elastic · ersin-erdal · Feb 21, 2026 · Feb 23, 2026 · Feb 23, 2026 · Feb 23, 2026
@@ -1364,7 +1364,8 @@
     "status",
     "taskType",
     "userScope",
-    "userScope.apiKeyId"
+    "userScope.apiKeyId",
+    "userScope.uiamApiKeyId"
   ],
   "telemetry": [],
   "threshold-explorer-view": [],

@@ -4545,6 +4545,9 @@
         "properties": {
           "apiKeyId": {
             "type": "keyword"
+          },
+          "uiamApiKeyId": {
+            "type": "keyword"
           }
         }
       }

@@ -0,0 +1,59 @@
+{
+  "10.8.0": [
+    {
+      "taskType": "string",
+      "scheduledAt": "string",
+      "startedAt": "string?|null",
+      "retryAt": "string?|null",
+      "runAt": "string",
+      "params": "string",
+      "state": "string",
+      "stateVersion": "number?",
+      "traceparent": "string",
+      "user": "string?",
+      "scope": "array?",
+      "ownerId": "string?|null",
+      "enabled": "boolean?",
+      "timeoutOverride": "string?",
+      "attempts": "number",
+      "status": "idle|claiming|running|failed|unrecognized|dead_letter",
+      "version": "string?",
+      "partition": "number?",
+      "priority": "number?",
+      "interval": "string",
+      "apiKey": "string?",
+      "userScope": "object?",
+      "schedule": "object?",
+      "cost": "tiny?|normal?|extralarge?"
+    }
+  ],
+  "10.9.0": [
+    {
+      "taskType": "string",
+      "scheduledAt": "string",
+      "startedAt": "string?|null",
+      "retryAt": "string?|null",
+      "runAt": "string",
+      "params": "string",
+      "state": "string",
+      "stateVersion": "number?",
+      "traceparent": "string",
+      "user": "string?",
+      "scope": "array?",
+      "ownerId": "string?|null",
+      "enabled": "boolean?",
+      "timeoutOverride": "string?",
+      "attempts": "number",
+      "status": "idle|claiming|running|failed|unrecognized|dead_letter",
+      "version": "string?",
+      "partition": "number?",
+      "priority": "number?",
+      "interval": "string",
+      "apiKey": "string?",
+      "uiamApiKey": "string?",
+      "userScope": "object?",
+      "schedule": "object?",
+      "cost": "tiny?|normal?|extralarge?"
+    }
+  ]
+}
@@ -194,7 +194,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
         "synthetics-private-location": "f5efabeefafbb12ed0809db3cd04f893ff9099ead8f526be82a9b0348e444f65",
         "synthetics-privates-locations": "42aebb3aa4f3710a3e270d54bf33718a4d1d7a983556a51f75bd96b1e4fdf048",
         "tag": "03a522e92aed789a4bbf1a5dd19159c3ec061cb052337df9270728def4b3bbe0",
-        "task": "52bb9355724d6546a8e485c161c7f039493acb79e913b31ce1d0b9839fe38117",
+        "task": "fe51599351dcfeee24deba348992b20f7ebe9bfcd89c7c301fd76c09dad275fe",
         "telemetry": "fb5e3ce0b2955f10aa8cd75fdafdd0559bf5d77eaf6e2c228079684f01f28fbd",
         "threshold-explorer-view": "9b0a770f5444531f92dd50832dcf655cb0c9cd7f18af205338e0c9d73c6df6a6",
         "trial-companion-nba-milestone": "83f29f99e2ffaf00ed8e05f3366ed0df1fb36a77193aeb151e13bae8b1d9692f",
@@ -1272,8 +1272,9 @@ describe('checking migration metadata changes on all registered SO types', () =>
         "tag|schemas: da39a3ee5e6b4b0d3255bfef95601890afd80709",
         "=====================================================",
         "task|global: 8277e4031824bb161fa73897294701786c15eb9a",
-        "task|mappings: 02ff4224787d1516899101bacf1c411fa0149383",
+        "task|mappings: a4616c952ab46648bba6f807a339d76b1388078e",
         "task|schemas: da39a3ee5e6b4b0d3255bfef95601890afd80709",
+        "task|10.9.0: f3b8db51d31abd44fa578686d0b2227de056323ae7cff62a48c335b6d9846507",
         "task|10.8.0: deed2eb105aa3f19fa1827868c6b5569523624614fb73a8fcb8600d86c0dface",
         "task|10.7.0: 6afacb50669e4a3ebd48d5790d1677c138885b1540acf5e832dbe8dc82e7cd5c",
         "task|10.6.0: a554a701424daf84a260b61390464deb9296c7372ac3438301c2fb046ded11f9",
@@ -1530,7 +1531,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
         "synthetics-private-location": "10.0.0",
         "synthetics-privates-locations": "10.1.0",
         "tag": "10.0.0",
-        "task": "10.8.0",
+        "task": "10.9.0",
         "telemetry": "10.0.0",
         "threshold-explorer-view": "10.0.0",
         "trial-companion-nba-milestone": "10.1.0",
@@ -1694,7 +1695,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
         "synthetics-private-location": "0.0.0",
         "synthetics-privates-locations": "10.1.0",
         "tag": "0.0.0",
-        "task": "10.8.0",
+        "task": "10.9.0",
         "telemetry": "0.0.0",
         "threshold-explorer-view": "0.0.0",
         "trial-companion-nba-milestone": "10.1.0",

