollupJobRequestPa
 		///<param name="requestParameters">A func that allows you to describe the querystring parameters &amp; request specific connection settings.</param>
 		public Task<TResponse> XpackRollupStopJobAsync<TResponse>(string id, StopRollupJobRequestParameters requestParameters = null, CancellationToken ctx = default(CancellationToken))
 			where TResponse : class, IElasticsearchResponse, new() => this.DoRequestAsync<TResponse>(POST, Url($"_xpack/rollup/job/{id.NotNull("id")}/_stop"), ctx, null, _params(requestParameters));
+		///<summary>PUT on /_security/api_key <para>https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-create-api-key.html</para></summary>
+		///<param name="body">The api key request to create an API key</param>
+		///<param name="requestParameters">A func that allows you to describe the querystring parameters &amp; request specific connection settings.</param>
+		public TResponse XpackSecurityCreateApiKey<TResponse>(PostData body, CreateApiKeyRequestParameters requestParameters = null)
+			where TResponse : class, IElasticsearchResponse, new() => this.DoRequest<TResponse>(PUT, Url($"_security/api_key"), body, _params(requestParameters));
+		///<summary>PUT on /_security/api_key <para>https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-create-api-key.html</para></summary>
+		///<param name="body">The api key request to create an API key</param>
+		///<param name="requestParameters">A func that allows you to describe the querystring parameters &amp; request specific connection settings.</param>
+		public Task<TResponse> XpackSecurityCreateApiKeyAsync<TResponse>(PostData body, CreateApiKeyRequestParameters requestParameters = null, CancellationToken ctx = default(CancellationToken))
+			where TResponse : class, IElasticsearchResponse, new() => this.DoRequestAsync<TResponse>(PUT, Url($"_security/api_key"), ctx, body, _params(requestParameters));
+		///<summary>POST on /_security/api_key <para>https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-create-api-key.html</para></summary>
+		///<param name="body">The api key request to create an API key</param>
+		///<param name="requestParameters">A func that allows you to describe the querystring parameters &amp; request specific connection settings.</param>
+		public TResponse XpackSecurityCreateApiKeyPost<TResponse>(PostData body, CreateApiKeyRequestParameters requestParameters = null)
+			where TResponse : class, IElasticsearchResponse, new() => this.DoRequest<TResponse>(POST, Url($"_security/api_key"), body, _params(requestParameters));
+		///<summary>POST on /_security/api_key <para>https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-create-api-key.html</para></summary>
+		///<param name="body">The api key request to create an API key</param>
+		///<param name="requestParameters">A func that allows you to describe the querystring parameters &amp; request specific connection settings.</param>
+		public Task<TResponse> XpackSecurityCreateApiKeyPostAsync<TResponse>(PostData body, CreateApiKeyRequestParameters requestParameters = null, CancellationToken ctx = default(CancellationToken))
+			where TResponse : class, IElasticsearchResponse, new() => this.DoRequestAsync<TResponse>(POST, Url($"_security/api_key"), ctx, body, _params(requestParameters));
+		///<summary>GET on /_security/api_key <para>https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-get-api-key.html</para></summary>
+		///<param name="requestParameters">A func that allows you to describe the querystring parameters &amp; request specific connection settings.</param>
+		public TResponse XpackSecurityGetApiKey<TResponse>(GetApiKeyRequestParameters requestParameters = null)
+			where TResponse : class, IElasticsearchResponse, new() => this.DoRequest<TResponse>(GET, Url($"_security/api_key"), null, _params(requestParameters));
+		///<summary>GET on /_security/api_key <para>https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-get-api-key.html</para></summary>
+		///<param name="requestParameters">A func that allows you to describe the querystring parameters &amp; request specific connection settings.</param>
+		public Task<TResponse> XpackSecurityGetApiKeyAsync<TResponse>(GetApiKeyRequestParameters requestParameters = null, CancellationToken ctx = default(CancellationToken))
+			where TResponse : class, IElasticsearchResponse, new() => this.DoRequestAsync<TResponse>(GET, Url($"_security/api_key"), ctx, null, _params(requestParameters));
+		///<summary>DELETE on /_security/api_key <para>https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-invalidate-api-key.html</para></summary>
+		///<param name="body">The api key request to invalidate API key(s)</param>
+		///<param name="requestParameters">A func that allows you to describe the querystring parameters &amp; request specific connection settings.</param>
+		public TResponse XpackSecurityInvalidateApiKey<TResponse>(PostData body, InvalidateApiKeyRequestParameters requestParameters = null)
+			where TResponse : class, IElasticsearchResponse, new() => this.DoRequest<TResponse>(DELETE, Url($"_security/api_key"), body, _params(requestParameters));
+		///<summary>DELETE on /_security/api_key <para>https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-invalidate-api-key.html</para></summary>
+		///<param name="body">The api key request to invalidate API key(s)</param>
+		///<param name="requestParameters">A func that allows you to describe the querystring parameters &amp; request specific connection settings.</param>
+		public Task<TResponse> XpackSecurityInvalidateApiKeyAsync<TResponse>(PostData body, InvalidateApiKeyRequestParameters requestParameters = null, CancellationToken ctx = default(CancellationToken))
+			where TResponse : class, IElasticsearchResponse, new() => this.DoRequestAsync<TResponse>(DELETE, Url($"_security/api_key"), ctx, body, _params(requestParameters));
 		///<summary>GET on /_xpack/security/_authenticate <para>https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-authenticate.html</para></summary>
 		///<param name="requestParameters">A func that allows you to describe the querystring parameters &amp; request specific connection settings.</param>
 		public TResponse XpackSecurityAuthenticate<TResponse>(AuthenticateRequestParameters requestParameters = null)
diff --git a/src/Elasticsearch.Net/IElasticLowLevelClient.Generated.cs b/src/Elasticsearch.Net/IElasticLowLevelClient.Generated.cs
index bb6e6d7b943..6652d72c20d 100644
--- a/src/Elasticsearch.Net/IElasticLowLevelClient.Generated.cs
+++ b/src/Elasticsearch.Net/IElasticLowLevelClient.Generated.cs
@@ -3284,6 +3284,36 @@ public partial interface IElasticLowLevelClient
 		///<param name="id">The ID of the job to stop</param>
 		///<param name="requestParameters">A func that allows you to describe the querystring parameters &amp; request specific connection settings.</param>
 		Task<TResponse> XpackRollupStopJobAsync<TResponse>(string id, StopRollupJobRequestParameters requestParameters = null, CancellationToken ctx = default(CancellationToken)) where TResponse : class, IElasticsearchResponse, new();
+		///<summary>PUT on /_security/api_key <para>https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-create-api-key.html</para></summary>
+		///<param name="body">The api key request to create an API key</param>
+		///<param name="requestParameters">A func that allows you to describe the querystring parameters &amp; request specific connection settings.</param>
+		TResponse XpackSecurityCreateApiKey<TResponse>(PostData body, CreateApiKeyRequestParameters requestParameters = null) where TResponse : class, IElasticsearchResponse, new();
+		///<summary>PUT on /_security/api_key <para>https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-create-api-key.html</para></summary>
+		///<param name="body">The api key request to create an API key</param>
+		///<param name="requestParameters">A func that allows you to describe the querystring parameters &amp; request specific connection settings.</param>
+		Task<TResponse> XpackSecurityCreateApiKeyAsync<TResponse>(PostData body, CreateApiKeyRequestParameters requestParameters = null, CancellationToken ctx = default(CancellationToken)) where TResponse : class, IElasticsearchResponse, new();
+		///<summary>POST on /_security/api_key <para>https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-create-api-key.html</para></summary>
+		///<param name="body">The api key request to create an API key</param>
+		///<param name="requestParameters">A func that allows you to describe the querystring parameters &amp; request specific connection settings.</param>
+		TResponse XpackSecurityCreateApiKeyPost<TResponse>(PostData body, CreateApiKeyRequestParameters requestParameters = null) where TResponse : class, IElasticsearchResponse, new();
+		///<summary>POST on /_security/api_key <para>https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-create-api-key.html</para></summary>
+		///<param name="body">The api key request to create an API key</param>
+		///<param name="requestParameters">A func that allows you to describe the querystring parameters &amp; request specific connection settings.</param>
+		Task<TResponse> XpackSecurityCreateApiKeyPostAsync<TResponse>(PostData body, CreateApiKeyRequestParameters requestParameters = null, CancellationToken ctx = default(CancellationToken)) where TResponse : class, IElasticsearchResponse, new();
+		///<summary>GET on /_security/api_key <para>https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-get-api-key.html</para></summary>
+		///<param name="requestParameters">A func that allows you to describe the querystring parameters &amp; request specific connection settings.</param>
+		TResponse XpackSecurityGetApiKey<TResponse>(GetApiKeyRequestParameters requestParameters = null) where TResponse : class, IElasticsearchResponse, new();
+		///<summary>GET on /_security/api_key <para>https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-get-api-key.html</para></summary>
+		///<param name="requestParameters">A func that allows you to describe the querystring parameters &amp; request specific connection settings.</param>
+		Task<TResponse> XpackSecurityGetApiKeyAsync<TResponse>(GetApiKeyRequestParameters requestParameters = null, CancellationToken ctx = default(CancellationToken)) where TResponse : class, IElasticsearchResponse, new();
+		///<summary>DELETE on /_security/api_key <para>https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-invalidate-api-key.html</para></summary>
+		///<param name="body">The api key request to invalidate API key(s)</param>
+		///<param name="requestParameters">A func that allows you to describe the querystring parameters &amp; request specific connection settings.</param>
+		TResponse XpackSecurityInvalidateApiKey<TResponse>(PostData body, InvalidateApiKeyRequestParameters requestParameters = null) where TResponse : class, IElasticsearchResponse, new();
+		///<summary>DELETE on /_security/api_key <para>https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-invalidate-api-key.html</para></summary>
+		///<param name="body">The api key request to invalidate API key(s)</param>
+		///<param name="requestParameters">A func that allows you to describe the querystring parameters &amp; request specific connection settings.</param>
+		Task<TResponse> XpackSecurityInvalidateApiKeyAsync<TResponse>(PostData body, InvalidateApiKeyRequestParameters requestParameters = null, CancellationToken ctx = default(CancellationToken)) where TResponse : class, IElasticsearchResponse, new();
 		///<summary>GET on /_xpack/security/_authenticate <para>https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-authenticate.html</para></summary>
 		///<param name="requestParameters">A func that allows you to describe the querystring parameters &amp; request specific connection settings.</param>
 		TResponse XpackSecurityAuthenticate<TResponse>(AuthenticateRequestParameters requestParameters = null) where TResponse : class, IElasticsearchResponse, new();
diff --git a/src/Nest/XPack/Security/ApiKey/CreateApiKey/ApiKeyPrivileges.cs b/src/Nest/XPack/Security/ApiKey/CreateApiKey/ApiKeyPrivileges.cs
new file mode 100644
index 00000000000..1b86ee74b09
--- /dev/null
+++ b/src/Nest/XPack/Security/ApiKey/CreateApiKey/ApiKeyPrivileges.cs
@@ -0,0 +1,58 @@
+using System;
+using System.Collections.Generic;
+
+namespace Nest
+{
+	public interface IApiKeyPrivileges
+	{
+		/// <summary>
+		/// A list of names.
