diff --git a/deploy-manage/api-keys/elasticsearch-api-keys.md b/deploy-manage/api-keys/elasticsearch-api-keys.md
index e6622c6962..83ba70ed33 100644
--- a/deploy-manage/api-keys/elasticsearch-api-keys.md
+++ b/deploy-manage/api-keys/elasticsearch-api-keys.md
@@ -15,7 +15,7 @@ Several types of {{es}} API keys exist:
 * **Cross-cluster** API key: allows other clusters to connect to this cluster.
 * **Managed** API key: created and managed by {{kib}} to run background tasks.
 
-To manage API keys in {{kib}}, go to the **API Keys** management page using the navigation menu or the [global search field](../../explore-analyze/find-and-organize/find-apps-and-objects.md).
+To manage API keys in {{kib}}, go to **Management > Stack Management > API Keys** from the navigation menu or use the [global search field](../../explore-analyze/find-and-organize/find-apps-and-objects.md).
 
 ![API Keys UI](/deploy-manage/images/kibana-api-keys.png "")
 
@@ -33,23 +33,41 @@ To manage roles, go to the **Roles** management page using the navigation menu o
 
 ## Create an API key [create-api-key]
 
-To create an API key, go to the **API Keys** management page using the navigation menu or the [global search field](../../explore-analyze/find-and-organize/find-apps-and-objects.md), and select **Create API key**.
+Two methods are available to create an API key:
 
-![Create API Key UI](/deploy-manage/images/kibana-create-ccr-api-key.png "")
+* As a quick option to create a personal API key from anywhere in {{kib}}:
+  1. From the **Help menu** (![help icon](/deploy-manage/images/help-icon.svg)), select **Connection details > API key**.  
+  1. Give the key a name.
+  1. Select **Create API key**.
+  
+  Your personal API key is created with a default expiration of 90 days from the time of creation. You can manage the key from the **API Keys** page.
 
-Refer to the [Create API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key) documentation to learn more about creating user API keys.
+* To create a personal or cross-cluster API key with configurable options, go to **Management > Stack Management > API Keys** from the navigation menu or use the [global search field](../../explore-analyze/find-and-organize/find-apps-and-objects.md), and select **Create API key**.
 
-Refer to the [Create cross-cluster API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-cross-cluster-api-key) documentation to learn more about creating cross-cluster API keys.
+  ![Create API Key UI](/deploy-manage/images/kibana-create-user-api-key.png "")
 
+  1. Choose to create either a user or a cross-cluster API key.
+  2. Optionally, set an expiry date. By default the API key will not expire, but it's a good security practice to give the key a limited lifespan.
+  3. Configure access:
+      * For a user API key, you can opt to configure access to specific {{es}} APIs and resources by assigning the key with predefined roles or custom privileges. Refer to [Defining roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md) and the [Create API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key) API documentation to learn more.
+      * For a cross-cluster API key, you can control the indices that other clusters have access to. Refer to the [Create cross-cluster API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-cross-cluster-api-key) API documentation to learn more.
+  4. Add any additional metadata about the API as one or more key-value pairs. Refer to the [Create API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key) API documentation for examples.
 
 ## Update an API key [update-api-key]
 
-To update an API key, go to the **API Keys** management page using the navigation menu or the [global search field](../../explore-analyze/find-and-organize/find-apps-and-objects.md), and then click on the name of the key. You cannot update the name or the type of API key.
+To update an API key, go to **Management > Stack Management > API Keys** from the navigation menu or use the [global search field](../../explore-analyze/find-and-organize/find-apps-and-objects.md), and then click on the name of the key. You cannot update the name or the type of an API key.
 
-Refer to the [Update API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-update-api-key) documentation to learn more about updating user API keys.
-
-Refer to the [Update cross-cluster API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-update-cross-cluster-api-key) documentation to learn more about updating cross-cluster API keys.
+* For a user API key, you can update:
+  * The API key's access to {{es}} APIs and resources.
+  * The metadata associated with the key.
+ 
+  Refer to the [Update API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-update-api-key) API documentation to learn more.
 