@@ -31,15 +31,15 @@ export class TaskManagerDependenciesPlugin {
   public setup(_: CoreSetup, plugin: TaskManagerDependenciesPluginSetup) {
     plugin.encryptedSavedObjects.registerType({
       type: 'task',
-      attributesToEncrypt: new Set(['apiKey']),
+      attributesToEncrypt: new Set(['apiKey', 'uiamApiKey']),
       attributesToIncludeInAAD: new Set(['id', 'taskType']),
       enforceRandomId: false,
     });
 
     plugin.taskManager.registerCanEncryptedSavedObjects(plugin.encryptedSavedObjects.canEncrypt);
   }
 
-  public start(_: CoreStart, plugin: TaskManagerDependenciesPluginStart) {
+  public start(core: CoreStart, plugin: TaskManagerDependenciesPluginStart) {
     plugin.taskManager.registerEncryptedSavedObjectsClient(
       plugin.encryptedSavedObjects.getClient({
         includedHiddenTypes: ['task'],
@@ -48,5 +48,6 @@ export class TaskManagerDependenciesPlugin {
     plugin.taskManager.registerApiKeyInvalidateFn(
       plugin.security?.authc.apiKeys.invalidateAsInternalUser
     );
+    plugin.taskManager.registerUiamApiKeyInvalidateFn(core.security.authc.apiKeys.uiam?.invalidate);
   }
 }
@@ -83,7 +83,7 @@ describe('checking changes on all registered encrypted SO types', () => {
         "synthetics-monitor": "f1c060b7be3b30187c4adcb35d74f1fa8a4290bd7faf04fec869de2aa387e21b",
         "synthetics-monitor-multi-space": "39c4c6abd28c4173f77c1c89306e92b6b92492c0029274e10620a170be4d4a67",
         "synthetics-param": "747ba9d1b7addf5b131713abe7868bd767af6ce0cf8b6b0f335f4ef34b280c7e",
-        "task": "2d8e9bf532f469805b82051f545b915785d99eabfa050cb1aefbc715c6096b97",
+        "task": "d6cc30871dc78caf3f451de1275a3803879ec9935b4a2e34076dee56878c228f",
         "uptime-synthetics-api-key": "5ca81f180763e85397fa8c6508adcd60efd0f916e29bac6dcd5b4564f1db7375",
         "user_connector_token": "b443b022b46b79c0ff9fa674aecc64176a5fcbd09c2db2d9f050a6a88435732e",
       }
@@ -150,6 +150,7 @@ describe('checking changes on all registered encrypted SO types', () => {
         "oauth_state|1",
         "synthetics-monitor|2",
         "synthetics-monitor|1",
+        "task|9",
         "task|8",
         "task|7",
         "task|6",