+		/// </summary>
+		IEnumerable<string> Names { get; set; }
+
+		/// <summary>
+		/// A list of privileges.
+		/// </summary>
+		IEnumerable<string> Privileges { get; set; }
+	}
+
+	public class ApiKeyPrivileges : IApiKeyPrivileges
+	{
+		/// <inheritdoc cref="IApiKeyPrivileges.Names" />
+		public IEnumerable<string> Names { get; set; }
+
+		/// <inheritdoc cref="IApiKeyPrivileges.Privileges" />
+		public IEnumerable<string> Privileges { get; set; }
+	}
+
+	public class ApiKeyPrivilegesDescriptor
+		: DescriptorPromiseBase<ApiKeyPrivilegesDescriptor, List<IApiKeyPrivileges>>
+	{
+		public ApiKeyPrivilegesDescriptor() : base(new List<IApiKeyPrivileges>()) { }
+
+		public ApiKeyPrivilegesDescriptor Index(Func<ApiKeyPrivilegeDescriptor, IApiKeyPrivileges> selector) =>
+			Assign(selector, (a, v) => a.Add(v.InvokeOrDefault(new ApiKeyPrivilegeDescriptor())));
+
+		public class ApiKeyPrivilegeDescriptor
+			: DescriptorBase<ApiKeyPrivilegeDescriptor, IApiKeyPrivileges>, IApiKeyPrivileges
+		{
+			/// <inheritdoc cref="IApiKeyPrivileges.Names" />
+			IEnumerable<string> IApiKeyPrivileges.Names { get; set; }
+
+			/// <inheritdoc cref="IApiKeyPrivileges.Privileges" />
+			IEnumerable<string> IApiKeyPrivileges.Privileges { get; set; }
+
+			/// <inheritdoc cref="IApiKeyPrivileges.Privileges" />
+			public ApiKeyPrivilegeDescriptor Privileges(params string[] privileges) => Assign(privileges, (a, v) => a.Privileges = v);
+
+			/// <inheritdoc cref="IApiKeyPrivileges.Privileges" />
+			public ApiKeyPrivilegeDescriptor Privileges(IEnumerable<string> privileges) => Assign(privileges, (a, v) => a.Privileges = v);
+
+			/// <inheritdoc cref="IApiKeyPrivileges.Names" />
+			public ApiKeyPrivilegeDescriptor Names(params string[] resources) => Assign(resources, (a, v) => a.Names = v);
+
+			/// <inheritdoc cref="IApiKeyPrivileges.Names" />
+			public ApiKeyPrivilegeDescriptor Names(IEnumerable<string> resources) => Assign(resources, (a, v) => a.Names = v);
+		}
+	}
+}
diff --git a/src/Nest/XPack/Security/ApiKey/CreateApiKey/ApiKeyRole.cs b/src/Nest/XPack/Security/ApiKey/CreateApiKey/ApiKeyRole.cs
new file mode 100644
index 00000000000..c9abd4ebbf1
--- /dev/null
+++ b/src/Nest/XPack/Security/ApiKey/CreateApiKey/ApiKeyRole.cs
@@ -0,0 +1,52 @@
+using System;
+using System.Collections.Generic;
+using Newtonsoft.Json;
+
+namespace Nest
+{
+	public interface IApiKeyRole
+	{
+		/// <summary>
+		/// A list of clusters
+		/// </summary>
+		[JsonProperty("cluster")]
+		IEnumerable<string> Cluster { get; set; }
+
+		/// <summary>
+		/// A list of API key privileges for indices.
+		/// </summary>
+		[JsonProperty("index")]
+		IEnumerable<IApiKeyPrivileges> Index { get; set; }
+	}
+
+	public class ApiKeyRole : IApiKeyRole
+	{
+		/// <inheritdoc />
+		[JsonProperty("cluster")]
+		public IEnumerable<string> Cluster { get; set; }
+
+		/// <inheritdoc />
+		[JsonProperty("index")]
+		public IEnumerable<IApiKeyPrivileges> Index { get; set; }
+	}
+
+	public class ApiKeyRoleDescriptor
+		: DescriptorBase<ApiKeyRoleDescriptor, IApiKeyRole>, IApiKeyRole
+	{
+		/// <inheritdoc cref="IApiKeyRole.Cluster" />
+		IEnumerable<string> IApiKeyRole.Cluster { get; set; }
+
+		/// <inheritdoc cref="IApiKeyRole.Index" />
+		IEnumerable<IApiKeyPrivileges> IApiKeyRole.Index { get; set; }
+
+		/// <inheritdoc cref="IApiKeyRole.Cluster" />
+		public ApiKeyRoleDescriptor Cluster(params string[] cluster) => Assign(cluster, (a, v) => a.Cluster = v);
+
+		/// <inheritdoc cref="IApiKeyRole.Cluster" />
+		public ApiKeyRoleDescriptor Cluster(IEnumerable<string> cluster) => Assign(cluster, (a, v) => a.Cluster = v);
+
+		/// <inheritdoc cref="IApiKeyRole.Index" />
+		public ApiKeyRoleDescriptor Indices(Func<ApiKeyPrivilegesDescriptor, IPromise<List<IApiKeyPrivileges>>> selector
+		) => Assign(selector, (a, v) => a.Index = v?.Invoke(new ApiKeyPrivilegesDescriptor())?.Value);
+	}
+}
diff --git a/src/Nest/XPack/Security/ApiKey/CreateApiKey/ApiKeyRoles.cs b/src/Nest/XPack/Security/ApiKey/CreateApiKey/ApiKeyRoles.cs
new file mode 100644
index 00000000000..71caad7c7e0
--- /dev/null
+++ b/src/Nest/XPack/Security/ApiKey/CreateApiKey/ApiKeyRoles.cs
@@ -0,0 +1,26 @@
+using System;
+using System.Collections.Generic;
+using Newtonsoft.Json;
+
+namespace Nest
+{
+	[JsonConverter(typeof(VerbatimDictionaryKeysJsonConverter<string, IApiKeyRole>))]
+	public interface IApiKeyRoles : IIsADictionary<string, IApiKeyRole> { }
+
+	public class ApiKeyRoles : IsADictionaryBase<string, IApiKeyRole>, IApiKeyRoles
+	{
+		public ApiKeyRoles() { }
+
+		internal ApiKeyRoles(IDictionary<string, IApiKeyRole> backingDictionary) : base(backingDictionary) { }
+
+		public void Add(string role, IApiKeyRole apiKeyRole) => BackingDictionary.Add(role, apiKeyRole);
+	}
+
+	public class ApiKeyRolesDescriptor : IsADictionaryDescriptorBase<ApiKeyRolesDescriptor, ApiKeyRoles, string, IApiKeyRole>
+	{
+		public ApiKeyRolesDescriptor() : base(new ApiKeyRoles()) { }
+
+		public ApiKeyRolesDescriptor Role(string name, Func<ApiKeyRoleDescriptor, IApiKeyRole> selector) =>
+			Assign(selector, (a, v) => a.Add(name, v.InvokeOrDefault(new ApiKeyRoleDescriptor())));
+	}
+}
diff --git a/src/Nest/XPack/Security/ApiKey/CreateApiKey/CreateApiKeyRequest.cs b/src/Nest/XPack/Security/ApiKey/CreateApiKey/CreateApiKeyRequest.cs
new file mode 100644
index 00000000000..34812d5aac4
--- /dev/null
+++ b/src/Nest/XPack/Security/ApiKey/CreateApiKey/CreateApiKeyRequest.cs
@@ -0,0 +1,63 @@
+using System;
+using Newtonsoft.Json;
+
+namespace Nest
+{
+	public partial interface ICreateApiKeyRequest
+	{
+		/// <summary>
+		/// Optional expiration for the API key being generated.
