diff --git a/docs/changelog/88456.yaml b/docs/changelog/88456.yaml
new file mode 100644
index 0000000000000..bb3a5d1182365
--- /dev/null
+++ b/docs/changelog/88456.yaml
@@ -0,0 +1,5 @@
+pr: 88456
+summary: Audit API key ID when create or grant API keys
+area: Audit
+type: enhancement
+issues: []
diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc
index 7cc041ff4ccf8..d3e7047eb1113 100644
--- a/x-pack/docs/en/security/auditing/event-types.asciidoc
+++ b/x-pack/docs/en/security/auditing/event-types.asciidoc
@@ -733,7 +733,7 @@ the <<mapping-roles, API request for mapping roles>>.
+
[source,js]
----
-`{"name": <string>, "expiration": <string>, "role_descriptors" [<object>]}`
+`{"id": <string>, "name": <string>, "expiration": <string>, "role_descriptors" [<object>]}`
----
// NOTCONSOLE
+
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java
index 33f48b65fe9d1..0780be38f4bc2 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java
@@ -1218,6 +1218,7 @@ LogEntryBuilder withRequestBody(GrantApiKeyRequest grantApiKeyRequest) throws IO
private void withRequestBody(XContentBuilder builder, CreateApiKeyRequest createApiKeyRequest) throws IOException {
TimeValue expiration = createApiKeyRequest.getExpiration();
builder.startObject("apikey")
+ .field("id", createApiKeyRequest.getId())
.field("name", createApiKeyRequest.getName())
.field("expiration", expiration != null ? expiration.toString() : null)
.startArray("role_descriptors");
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java
index 4ea4ce42a19eb..0128eaf516589 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java
@@ -587,8 +587,13 @@ public void testSecurityConfigChangeEventFormattingForRoles() throws IOException
createApiKeyRequest.setRefreshPolicy(randomFrom(WriteRequest.RefreshPolicy.values()));
auditTrail.accessGranted(requestId, authentication, CreateApiKeyAction.NAME, createApiKeyRequest, authorizationInfo);
String expectedCreateKeyAuditEventString = """
- "create":{"apikey":{"name":"%s","expiration":%s,%s}}\
- """.formatted(keyName, expiration != null ? "\"" + expiration + "\"" : "null", roleDescriptorsStringBuilder);
+ "create":{"apikey":{"id":"%s","name":"%s","expiration":%s,%s}}\
+ """.formatted(
+ createApiKeyRequest.getId(),
+ keyName,
+ expiration != null ? "\"" + expiration + "\"" : "null",
+ roleDescriptorsStringBuilder
+ );
List<String> output = CapturingLogger.output(logger.getName(), Level.INFO);
assertThat(output.size(), is(2));
String generatedCreateKeyAuditEventString = output.get(1);
@@ -617,7 +622,9 @@ public void testSecurityConfigChangeEventFormattingForRoles() throws IOException
output = CapturingLogger.output(logger.getName(), Level.INFO);
assertThat(output.size(), is(2));
String generatedGrantKeyAuditEventString = output.get(1);
- StringBuilder grantKeyAuditEventStringBuilder = new StringBuilder().append("\"create\":{\"apikey\":{\"name\":\"")
+ StringBuilder grantKeyAuditEventStringBuilder = new StringBuilder().append("\"create\":{\"apikey\":{\"id\":\"")
+ .append(grantApiKeyRequest.getApiKeyRequest().getId())
+ .append("\",\"name\":\"")
.append(keyName)
.append("\",\"expiration\":")
.append(expiration != null ? "\"" + expiration + "\"" : "null")