diff --git a/x-pack/legacy/plugins/security/server/routes/api/external/api_keys/get.js b/x-pack/legacy/plugins/security/server/routes/api/external/api_keys/get.js
index a4692a3253f9c..9f01b6862707e 100644
--- a/x-pack/legacy/plugins/security/server/routes/api/external/api_keys/get.js
+++ b/x-pack/legacy/plugins/security/server/routes/api/external/api_keys/get.js
@@ -4,6 +4,7 @@
 * you may not use this file except in compliance with the Elastic License.
 */
+import Joi from 'joi';
 import { wrapError } from '../../../../../../../../plugins/security/server';
 export function initGetApiKeysApi(server, callWithRequest, routePreCheckLicenseFn) {
@@ -13,14 +14,12 @@ export function initGetApiKeysApi(server, callWithRequest, routePreCheckLicenseF
 async handler(request) {
 try {
 const { isAdmin } = request.query;
- const path = `/_security/api_key${isAdmin === 'true' ? '' : '?owner=true'}`;
 const result = await callWithRequest(
 request,
- 'transport.request',
+ 'shield.getAPIKeys',
 {
- method: 'GET',
- path,
+ owner: !isAdmin
 }
 );
@@ -34,7 +33,12 @@ export function initGetApiKeysApi(server, callWithRequest, routePreCheckLicenseF
 }
 },
 config: {
- pre: [routePreCheckLicenseFn]
+ pre: [routePreCheckLicenseFn],
+ validate: {
+ query: Joi.object().keys({
+ isAdmin: Joi.bool(),
+ }),
+ },
 }
 });
 }
diff --git a/x-pack/legacy/plugins/security/server/routes/api/external/api_keys/privileges.js b/x-pack/legacy/plugins/security/server/routes/api/external/api_keys/privileges.js
index d4933c36b59f6..b4ffe863d476a 100644
--- a/x-pack/legacy/plugins/security/server/routes/api/external/api_keys/privileges.js
+++ b/x-pack/legacy/plugins/security/server/routes/api/external/api_keys/privileges.js
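Review bot: `owner: !isAdmin` in the get.js handler is only correct while the `Joi.bool()` query validation added in the last hunk of that file turns the parameter into a real boolean; if the handler ever sees the raw string, `'false'` is truthy and the request goes out with `owner=false`, the widest listing. Comparing against the boolean keeps the narrow scope as the fallback: `owner: isAdmin !== true`. Since isAdmin is supplied by the client, it is a scope hint and not an access decision; authorization presumably rests on Elasticsearch evaluating the caller's own credentials through callWithRequest, and a comment such as `// isAdmin only selects the listing scope; Elasticsearch decides whether the caller may read keys it does not own` would keep it from being read as a check. The handler begins and ends outside this hunk.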
@@ -15,10 +15,8 @@ export function initCheckPrivilegesApi(server, callWithRequest, routePreCheckLic
 const result = await Promise.all([
 callWithRequest(
 request,
- 'transport.request',
+ 'shield.hasPrivileges',
 {
- method: 'POST',
- path: '/_security/user/_has_privileges',
 body: {
 cluster: [
 'manage_security',
@@ -31,10 +29,9 @@ export function initCheckPrivilegesApi(server, callWithRequest, routePreCheckLic
 try {
 const result = await callWithRequest(
 request,
- 'transport.request',
+ 'shield.getAPIKeys',
 {
- method: 'GET',
- path: '/_security/api_key?owner=true',
+ owner: true
 }
 );
 // If the API returns a truthy result that means it's enabled.
diff --git a/x-pack/legacy/server/lib/esjs_shield_plugin.js b/x-pack/legacy/server/lib/esjs_shield_plugin.js
index 880e055c23985..b6252035aa321 100644
--- a/x-pack/legacy/server/lib/esjs_shield_plugin.js
+++ b/x-pack/legacy/server/lib/esjs_shield_plugin.js
@@ -502,6 +502,25 @@
 ]
 });
+ /**
+ * Gets API keys in Elasticsearch
+ * @param {boolean} owner A boolean flag that can be used to query API keys owned by the currently authenticated user.
+ * Defaults to false. The realm_name or username parameters cannot be specified when this parameter is set to true as
+ * they are assumed to be the currently authenticated ones.
+ */
+ shield.getAPIKeys = ca({
+ method: 'GET',
+ urls: [{
+ fmt: `/_security/api_key?owner=<%=owner%>`,
+ req: {
+ owner: {
+ type: 'boolean',
+ required: true
+ }
+ }
+ }]
+ });
+
 /**
 * Creates an API key in Elasticsearch for the current user.
 *
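Review bot: The doc comment on `shield.getAPIKeys` in esjs_shield_plugin.js says owner "Defaults to false", but the action declares it with `required: true`, so on this client path there is no default and the two statements contradict each other. The realm_name/username sentence also describes parameters this action does not expose. Suggested wording: `@param {boolean} owner Required. true returns only the keys owned by the authenticated user; false requests every key the caller is privileged to read.` That makes the broader scope of `owner: false` explicit for future callers. The value is interpolated straight into the query string in `fmt`, which stays safe only while it remains typed `boolean`; a short why-comment next to `type: 'boolean'` would record that.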