+		/// If expiration is not provided then the API keys do not expire.
+		/// </summary>
+		[JsonProperty("expiration")]
+		Time Expiration { get; set; }
+
+		/// <summary>
+		/// Name for this API key
+		/// </summary>
+		[JsonProperty("name")]
+		string Name { get; set; }
+
+		/// <summary>
+		/// Optional role descriptors for this API key, if not provided then permissions of authenticated user are applied.
+		/// </summary>
+		[JsonProperty("role_descriptors")]
+		IApiKeyRoles Roles { get; set; }
+	}
+
+	public partial class CreateApiKeyRequest
+	{
+		/// <inheritdoc cref="ICreateApiKeyRequest.Expiration" />
+		public Time Expiration { get; set; }
+
+		/// <inheritdoc cref="ICreateApiKeyRequest.Name" />
+		public string Name { get; set; }
+
+		/// <inheritdoc cref="ICreateApiKeyRequest.Roles" />
+		public IApiKeyRoles Roles { get; set; } = new ApiKeyRoles(); // Ensure not null, as server expects {}
+	}
+
+	[DescriptorFor("XpackSecurityCreateApiKey")]
+	public partial class CreateApiKeyDescriptor
+	{
+		/// <inheritdoc cref="ICreateApiKeyRequest.Expiration" />
+		Time ICreateApiKeyRequest.Expiration { get; set; }
+
+		/// <inheritdoc cref="ICreateApiKeyRequest.Name" />
+		string ICreateApiKeyRequest.Name { get; set; }
+
+		/// <inheritdoc cref="ICreateApiKeyRequest.Roles" />
+		IApiKeyRoles ICreateApiKeyRequest.Roles { get; set; } = new ApiKeyRoles(); // Ensure not null, as server expects {}
+
+		/// <inheritdoc cref="ICreateApiKeyRequest.Expiration" />
+		public CreateApiKeyDescriptor Expiration(Time expiration) => Assign(expiration, (a, v) => a.Expiration = v);
+
+		/// <inheritdoc cref="ICreateApiKeyRequest.Name" />
+		public CreateApiKeyDescriptor Name(string name) => Assign(name, (a, v) => a.Name = v);
+
+		/// <inheritdoc cref="ICreateApiKeyRequest.Roles" />
+		public CreateApiKeyDescriptor Roles(Func<ApiKeyRolesDescriptor, IPromise<IApiKeyRoles>> selector) =>
+			Assign(selector,
+				(a, v) => a.Roles = v?.Invoke(new ApiKeyRolesDescriptor())?.Value ?? new ApiKeyRoles()); // Ensure not null, as server expects {}
+	}
+}
diff --git a/src/Nest/XPack/Security/ApiKey/CreateApiKey/CreateApiKeyResponse.cs b/src/Nest/XPack/Security/ApiKey/CreateApiKey/CreateApiKeyResponse.cs
new file mode 100644
index 00000000000..ec5b9e11738
--- /dev/null
+++ b/src/Nest/XPack/Security/ApiKey/CreateApiKey/CreateApiKeyResponse.cs
@@ -0,0 +1,49 @@
+using System;
+using System.Collections.Generic;
+using Newtonsoft.Json;
+
+namespace Nest
+{
+	public interface ICreateApiKeyResponse : IResponse
+	{
+		/// <summary>
+		/// Id for the API key
+		/// </summary>
+		[JsonProperty("id")]
+		string Id { get; }
+
+		/// <summary>
+		/// Name of the API key
+		/// </summary>
+		[JsonProperty("name")]
+		string Name { get; }
+
+		/// <summary>
+		/// Optional expiration time for the API key in milliseconds
+		/// </summary>
+		[JsonProperty("expiration")]
+		[JsonConverter(typeof(EpochMillisecondsDateTimeJsonConverter))]
+		DateTimeOffset? Expiration { get; }
+
+		/// <summary>
+		/// Generated API key
+		/// </summary>
+		[JsonProperty("api_key")]
+		string ApiKey { get; }
+	}
+
+	public class CreateApiKeyResponse : ResponseBase, ICreateApiKeyResponse
+	{
+		/// <inheritdoc />
+		public string Id { get; internal set; }
+
+		/// <inheritdoc />
+		public string Name { get; internal set; }
+
+		/// <inheritdoc />
+		public DateTimeOffset? Expiration { get; internal set; }
+
+		/// <inheritdoc />
+		public string ApiKey { get; internal set; }
+	}
+}
diff --git a/src/Nest/XPack/Security/ApiKey/CreateApiKey/ElasticClient-CreateApiKey.cs b/src/Nest/XPack/Security/ApiKey/CreateApiKey/ElasticClient-CreateApiKey.cs
new file mode 100644
index 00000000000..ef30796ed3c
--- /dev/null
+++ b/src/Nest/XPack/Security/ApiKey/CreateApiKey/ElasticClient-CreateApiKey.cs
@@ -0,0 +1,59 @@
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+using Elasticsearch.Net;
+
+namespace Nest
+{
+	public partial interface IElasticClient
+	{
+		/// <summary>
+		/// Creates an API key for access without requiring basic authentication.
+		/// </summary>
+		ICreateApiKeyResponse CreateApiKey(Func<CreateApiKeyDescriptor, ICreateApiKeyRequest> selector = null);
+
+		/// <inheritdoc cref="CreateApiKey(System.Func{Nest.CreateApiKeyDescriptor,Nest.ICreateApiKeyRequest})" />
+		ICreateApiKeyResponse CreateApiKey(ICreateApiKeyRequest request);
+
+		/// <inheritdoc cref="CreateApiKey(System.Func{Nest.CreateApiKeyDescriptor,Nest.ICreateApiKeyRequest})" />
+		Task<ICreateApiKeyResponse> CreateApiKeyAsync(
+			Func<CreateApiKeyDescriptor, ICreateApiKeyRequest> selector = null,
+			CancellationToken cancellationToken = default(CancellationToken)
+		);
+
+		/// <inheritdoc cref="CreateApiKey(System.Func{Nest.CreateApiKeyDescriptor,Nest.ICreateApiKeyRequest})" />
+		Task<ICreateApiKeyResponse> CreateApiKeyAsync(ICreateApiKeyRequest request,
+			CancellationToken cancellationToken = default(CancellationToken)
+		);
+	}
+
+	public partial class ElasticClient
+	{
+		/// <inheritdoc cref="CreateApiKey(System.Func{Nest.CreateApiKeyDescriptor,Nest.ICreateApiKeyRequest})" />
+		public ICreateApiKeyResponse CreateApiKey(Func<CreateApiKeyDescriptor, ICreateApiKeyRequest> selector = null
+		) => CreateApiKey(selector.InvokeOrDefault(new CreateApiKeyDescriptor()));
+
+		/// <inheritdoc cref="CreateApiKey(System.Func{Nest.CreateApiKeyDescriptor,Nest.ICreateApiKeyRequest})" />
+		public ICreateApiKeyResponse CreateApiKey(ICreateApiKeyRequest request) =>
+			Dispatcher.Dispatch<ICreateApiKeyRequest, CreateApiKeyRequestParameters, CreateApiKeyResponse>(
+				request,
+				LowLevelDispatch.XpackSecurityCreateApiKeyDispatch<CreateApiKeyResponse>
+			);
+
+		/// <inheritdoc cref="CreateApiKey(System.Func{Nest.CreateApiKeyDescriptor,Nest.ICreateApiKeyRequest})" />
+		public Task<ICreateApiKeyResponse> CreateApiKeyAsync(
+			Func<CreateApiKeyDescriptor, ICreateApiKeyRequest> selector = null,
+			CancellationToken cancellationToken = default(CancellationToken)
+		) => CreateApiKeyAsync(selector.InvokeOrDefault(new CreateApiKeyDescriptor()), cancellationToken);
+
+		/// <inheritdoc cref="CreateApiKey(System.Func{Nest.CreateApiKeyDescriptor,Nest.ICreateApiKeyRequest})" />
+		public Task<ICreateApiKeyResponse> CreateApiKeyAsync(ICreateApiKeyRequest request,
+			CancellationToken cancellationToken = default(CancellationToken)
+		) => Dispatcher
+				.DispatchAsync<ICreateApiKeyRequest, CreateApiKeyRequestParameters, CreateApiKeyResponse, ICreateApiKeyResponse>(
+					request,
+					cancellationToken,
+					LowLevelDispatch.XpackSecurityCreateApiKeyDispatchAsync<CreateApiKeyResponse>
+				);
+	}
+}
diff --git a/src/Nest/XPack/Security/ApiKey/GetApiKey/ElasticClient-GetApiKey.cs b/src/Nest/XPack/Security/ApiKey/GetApiKey/ElasticClient-GetApiKey.cs
new file mode 100644
index 00000000000..6e9357a51d1
--- /dev/null
+++ b/src/Nest/XPack/Security/ApiKey/GetApiKey/ElasticClient-GetApiKey.cs
@@ -0,0 +1,62 @@
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+using Elasticsearch.Net;
+
+namespace Nest
+{
+	public partial interface IElasticClient
+	{
+		/// <summary>
+		/// Retrieves information for one or more API keys.