+* For a cross-cluster API key, you can update:
+  * The indices that other clusters have access to.
+  * The metadata associated with the key.
+ 
+  Refer to the [Update cross-cluster API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-update-cross-cluster-api-key) API documentation to learn more.
 
 ## View and delete API keys [view-api-keys]
 
diff --git a/deploy-manage/api-keys/serverless-project-api-keys.md b/deploy-manage/api-keys/serverless-project-api-keys.md
index 2657892a4e..54eb9ccd8d 100644
--- a/deploy-manage/api-keys/serverless-project-api-keys.md
+++ b/deploy-manage/api-keys/serverless-project-api-keys.md
@@ -46,9 +46,9 @@ API keys are intended for programmatic access. Don’t use API keys to authentic
 
 
 
-### Restrict privileges [api-keys-restrict-privileges]
+### Control security privileges [api-keys-restrict-privileges]
 
-When you create or update an API key, use **Restrict privileges** to limit the permissions. Define the permissions using a JSON `role_descriptors` object, where you specify one or more roles and the associated privileges.
+When you create or update an API key, use **Control security privileges** to configure access to specific {{es}} APIs and resources. Define the permissions using a JSON `role_descriptors` object, where you specify one or more roles and the associated privileges.
 
 For example, the following `role_descriptors` object defines a `books-read-only` role that limits the API key to `read` privileges on the `books` index.
 
diff --git a/deploy-manage/images/help-icon.svg b/deploy-manage/images/help-icon.svg
new file mode 100644
index 0000000000..41c126555f
--- /dev/null
+++ b/deploy-manage/images/help-icon.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 16 16" class="euiIcon eui-alignMiddle css-1t0rgrv-euiIcon-m-isLoaded" role="img" data-icon-type="help" data-is-loaded="true" aria-hidden="true"><path fill-rule="evenodd" d="m13.6 12.186-1.357-1.358c-.025-.025-.058-.034-.084-.056.53-.794.84-1.746.84-2.773a4.977 4.977 0 0 0-.84-2.772c.026-.02.059-.03.084-.056L13.6 3.813a6.96 6.96 0 0 1 0 8.373ZM8 15A6.956 6.956 0 0 1 3.814 13.6l1.358-1.358c.025-.025.034-.057.055-.084C6.02 12.688 6.974 13 8 13a4.978 4.978 0 0 0 2.773-.84c.02.026.03.058.056.083l1.357 1.358A6.956 6.956 0 0 1 8 15Zm-5.601-2.813a6.963 6.963 0 0 1 0-8.373l1.359 1.358c.024.025.057.035.084.056A4.97 4.97 0 0 0 3 8c0 1.027.31 1.98.842 2.773-.027.022-.06.031-.084.056l-1.36 1.358Zm5.6-.187A4 4 0 1 1 8 4a4 4 0 0 1 0 8ZM8 1c1.573 0 3.019.525 4.187 1.4l-1.357 1.358c-.025.025-.035.057-.056.084A4.979 4.979 0 0 0 8 3a4.979 4.979 0 0 0-2.773.842c-.021-.027-.03-.059-.055-.084L3.814 2.4A6.957 6.957 0 0 1 8 1Zm0-1a8.001 8.001 0 1 0 .003 16.002A8.001 8.001 0 0 0 8 0Z"></path></svg>
\ No newline at end of file
diff --git a/deploy-manage/images/kibana-create-ccr-api-key.png b/deploy-manage/images/kibana-create-ccr-api-key.png
deleted file mode 100644
index 00b5cf546b..0000000000
Binary files a/deploy-manage/images/kibana-create-ccr-api-key.png and /dev/null differ
diff --git a/deploy-manage/images/kibana-create-user-api-key.png b/deploy-manage/images/kibana-create-user-api-key.png
new file mode 100644
index 0000000000..9d55436177
Binary files /dev/null and b/deploy-manage/images/kibana-create-user-api-key.png differ
diff --git a/deploy-manage/images/serverless-create-personal-api-key.png b/deploy-manage/images/serverless-create-personal-api-key.png
index 1eba110e74..16f432ef82 100644
Binary files a/deploy-manage/images/serverless-create-personal-api-key.png and b/deploy-manage/images/serverless-create-personal-api-key.png differ