diff --git a/x-pack/platform/plugins/shared/task_manager/moon.yml b/x-pack/platform/plugins/shared/task_manager/moon.yml
@@ -49,6 +49,7 @@ dependsOn:
   - '@kbn/licensing-types'
   - '@kbn/lazy-object'
   - '@kbn/security-plugin-types-server'
+  - '@kbn/core-security-server'
   - '@kbn/connector-specs'
   - '@kbn/es-errors'
   - '@kbn/core-execution-context-server-mocks'

@@ -30,7 +30,7 @@ export type ApiKeyInvalidationFn = (
 export type UiamApiKeyInvalidationFn = (
   request: KibanaRequest,
   params: InvalidateUiamAPIKeyParams
-) => Promise<InvalidateAPIKeyResult | null>;
+) => Promise<InvalidateAPIKeyResult | null> | undefined;
 
 export async function scheduleInvalidateApiKeyTask(
   logger: Logger,
@@ -54,6 +54,7 @@ interface RegisterInvalidateApiKeyTaskOpts {
   configInterval: string;
   coreStartServices: () => Promise<[CoreStart, TaskManagerPluginsStart, TaskManagerStartContract]>;
   invalidateApiKeyFn?: ApiKeyInvalidationFn;
+  invalidateUiamApiKeyFn?: UiamApiKeyInvalidationFn;
   logger: Logger;
   removalDelay: string;
   taskTypeDictionary: TaskTypeDictionary;
@@ -65,6 +66,7 @@ export function registerInvalidateApiKeyTask(opts: RegisterInvalidateApiKeyTaskO
     configInterval,
     coreStartServices,
     invalidateApiKeyFn,
+    invalidateUiamApiKeyFn,
     removalDelay,
     taskTypeDictionary,
   } = opts;
@@ -76,6 +78,7 @@ export function registerInvalidateApiKeyTask(opts: RegisterInvalidateApiKeyTaskO
         configInterval,
         coreStartServices,
         invalidateApiKeyFn,
+        invalidateUiamApiKeyFn,
         removalDelay,
       }),
     },
@@ -84,11 +87,23 @@ export function registerInvalidateApiKeyTask(opts: RegisterInvalidateApiKeyTaskO
 
 type InvalidateApiKeysTaskRunnerOpts = Pick<
   RegisterInvalidateApiKeyTaskOpts,
-  'logger' | 'configInterval' | 'coreStartServices' | 'invalidateApiKeyFn' | 'removalDelay'
+  | 'logger'
+  | 'configInterval'
+  | 'coreStartServices'
+  | 'invalidateApiKeyFn'
+  | 'invalidateUiamApiKeyFn'
+  | 'removalDelay'
 >;
 
 export function taskRunner(opts: InvalidateApiKeysTaskRunnerOpts) {
-  const { logger, configInterval, coreStartServices, invalidateApiKeyFn, removalDelay } = opts;
+  const {
+    logger,
+    configInterval,
+    coreStartServices,
+    invalidateApiKeyFn,
+    invalidateUiamApiKeyFn,
+    removalDelay,
+  } = opts;
   return () => {
     return {
       async run() {
@@ -100,6 +115,7 @@ export function taskRunner(opts: InvalidateApiKeysTaskRunnerOpts) {
 
           const totalInvalidated = await runInvalidate({
             invalidateApiKeyFn,
+            invalidateUiamApiKeyFn,
             logger,
             removalDelay,
             savedObjectsClient,
@@ -109,6 +125,10 @@ export function taskRunner(opts: InvalidateApiKeysTaskRunnerOpts) {
                 type: TASK_SO_NAME,
                 apiKeyAttributePath: `${TASK_SO_NAME}.attributes.userScope.apiKeyId`,
               },
+              {
+                type: TASK_SO_NAME,
+                apiKeyAttributePath: `${TASK_SO_NAME}.attributes.userScope.uiamApiKeyId`,
+              },
             ],
           });