+		/// </summary>
+		IGetApiKeyResponse GetApiKey(Func<GetApiKeyDescriptor, IGetApiKeyRequest> selector = null);
+
+		/// <inheritdoc cref="GetApiKey(System.Func{Nest.GetApiKeyDescriptor,Nest.IGetApiKeyRequest})" />
+		IGetApiKeyResponse GetApiKey(IGetApiKeyRequest request);
+
+		/// <inheritdoc cref="GetApiKey(System.Func{Nest.GetApiKeyDescriptor,Nest.IGetApiKeyRequest})" />
+		Task<IGetApiKeyResponse> GetApiKeyAsync(
+			Func<GetApiKeyDescriptor, IGetApiKeyRequest> selector = null,
+			CancellationToken cancellationToken = default(CancellationToken)
+		);
+
+		/// <inheritdoc cref="GetApiKey(System.Func{Nest.GetApiKeyDescriptor,Nest.IGetApiKeyRequest})" />
+		Task<IGetApiKeyResponse> GetApiKeyAsync(IGetApiKeyRequest request,
+			CancellationToken cancellationToken = default(CancellationToken)
+		);
+	}
+
+	public partial class ElasticClient
+	{
+		/// <inheritdoc cref="GetApiKey(System.Func{Nest.GetApiKeyDescriptor,Nest.IGetApiKeyRequest})" />
+		public IGetApiKeyResponse GetApiKey(Func<GetApiKeyDescriptor, IGetApiKeyRequest> selector = null
+		) =>
+			GetApiKey(selector.InvokeOrDefault(new GetApiKeyDescriptor()));
+
+		/// <inheritdoc cref="GetApiKey(System.Func{Nest.GetApiKeyDescriptor,Nest.IGetApiKeyRequest})" />
+		public IGetApiKeyResponse GetApiKey(IGetApiKeyRequest request) =>
+			Dispatcher.Dispatch<IGetApiKeyRequest, GetApiKeyRequestParameters, GetApiKeyResponse>(
+				request,
+				(p, d) => LowLevelDispatch.XpackSecurityGetApiKeyDispatch<GetApiKeyResponse>(p)
+			);
+
+		/// <inheritdoc cref="GetApiKey(System.Func{Nest.GetApiKeyDescriptor,Nest.IGetApiKeyRequest})" />
+		public Task<IGetApiKeyResponse> GetApiKeyAsync(
+			Func<GetApiKeyDescriptor, IGetApiKeyRequest> selector = null,
+			CancellationToken cancellationToken = default(CancellationToken)
+		) =>
+			GetApiKeyAsync(selector.InvokeOrDefault(new GetApiKeyDescriptor()), cancellationToken);
+
+		/// <inheritdoc cref="GetApiKey(System.Func{Nest.GetApiKeyDescriptor,Nest.IGetApiKeyRequest})" />
+		public Task<IGetApiKeyResponse> GetApiKeyAsync(IGetApiKeyRequest request,
+			CancellationToken cancellationToken = default(CancellationToken)
+		) =>
+			Dispatcher
+				.DispatchAsync<IGetApiKeyRequest, GetApiKeyRequestParameters, GetApiKeyResponse, IGetApiKeyResponse>(
+					request,
+					cancellationToken,
+					(p, d, c) => LowLevelDispatch.XpackSecurityGetApiKeyDispatchAsync<GetApiKeyResponse>(p, c)
+				);
+	}
+}
diff --git a/src/Nest/XPack/Security/ApiKey/GetApiKey/GetApiKeyRequest.cs b/src/Nest/XPack/Security/ApiKey/GetApiKey/GetApiKeyRequest.cs
new file mode 100644
index 00000000000..7c3cea8b760
--- /dev/null
+++ b/src/Nest/XPack/Security/ApiKey/GetApiKey/GetApiKeyRequest.cs
@@ -0,0 +1,9 @@
+namespace Nest
+{
+	public partial interface IGetApiKeyRequest { }
+
+	public partial class GetApiKeyRequest { }
+
+	[DescriptorFor("XpackSecurityGetApiKey")]
+	public partial class GetApiKeyDescriptor { }
+}
diff --git a/src/Nest/XPack/Security/ApiKey/GetApiKey/GetApiKeyResponse.cs b/src/Nest/XPack/Security/ApiKey/GetApiKey/GetApiKeyResponse.cs
new file mode 100644
index 00000000000..e221a92efaa
--- /dev/null
+++ b/src/Nest/XPack/Security/ApiKey/GetApiKey/GetApiKeyResponse.cs
@@ -0,0 +1,68 @@
+using System;
+using System.Collections.Generic;
+using Newtonsoft.Json;
+
+namespace Nest
+{
+	public interface IGetApiKeyResponse : IResponse
+	{
+		/// <summary>
+		/// The list of API keys that were retrieved for this request.
+		/// </summary>
+		[JsonProperty("api_keys")]
+		IReadOnlyCollection<ApiKeys> ApiKeys { get; }
+	}
+
+	public class GetApiKeyResponse : ResponseBase, IGetApiKeyResponse
+	{
+		/// <inheritdoc />
+		public IReadOnlyCollection<ApiKeys> ApiKeys { get; internal set; } = EmptyReadOnly<ApiKeys>.Collection;
+	}
+
+	public class ApiKeys
+	{
+		/// <summary>
+		/// Id for the API key
+		/// </summary>
+		[JsonProperty("id")]
+		public string Id { get; set; }
+
+		/// <summary>
+		/// Name of the API key
+		/// </summary>
+		[JsonProperty("name")]
+		public string Name { get; set; }
+
+		/// <summary>
+		/// Creation time for the API key
+		/// </summary>
+		[JsonProperty("creation")]
+		[JsonConverter(typeof(EpochMillisecondsDateTimeJsonConverter))]
+		public DateTimeOffset Creation { get; set; }
+
+		/// <summary>
+		/// Optional expiration time for the API key in milliseconds
+		/// </summary>
+		[JsonProperty("expiration")]
+		[JsonConverter(typeof(EpochMillisecondsDateTimeJsonConverter))]
+		public DateTimeOffset? Expiration { get; set; }
+
+		/// <summary>
+		/// Invalidation status for the API key. If the key has been invalidated, it has a value of true. Otherwise, it is false.
+		/// </summary>
+		[JsonProperty("invalidated")]
+		public bool Invalidated { get; set; }
+
+		/// <summary>
+		/// Principal for which this API key was created
+		/// </summary>
+		[JsonProperty("username")]
+		public string Username { get; set; }
+
+		/// <summary>
+		/// Realm name of the principal for which this API key was created
+		/// </summary>
+		[JsonProperty("realm")]
+		public string Realm { get; set; }
+	}
+}
diff --git a/src/Nest/XPack/Security/ApiKey/InvalidateApiKey/ElasticClient-InvalidateApiKey.cs b/src/Nest/XPack/Security/ApiKey/InvalidateApiKey/ElasticClient-InvalidateApiKey.cs
new file mode 100644
index 00000000000..1104d7fc509
--- /dev/null
+++ b/src/Nest/XPack/Security/ApiKey/InvalidateApiKey/ElasticClient-InvalidateApiKey.cs
@@ -0,0 +1,62 @@
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+using Elasticsearch.Net;
+
+namespace Nest
+{
+	public partial interface IElasticClient
+	{
+		/// <summary>
+		/// Invalidates one or more API keys.
+		/// </summary>
+		IInvalidateApiKeyResponse InvalidateApiKey(Func<InvalidateApiKeyDescriptor, IInvalidateApiKeyRequest> selector = null);
+
+		/// <inheritdoc cref="InvalidateApiKey(System.Func{InvalidateApiKeyDescriptor,IInvalidateApiKeyRequest})" />
+		IInvalidateApiKeyResponse InvalidateApiKey(IInvalidateApiKeyRequest request);
+
+		/// <inheritdoc cref="InvalidateApiKey(System.Func{InvalidateApiKeyDescriptor,IInvalidateApiKeyRequest})" />
+		Task<IInvalidateApiKeyResponse> InvalidateApiKeyAsync(
+			Func<InvalidateApiKeyDescriptor, IInvalidateApiKeyRequest> selector = null,
+			CancellationToken cancellationToken = default(CancellationToken)
+		);
+
+		/// <inheritdoc cref="InvalidateApiKey(System.Func{InvalidateApiKeyDescriptor,IInvalidateApiKeyRequest})" />
+		Task<IInvalidateApiKeyResponse> InvalidateApiKeyAsync(IInvalidateApiKeyRequest request,
+			CancellationToken cancellationToken = default(CancellationToken)
+		);
+	}
+
+	public partial class ElasticClient
+	{
+		/// <inheritdoc cref="InvalidateApiKey(System.Func{InvalidateApiKeyDescriptor,IInvalidateApiKeyRequest})" />
+		public IInvalidateApiKeyResponse InvalidateApiKey(Func<InvalidateApiKeyDescriptor, IInvalidateApiKeyRequest> selector = null
+		) =>
+			InvalidateApiKey(selector.InvokeOrDefault(new InvalidateApiKeyDescriptor()));
+
+		/// <inheritdoc cref="InvalidateApiKey(System.Func{InvalidateApiKeyDescriptor,IInvalidateApiKeyRequest})" />
+		public IInvalidateApiKeyResponse InvalidateApiKey(IInvalidateApiKeyRequest request) =>
+			Dispatcher.Dispatch<IInvalidateApiKeyRequest, InvalidateApiKeyRequestParameters, InvalidateApiKeyResponse>(
+				request,
+				LowLevelDispatch.XpackSecurityInvalidateApiKeyDispatch<InvalidateApiKeyResponse>
+			);
+
+		/// <inheritdoc cref="InvalidateApiKey(System.Func{InvalidateApiKeyDescriptor,IInvalidateApiKeyRequest})" />
+		public Task<IInvalidateApiKeyResponse> InvalidateApiKeyAsync(
+			Func<InvalidateApiKeyDescriptor, IInvalidateApiKeyRequest> selector = null,
+			CancellationToken cancellationToken = default(CancellationToken)
+		) =>
+			InvalidateApiKeyAsync(selector.InvokeOrDefault(new InvalidateApiKeyDescriptor()), cancellationToken);
+
+		/// <inheritdoc cref="InvalidateApiKey(System.Func{InvalidateApiKeyDescriptor,IInvalidateApiKeyRequest})" />
+		public Task<IInvalidateApiKeyResponse> InvalidateApiKeyAsync(IInvalidateApiKeyRequest request,
+			CancellationToken cancellationToken = default(CancellationToken)
+		) =>
+			Dispatcher
+				.DispatchAsync<IInvalidateApiKeyRequest, InvalidateApiKeyRequestParameters, InvalidateApiKeyResponse, IInvalidateApiKeyResponse>(
+					request,
+					cancellationToken,
+					LowLevelDispatch.XpackSecurityInvalidateApiKeyDispatchAsync<InvalidateApiKeyResponse>
+				);
+	}
+}
diff --git a/src/Nest/XPack/Security/ApiKey/InvalidateApiKey/InvalidateApiKeyRequest.cs b/src/Nest/XPack/Security/ApiKey/InvalidateApiKey/InvalidateApiKeyRequest.cs
new file mode 100644
index 00000000000..f1b4ed1bb64
--- /dev/null
+++ b/src/Nest/XPack/Security/ApiKey/InvalidateApiKey/InvalidateApiKeyRequest.cs
@@ -0,0 +1,74 @@
+using Newtonsoft.Json;
+
+namespace Nest
+{
+	public partial interface IInvalidateApiKeyRequest
+	{
+		/// <summary>
+		/// An API key id. This parameter cannot be used with any of Name, RealmName or Username are used.
+		/// </summary>
+		[JsonProperty("id")]
+		string Id { get; set; }
+
+		/// <summary>
+		/// An API key name. This parameter cannot be used with any of Id, RealmName or Username are used.
+		/// </summary>
+		[JsonProperty("name")]
+		string Name { get; set; }
+
+		/// <summary>
+		/// The name of an authentication realm. This parameter cannot be used with either Id or Name.
+		/// </summary>
+		[JsonProperty("realm_name")]
+		string RealmName { get; set; }
+
+		/// <summary>
+		/// The username of a user. This parameter cannot be used with either Id or Name.
+		/// </summary>
+		[JsonProperty("username")]
+		string Username { get; set; }
+	}
+
+	public partial class InvalidateApiKeyRequest
+	{
+		/// <inheritdoc />
+		public string Id { get; set; }
+
+		/// <inheritdoc />
+		public string Name { get; set; }
+
+		/// <inheritdoc />
+		public string RealmName { get; set; }
+
+		/// <inheritdoc />
+		public string Username { get; set; }
+	}
+
+	[DescriptorFor("XpackSecurityInvalidateApiKey")]
+	public partial class InvalidateApiKeyDescriptor
+	{
+		/// <inheritdoc />
+		string IInvalidateApiKeyRequest.Id { get; set; }
+
+		/// <inheritdoc />
+		string IInvalidateApiKeyRequest.Name { get; set; }
+
+		/// <inheritdoc />
+		string IInvalidateApiKeyRequest.RealmName { get; set; }
+
+		/// <inheritdoc />
+		string IInvalidateApiKeyRequest.Username { get; set; }
+
+		/// <inheritdoc cref="IInvalidateApiKeyRequest.Id" />
+		public InvalidateApiKeyDescriptor Id(string id) => Assign(id, (a, v) => a.Id = v);
+
+		/// <inheritdoc cref="IInvalidateApiKeyRequest.Name" />
+		public InvalidateApiKeyDescriptor Name(string name) => Assign(name, (a, v) => a.Name = v);
+
+		/// <inheritdoc cref="IInvalidateApiKeyRequest.RealmName" />
+		public InvalidateApiKeyDescriptor RealmName(string realmName) => Assign(realmName, (a, v) => a.RealmName = v);
+
+		/// <inheritdoc cref="IInvalidateApiKeyRequest.Username" />
+		public InvalidateApiKeyDescriptor Username(string username) => Assign(username, (a, v) => a.Username = v);
+	}
+}
diff --git a/src/Nest/XPack/Security/ApiKey/InvalidateApiKey/InvalidateApiKeyResponse.cs b/src/Nest/XPack/Security/ApiKey/InvalidateApiKey/InvalidateApiKeyResponse.cs
new file mode 100644
index 00000000000..47427b282da
--- /dev/null
+++ b/src/Nest/XPack/Security/ApiKey/InvalidateApiKey/InvalidateApiKeyResponse.cs
@@ -0,0 +1,48 @@
+using System.Collections.Generic;
+using Elasticsearch.Net;
+using Newtonsoft.Json;
+
+namespace Nest
+{
+	public interface IInvalidateApiKeyResponse : IResponse
+	{
+		/// <summary>
+		/// The ids of the API keys that were invalidated as part of this request.
+		/// </summary>
+		[JsonProperty("invalidated_api_keys")]
+		IReadOnlyCollection<string> InvalidatedApiKeys { get; }
+
+		/// <summary>
+		/// The ids of the API keys that were already invalidated.
+		/// </summary>
+		[JsonProperty("previously_invalidated_api_keys")]
+		IReadOnlyCollection<string> PreviouslyInvalidatedApiKeys { get; }
+
+		/// <summary>
+		/// The number of errors that were encountered when invalidating the API keys.
+		/// </summary>
+		[JsonProperty("error_count")]
+		int? ErrorCount { get; }
+
+		/// <summary>
+		/// Details about these errors. This field is not present in the response when there are no errors.
+		/// </summary>
+		[JsonProperty("error_details")]
+		IReadOnlyCollection<ErrorCause> ErrorDetails { get; }
+	}
+
+	public class InvalidateApiKeyResponse : ResponseBase, IInvalidateApiKeyResponse
+	{
+		/// <inheritdoc />
+		public IReadOnlyCollection<string> InvalidatedApiKeys { get; internal set; } = EmptyReadOnly<string>.Collection;
+
+		/// <inheritdoc />
+		public IReadOnlyCollection<string> PreviouslyInvalidatedApiKeys { get; internal set; } = EmptyReadOnly<string>.Collection;
+
+		/// <inheritdoc />
+		public int? ErrorCount { get; internal set; }
+
+		/// <inheritdoc />
+		public IReadOnlyCollection<ErrorCause> ErrorDetails { get; internal set; } = EmptyReadOnly<ErrorCause>.Collection;
+	}
+}
diff --git a/src/Nest/_Generated/_Descriptors.generated.cs b/src/Nest/_Generated/_Descriptors.generated.cs
index 6f2307e0e6a..d42f19f87b4 100644
--- a/src/Nest/_Generated/_Descriptors.generated.cs
+++ b/src/Nest/_Generated/_Descriptors.generated.cs
@@ -4962,6 +4962,40 @@ public StopRollupJobDescriptor(Id id) : base(r=>r.Required("id", id)){}
 		///<summary>Block for (at maximum) the specified duration while waiting for the job to stop.  Defaults to 30s.</summary>
 		public StopRollupJobDescriptor Timeout(Time timeout) => Qs("timeout", timeout);
 	}
+	///<summary>descriptor for XpackSecurityCreateApiKey <pre>https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-create-api-key.html</pre></summary>
+	public partial class CreateApiKeyDescriptor  : RequestDescriptorBase<CreateApiKeyDescriptor,CreateApiKeyRequestParameters, ICreateApiKeyRequest>, ICreateApiKeyRequest
+	{ 
+		// values part of the url path
+
+		// Request parameters
+
+		///<summary>If `true` (the default) then refresh the affected shards to make this operation visible to search, if `wait_for` then wait for a refresh to make this operation visible to search, if `false` then do nothing with refreshes.</summary>
+		public CreateApiKeyDescriptor Refresh(Refresh? refresh) => Qs("refresh", refresh);
+	}
+	///<summary>descriptor for XpackSecurityGetApiKey <pre>https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-get-api-key.html</pre></summary>
+	public partial class GetApiKeyDescriptor  : RequestDescriptorBase<GetApiKeyDescriptor,GetApiKeyRequestParameters, IGetApiKeyRequest>, IGetApiKeyRequest
+	{ 
+		// values part of the url path
+
+		// Request parameters
+
+		///<summary>API key id of the API key to be retrieved</summary>
+		public GetApiKeyDescriptor Id(string id) => Qs("id", id);
+		///<summary>API key name of the API key to be retrieved</summary>
+		public GetApiKeyDescriptor Name(string name) => Qs("name", name);
+		///<summary>user name of the user who created this API key to be retrieved</summary>
+		public GetApiKeyDescriptor Username(string username) => Qs("username", username);
+		///<summary>realm name of the user who created this API key to be retrieved</summary>
+		public GetApiKeyDescriptor RealmName(string realmName) => Qs("realm_name", realmName);
+	}
+	///<summary>descriptor for XpackSecurityInvalidateApiKey <pre>https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-invalidate-api-key.html</pre></summary>
+	public partial class InvalidateApiKeyDescriptor  : RequestDescriptorBase<InvalidateApiKeyDescriptor,InvalidateApiKeyRequestParameters, IInvalidateApiKeyRequest>, IInvalidateApiKeyRequest
+	{ 
+		// values part of the url path
+
+		// Request parameters
+
+	}
 	///<summary>descriptor for XpackSecurityAuthenticate <pre>https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-authenticate.html</pre></summary>
 	public partial class AuthenticateDescriptor  : RequestDescriptorBase<AuthenticateDescriptor,AuthenticateRequestParameters, IAuthenticateRequest>, IAuthenticateRequest
 	{ 
diff --git a/src/Nest/_Generated/_LowLevelDispatch.generated.cs b/src/Nest/_Generated/_LowLevelDispatch.generated.cs
index 47a3d4a3c90..10c4c9712bd 100644
--- a/src/Nest/_Generated/_LowLevelDispatch.generated.cs
+++ b/src/Nest/_Generated/_LowLevelDispatch.generated.cs
@@ -4642,6 +4642,70 @@ internal partial class LowLevelDispatch
 			throw InvalidDispatch("XpackRollupStopJob", p, new [] { POST }, "/_xpack/rollup/job/{id}/_stop");
 		}
 		
+		internal TResponse XpackSecurityCreateApiKeyDispatch<TResponse>(IRequest<CreateApiKeyRequestParameters> p,SerializableData<ICreateApiKeyRequest> body) where TResponse : class, IElasticsearchResponse, new()
+		{
+			switch(p.HttpMethod)
+			{
+				case PUT:
+						return _lowLevel.XpackSecurityCreateApiKey<TResponse>(body,p.RequestParameters);
+				case POST:
+						return _lowLevel.XpackSecurityCreateApiKeyPost<TResponse>(body,p.RequestParameters);
+			}
+			throw InvalidDispatch("XpackSecurityCreateApiKey", p, new [] { PUT, POST }, "/_security/api_key");
+		}
+		
+		internal Task<TResponse> XpackSecurityCreateApiKeyDispatchAsync<TResponse>(IRequest<CreateApiKeyRequestParameters> p,SerializableData<ICreateApiKeyRequest> body, CancellationToken ct) where TResponse : class, IElasticsearchResponse, new()
+		{
+			switch(p.HttpMethod)
+			{
+				case PUT:
+						return _lowLevel.XpackSecurityCreateApiKeyAsync<TResponse>(body,p.RequestParameters,ct);
+				case POST:
+						return _lowLevel.XpackSecurityCreateApiKeyPostAsync<TResponse>(body,p.RequestParameters,ct);
+			}
+			throw InvalidDispatch("XpackSecurityCreateApiKey", p, new [] { PUT, POST }, "/_security/api_key");
+		}
+		
+		internal TResponse XpackSecurityGetApiKeyDispatch<TResponse>(IRequest<GetApiKeyRequestParameters> p) where TResponse : class, IElasticsearchResponse, new()
+		{
+			switch(p.HttpMethod)
+			{
+				case GET:
+						return _lowLevel.XpackSecurityGetApiKey<TResponse>(p.RequestParameters);
+			}
+			throw InvalidDispatch("XpackSecurityGetApiKey", p, new [] { GET }, "/_security/api_key");
+		}
+		
+		internal Task<TResponse> XpackSecurityGetApiKeyDispatchAsync<TResponse>(IRequest<GetApiKeyRequestParameters> p, CancellationToken ct) where TResponse : class, IElasticsearchResponse, new()
+		{
+			switch(p.HttpMethod)
+			{
+				case GET:
+						return _lowLevel.XpackSecurityGetApiKeyAsync<TResponse>(p.RequestParameters,ct);
+			}
+			throw InvalidDispatch("XpackSecurityGetApiKey", p, new [] { GET }, "/_security/api_key");
+		}
+		
+		internal TResponse XpackSecurityInvalidateApiKeyDispatch<TResponse>(IRequest<InvalidateApiKeyRequestParameters> p,SerializableData<IInvalidateApiKeyRequest> body) where TResponse : class, IElasticsearchResponse, new()
+		{
+			switch(p.HttpMethod)
+			{
+				case DELETE:
+						return _lowLevel.XpackSecurityInvalidateApiKey<TResponse>(body,p.RequestParameters);
+			}
+			throw InvalidDispatch("XpackSecurityInvalidateApiKey", p, new [] { DELETE }, "/_security/api_key");
+		}
+		
+		internal Task<TResponse> XpackSecurityInvalidateApiKeyDispatchAsync<TResponse>(IRequest<InvalidateApiKeyRequestParameters> p,SerializableData<IInvalidateApiKeyRequest> body, CancellationToken ct) where TResponse : class, IElasticsearchResponse, new()
+		{
+			switch(p.HttpMethod)
+			{
+				case DELETE:
+						return _lowLevel.XpackSecurityInvalidateApiKeyAsync<TResponse>(body,p.RequestParameters,ct);
+			}
+			throw InvalidDispatch("XpackSecurityInvalidateApiKey", p, new [] { DELETE }, "/_security/api_key");
+		}
+		
 		internal TResponse XpackSecurityAuthenticateDispatch<TResponse>(IRequest<AuthenticateRequestParameters> p) where TResponse : class, IElasticsearchResponse, new()
 		{
 			switch(p.HttpMethod)
diff --git a/src/Nest/_Generated/_Requests.generated.cs b/src/Nest/_Generated/_Requests.generated.cs
index ae618a6f728..6483e1bb956 100644
--- a/src/Nest/_Generated/_Requests.generated.cs
+++ b/src/Nest/_Generated/_Requests.generated.cs
@@ -1371,6 +1371,23 @@ public CountRequest(Indices index, Types type) : base(r=>r.Optional("index", ind
 		public long? TerminateAfter { get => Q<long?>("terminate_after"); set => Q("terminate_after", value); }
 	}
 	[JsonObject(MemberSerialization = MemberSerialization.OptIn)]
+	public partial interface ICreateApiKeyRequest : IRequest<CreateApiKeyRequestParameters>
+	{
+	}
+	///<summary>Request parameters for XpackSecurityCreateApiKey <pre>https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-create-api-key.html</pre></summary>
+	public partial class CreateApiKeyRequest : PlainRequestBase<CreateApiKeyRequestParameters>, ICreateApiKeyRequest
+	{
+		protected ICreateApiKeyRequest Self => this;
+		// values part of the url path
+
+		// Request parameters
+		///<summary>
+		/// If `true` (the default) then refresh the affected shards to make this operation visible to search, if `wait_for` then wait for a refresh
+		/// to make this operation visible to search, if `false` then do nothing with refreshes.
+		///</summary>
+		public Refresh? Refresh { get => Q<Refresh?>("refresh"); set => Q("refresh", value); }
+	}
+	[JsonObject(MemberSerialization = MemberSerialization.OptIn)]
 	public partial interface ICreateAutoFollowPatternRequest : IRequest<CreateAutoFollowPatternRequestParameters>
 	{
 		Name Name { get; }
@@ -2838,6 +2855,26 @@ public GetAnomalyRecordsRequest(Id job_id) : base(r=>r.Required("job_id", job_id
 		// Request parameters
 	}
 	[JsonObject(MemberSerialization = MemberSerialization.OptIn)]
+	public partial interface IGetApiKeyRequest : IRequest<GetApiKeyRequestParameters>
+	{
+	}
+	///<summary>Request parameters for XpackSecurityGetApiKey <pre>https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-get-api-key.html</pre></summary>
+	public partial class GetApiKeyRequest : PlainRequestBase<GetApiKeyRequestParameters>, IGetApiKeyRequest
+	{
+		protected IGetApiKeyRequest Self => this;
+		// values part of the url path
+
+		// Request parameters
+		///<summary>API key id of the API key to be retrieved</summary>
+		public string Id { get => Q<string>("id"); set => Q("id", value); }
+		///<summary>API key name of the API key to be retrieved</summary>
+		public string Name { get => Q<string>("name"); set => Q("name", value); }
+		///<summary>user name of the user who created this API key to be retrieved</summary>
+		public string Username { get => Q<string>("username"); set => Q("username", value); }
+		///<summary>realm name of the user who created this API key to be retrieved</summary>
+		public string RealmName { get => Q<string>("realm_name"); set => Q("realm_name", value); }
+	}
+	[JsonObject(MemberSerialization = MemberSerialization.OptIn)]
 	public partial interface IGetAutoFollowPatternRequest : IRequest<GetAutoFollowPatternRequestParameters>
 	{
 		Name Name { get; }
@@ -4028,6 +4065,18 @@ public IndicesStatsRequest(Indices index, IndicesStatsMetric metric) : base(r=>r
 		public bool? IncludeSegmentFileSizes { get => Q<bool?>("include_segment_file_sizes"); set => Q("include_segment_file_sizes", value); }
 	}
 	[JsonObject(MemberSerialization = MemberSerialization.OptIn)]
+	public partial interface IInvalidateApiKeyRequest : IRequest<InvalidateApiKeyRequestParameters>
+	{
+	}
+	///<summary>Request parameters for XpackSecurityInvalidateApiKey <pre>https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-invalidate-api-key.html</pre></summary>
+	public partial class InvalidateApiKeyRequest : PlainRequestBase<InvalidateApiKeyRequestParameters>, IInvalidateApiKeyRequest
+	{
+		protected IInvalidateApiKeyRequest Self => this;
+		// values part of the url path
+
+		// Request parameters
+	}
+	[JsonObject(MemberSerialization = MemberSerialization.OptIn)]
 	public partial interface IInvalidateUserAccessTokenRequest : IRequest<InvalidateUserAccessTokenRequestParameters>
 	{
 	}
diff --git a/src/Tests/Tests/XPack/Security/ApiKey/SecurityApiKeyTests.cs b/src/Tests/Tests/XPack/Security/ApiKey/SecurityApiKeyTests.cs
new file mode 100644
index 00000000000..f98aefc8fb4
--- /dev/null
+++ b/src/Tests/Tests/XPack/Security/ApiKey/SecurityApiKeyTests.cs
@@ -0,0 +1,299 @@
+using System;
+using System.Threading.Tasks;
+using Elastic.Xunit.XunitPlumbing;
+using Elasticsearch.Net;
+using FluentAssertions;
+using Nest;
+using Tests.Core.ManagedElasticsearch.Clusters;
+using Tests.Framework;
+using Tests.Framework.EndpointTests.TestState;
+using Tests.Framework.Integration;
+
+namespace Tests.XPack.ApiKey
+{
+	[SkipVersion("<6.7.0", "Security Api Keys are modelled against 6.7.0")]
+	public class SecurityApiKeyTests : CoordinatedIntegrationTestBase<XPackCluster>
+	{
+		private const string PutRoleStep = nameof(PutRoleStep);
+		private const string PutUserStep = nameof(PutUserStep);
+		private const string PutPrivilegesStep = nameof(PutPrivilegesStep);
+		private const string CreateApiKeyWithRolesStep = nameof(CreateApiKeyWithRolesStep);
+		private const string CreateApiKeyWithNoRolesStep = nameof(CreateApiKeyWithNoRolesStep);
+		private const string GetApiKeyStep = nameof(GetApiKeyStep);
+		private const string InvalidateApiKeyStep = nameof(InvalidateApiKeyStep);
+
+		public SecurityApiKeyTests(XPackCluster cluster, EndpointUsage usage) : base(new CoordinatedUsage(cluster, usage)
+		{
+			{
+				PutRoleStep, u =>
+					u.Calls<PutRoleDescriptor, PutRoleRequest, IPutRoleRequest, IPutRoleResponse>(
+						v => new PutRoleRequest($"role-{v}")
+						{
+							Cluster = new[] { "all" },
+							Indices = new IIndicesPrivileges[]
+							{
+								new IndicesPrivileges
+								{
+									Names = "*",
+									Privileges = new [] { "all" }
+								}
+							},
+							Applications = new IApplicationPrivileges[]
+							{
+								new ApplicationPrivileges
+								{
+									Application = $"app-{v}",
+									Privileges = new [] { "*" },
+									Resources = new [] { "*" }
+								}
+							}
+						},
+						(v, d) => d
+							.Cluster("all")
+							.Indices(i => i.Add<object>(p => p.Names("*").Privileges("all")))
+							.Applications(i => i.Add<object>(p => p.Application($"app-{v}").Privileges("*").Resources("*")))
+						,
+						(v, c, f) => c.PutRole($"role-{v}", f),
+						(v, c, f) => c.PutRoleAsync($"role-{v}", f),
+						(v, c, r) => c.PutRole(r),
+						(v, c, r) => c.PutRoleAsync(r)
+					)
+			},
+			{
+				PutUserStep, u =>
+					u.Calls<PutUserDescriptor, PutUserRequest, IPutUserRequest, IPutUserResponse>(
+						v => new PutUserRequest($"user-{v}")
+						{
+							Password = "password",
+							Roles = new[] { $"role-{v}", "superuser" },
+							FullName = "API key user"
+						},
+						(v, d) => d
+							.Password("password")
+							.Roles($"role-{v}", "superuser")
+							.FullName("API key user")
+						,
+						(v, c, f) => c.PutUser($"user-{v}", f),
+						(v, c, f) => c.PutUserAsync($"user-{v}", f),
+						(v, c, r) => c.PutUser(r),
+						(v, c, r) => c.PutUserAsync(r)
+					)
+			},
+			{
+				PutPrivilegesStep, u =>
+					u.Calls<PutPrivilegesDescriptor, PutPrivilegesRequest, IPutPrivilegesRequest, IPutPrivilegesResponse>(
+						v => new PutPrivilegesRequest
+						{
+							Applications = new AppPrivileges
+							{
+								{
+									$"app-{v}", new Privileges
+									{
+										{
+											$"read", new PrivilegesActions
+											{
+												Actions = new[] { "data:read/*" }
+											}
+										},
+										{
+											$"write", new PrivilegesActions
+											{
+												Actions = new[] { "data:write/*" }
+											}
+										}
+									}
+								}
+							}
+						},
+						(v, d) => d
+							.Applications(a => a
+								.Application($"app-{v}", pr => pr
+									.Privilege($"read", ac => ac
+										.Actions("data:read/*")
+									)
+									.Privilege($"write", ac => ac
+										.Actions("data:write/*")
+									)
+								)
+							)
+						,
+						(v, c, f) => c.PutPrivileges(f),
+						(v, c, f) => c.PutPrivilegesAsync(f),
+						(v, c, r) => c.PutPrivileges(r),
+						(v, c, r) => c.PutPrivilegesAsync(r)
+					)
+			},
+			{
+				CreateApiKeyWithRolesStep, u =>
+					u.Calls<CreateApiKeyDescriptor, CreateApiKeyRequest, ICreateApiKeyRequest, ICreateApiKeyResponse>(
+						v => new CreateApiKeyRequest
+						{
+							Name = v,
+							Expiration = "1d",
+							Roles = new ApiKeyRoles
+							{
+								{
+									"role-a", new ApiKeyRole
+												{
+													Cluster = new[] { "all" },
+													Index = new []
+													{
+														new ApiKeyPrivileges
+														{
+															Names = new [] { "index-a*" },
+															Privileges = new[] { "read" }
+														}
+													}
+												}
+								},
+								{
+									"role-b", new ApiKeyRole
+												{
+													Cluster = new[] { "all" },
+													Index = new []
+													{
+														new ApiKeyPrivileges
+														{
+															Names = new [] { "index-b*" },
+															Privileges = new[] { "read" }
+														}
+													}
+												}
+								}
+							},
+							RequestConfiguration = new RequestConfiguration
+							{
+								BasicAuthenticationCredentials = new BasicAuthenticationCredentials
+								{
+									Username = $"user-{v}",
+									Password = "password"
+								}
+							}
+						},
+						(v, d) => d
+							.Name(v)
+							.Expiration("1d")
+							.Roles(r => r.Role("role-a", o => o.Cluster("all").Indices(i => i.Index(k => k.Names("index-a").Privileges("read"))))
+								         .Role("role-b", o => o.Cluster("all").Indices(i => i.Index(k => k.Names("index-b").Privileges("read")))))
+							.RequestConfiguration(r => r.BasicAuthentication($"user-{v}", "password"))
+						,
+						(v, c, f) => c.CreateApiKey(f),
+						(v, c, f) => c.CreateApiKeyAsync(f),
+						(v, c, r) => c.CreateApiKey(r),
+						(v, c, r) => c.CreateApiKeyAsync(r)
+					)
+			},
+			{
+				CreateApiKeyWithNoRolesStep, u =>
+					u.Calls<CreateApiKeyDescriptor, CreateApiKeyRequest, ICreateApiKeyRequest, ICreateApiKeyResponse>(
+						v => new CreateApiKeyRequest
+						{
+							Name = v,
+							Expiration = "1d",
+							RequestConfiguration = new RequestConfiguration
+							{
+								BasicAuthenticationCredentials = new BasicAuthenticationCredentials
+								{
+									Username = $"user-{v}",
+									Password = "password"
+								}
+							}
+						},
+						(v, d) => d
+							.Name(v)
+							.Expiration("1d")
+							.RequestConfiguration(r => r.BasicAuthentication($"user-{v}", "password"))
+						,
+						(v, c, f) => c.CreateApiKey(f),
+						(v, c, f) => c.CreateApiKeyAsync(f),
+						(v, c, r) => c.CreateApiKey(r),
+						(v, c, r) => c.CreateApiKeyAsync(r)
+					)
+			},
+			{
+				GetApiKeyStep, u =>
+					u.Calls<GetApiKeyDescriptor, GetApiKeyRequest, IGetApiKeyRequest, IGetApiKeyResponse>(
+						v => new GetApiKeyRequest
+						{
+							Name = v,
+							RequestConfiguration = new RequestConfiguration
+							{
+								BasicAuthenticationCredentials = new BasicAuthenticationCredentials
+								{
+									Username = $"user-{v}",
+									Password = "password"
+								}
+							}
+						},
+						(v, d) => d
+							.Name(v)
+							.RequestConfiguration(r => r.BasicAuthentication($"user-{v}", "password"))
+						,
+						(v, c, f) => c.GetApiKey(f),
+						(v, c, f) => c.GetApiKeyAsync(f),
+						(v, c, r) => c.GetApiKey(r),
+						(v, c, r) => c.GetApiKeyAsync(r)
+					)
+			},
+			{
+				InvalidateApiKeyStep, u =>
+					u.Calls<InvalidateApiKeyDescriptor, InvalidateApiKeyRequest, IInvalidateApiKeyRequest, IInvalidateApiKeyResponse>(
+						v => new InvalidateApiKeyRequest
+						{
+							Name = v,
+							RequestConfiguration = new RequestConfiguration
+							{
+								BasicAuthenticationCredentials = new BasicAuthenticationCredentials
+								{
+									Username = $"user-{v}",
+									Password = "password"
+								}
+							}
+						},
+						(v, d) => d
+							.Name(v)
+							.RequestConfiguration(r => r.BasicAuthentication($"user-{v}", "password"))
+						,
+						(v, c, f) => c.InvalidateApiKey(f),
+						(v, c, f) => c.InvalidateApiKeyAsync(f),
+						(v, c, r) => c.InvalidateApiKey(r),
+						(v, c, r) => c.InvalidateApiKeyAsync(r)
+					)
+			}
+		}) { }
+
+		[I] public async Task SecurityCreateApiKeyResponse() => await Assert<CreateApiKeyResponse>(CreateApiKeyWithRolesStep, r =>
+		{
+			r.IsValid.Should().BeTrue();
+			r.Id.Should().NotBeNullOrEmpty();
+			r.Name.Should().NotBeNullOrEmpty();
+			r.Expiration.Should().NotBeNull();
+			r.ApiKey.Should().NotBeNullOrEmpty();
+		});
+
+		[I] public async Task SecurityGetApiKeyResponse() => await Assert<GetApiKeyResponse>(GetApiKeyStep, r =>
+		{
+			r.IsValid.Should().BeTrue();
+			r.ApiKeys.Should().NotBeNullOrEmpty();
+
+			foreach (var apiKey in r.ApiKeys)
+			{
+				apiKey.Id.Should().NotBeNullOrEmpty();
+				apiKey.Name.Should().NotBeNullOrEmpty();
+				apiKey.Creation.Should().BeBefore(DateTimeOffset.UtcNow);
+				apiKey.Expiration.Should().BeAfter(DateTimeOffset.UtcNow);
+				apiKey.Invalidated.Should().Be(false);
+				apiKey.Username.Should().NotBeNullOrEmpty();
+				apiKey.Realm.Should().NotBeNullOrEmpty();
+			}
+		});
+
+		[I] public async Task SecurityInvalidateApiKeyResponse() => await Assert<InvalidateApiKeyResponse>(InvalidateApiKeyStep, r =>
+		{
+			r.IsValid.Should().BeTrue();
+			r.ErrorCount.Should().Be(0);
+			r.PreviouslyInvalidatedApiKeys.Should().BeEmpty();
+			r.InvalidatedApiKeys.Should().HaveCount(2);
+		});
+	}
+}
diff --git a/src/Tests/Tests/XPack/Security/ApiKey/SecurityApiKeyUrlTests.cs b/src/Tests/Tests/XPack/Security/ApiKey/SecurityApiKeyUrlTests.cs
new file mode 100644
index 00000000000..12400724c51
--- /dev/null
+++ b/src/Tests/Tests/XPack/Security/ApiKey/SecurityApiKeyUrlTests.cs
@@ -0,0 +1,34 @@
+using System.Threading.Tasks;
+using Elastic.Xunit.XunitPlumbing;
+using Nest;
+using Tests.Framework;
+
+namespace Tests.XPack.Security.ApiKey
+{
+	public class SecurityApiKeyUrlTests : UrlTestsBase
+	{
+		[U] public override async Task Urls() => await UrlTester.DELETE("/_security/api_key")
+			.Fluent(c => c.InvalidateApiKey())
+			.Request(c => c.InvalidateApiKey(new InvalidateApiKeyRequest()))
+			.FluentAsync(c => c.InvalidateApiKeyAsync())
+			.RequestAsync(c => c.InvalidateApiKeyAsync(new InvalidateApiKeyRequest()));
+	}
+
+	public class SecurityGetApiKeyUrlTests : UrlTestsBase
+	{
+		[U] public override async Task Urls() => await UrlTester.GET("/_security/api_key")
+			.Fluent(c => c.GetApiKey())
+			.Request(c => c.GetApiKey(new GetApiKeyRequest()))
+			.FluentAsync(c => c.GetApiKeyAsync())
+			.RequestAsync(c => c.GetApiKeyAsync(new GetApiKeyRequest()));
+	}
+
+	public class SecurityCreateApiKeyUrlTests : UrlTestsBase
+	{
+		[U] public override async Task Urls() => await UrlTester.PUT("/_security/api_key")
+			.Fluent(c => c.CreateApiKey())
+			.Request(c => c.CreateApiKey(new CreateApiKeyRequest()))
+			.FluentAsync(c => c.CreateApiKeyAsync())
+			.RequestAsync(c => c.CreateApiKeyAsync(new CreateApiKeyRequest()));
+	}
+}