diff --git a/docs/user/security/api-keys/images/create-api-key.png b/docs/user/security/api-keys/images/create-api-key.png
index c763dcbfa53f..b0041f69b05b 100644
Binary files a/docs/user/security/api-keys/images/create-api-key.png and b/docs/user/security/api-keys/images/create-api-key.png differ
diff --git a/x-pack/plugins/security/common/model/api_key.ts b/x-pack/plugins/security/common/model/api_key.ts
index f2467468f806..ed622bf0dc87 100644
--- a/x-pack/plugins/security/common/model/api_key.ts
+++ b/x-pack/plugins/security/common/model/api_key.ts
@@ -15,6 +15,7 @@ export interface ApiKey {
   creation: number;
   expiration: number;
   invalidated: boolean;
+  metadata: Record<string, any>;
 }
 
 export interface ApiKeyToInvalidate {
diff --git a/x-pack/plugins/security/public/management/api_keys/api_keys_api_client.ts b/x-pack/plugins/security/public/management/api_keys/api_keys_api_client.ts
index 65540fd7ebfc..96f4506e09b7 100644
--- a/x-pack/plugins/security/public/management/api_keys/api_keys_api_client.ts
+++ b/x-pack/plugins/security/public/management/api_keys/api_keys_api_client.ts
@@ -28,6 +28,7 @@ export interface CreateApiKeyRequest {
   name: string;
   expiration?: string;
   role_descriptors?: ApiKeyRoleDescriptors;
+  metadata?: Record<string, any>;
 }
 
 export interface CreateApiKeyResponse {
diff --git a/x-pack/plugins/security/public/management/api_keys/api_keys_grid/create_api_key_flyout.tsx b/x-pack/plugins/security/public/management/api_keys/api_keys_grid/create_api_key_flyout.tsx
index 27385e4b29b0..e1ffc3b4b351 100644
--- a/x-pack/plugins/security/public/management/api_keys/api_keys_grid/create_api_key_flyout.tsx
+++ b/x-pack/plugins/security/public/management/api_keys/api_keys_grid/create_api_key_flyout.tsx
@@ -45,7 +45,9 @@ export interface ApiKeyFormValues {
   expiration: string;
   customExpiration: boolean;
   customPrivileges: boolean;
+  includeMetadata: boolean;
   role_descriptors: string;
+  metadata: string;
 }
 
 export interface CreateApiKeyFlyoutProps {
@@ -59,30 +61,9 @@ const defaultDefaultValues: ApiKeyFormValues = {
   expiration: '',
   customExpiration: false,
   customPrivileges: false,
-  role_descriptors: JSON.stringify(
-    {
-      'role-a': {
-        cluster: ['all'],
-        indices: [
-          {
-            names: ['index-a*'],
-            privileges: ['read'],
-          },
-        ],
-      },
-      'role-b': {
-        cluster: ['all'],
-        indices: [
-          {
-            names: ['index-b*'],
-            privileges: ['all'],
-          },
-        ],
-      },
-    },
-    null,
-    2
-  ),
+  includeMetadata: false,
+  role_descriptors: '{}',
+  metadata: '{}',
 };
 
 export const CreateApiKeyFlyout: FunctionComponent<CreateApiKeyFlyoutProps> = ({
@@ -227,7 +208,6 @@ export const CreateApiKeyFlyout: FunctionComponent<CreateApiKeyFlyoutProps> = ({
           <EuiSpacer />
           <EuiFormFieldset>
             <EuiSwitch
-              id="apiKeyCustom"
               label={i18n.translate(
                 'xpack.security.accountManagement.createApiKey.customPrivilegesLabel',
                 {
@@ -270,7 +250,6 @@ export const CreateApiKeyFlyout: FunctionComponent<CreateApiKeyFlyoutProps> = ({
           <EuiSpacer />
           <EuiFormFieldset>
             <EuiSwitch
-              name="customExpiration"
               label={i18n.translate(
                 'xpack.security.accountManagement.createApiKey.customExpirationLabel',
                 {
@@ -312,6 +291,48 @@ export const CreateApiKeyFlyout: FunctionComponent<CreateApiKeyFlyoutProps> = ({
             )}
           </EuiFormFieldset>
 
+          <EuiSpacer />
+          <EuiFormFieldset>
+            <EuiSwitch
+              label={i18n.translate(
+                'xpack.security.accountManagement.createApiKey.includeMetadataLabel',
+                {
+                  defaultMessage: 'Include metadata',
+                }
+              )}
+              checked={!!form.values.includeMetadata}
+              onChange={(e) => form.setValue('includeMetadata', e.target.checked)}
+            />
+            {form.values.includeMetadata && (
+              <>
+                <EuiSpacer size="m" />
+                <EuiFormRow
+                  helpText={
+                    <DocLink
+                      app="elasticsearch"
+                      doc="security-api-create-api-key.html#security-api-create-api-key-request-body"
+                    >
+                      <FormattedMessage
+                        id="xpack.security.accountManagement.createApiKey.metadataHelpText"
+                        defaultMessage="Learn how to structure metadata."
+                      />
+                    </DocLink>
+                  }
+                  error={form.errors.metadata}
+                  isInvalid={form.touched.metadata && !!form.errors.metadata}
+                >
+                  <CodeEditorField
+                    value={form.values.metadata!}
+                    onChange={(value) => form.setValue('metadata', value)}
+                    languageId="xjson"
+                    height={200}
+                  />
+                </EuiFormRow>
+                <EuiSpacer size="s" />
+              </>
+            )}
+          </EuiFormFieldset>
+
           {/* Hidden submit button is required for enter key to trigger form submission */}
           <input type="submit" hidden />
         </EuiForm>
@@ -363,6 +384,28 @@ export function validate(values: ApiKeyFormValues) {
     }
   }
 
+  if (values.includeMetadata) {
+    if (!values.metadata) {
+      errors.metadata = i18n.translate(
+        'xpack.security.management.apiKeys.createApiKey.metadataRequired',
+        {
+          defaultMessage: 'Enter metadata or disable this option.',
+        }
+      );
+    } else {
+      try {
+        JSON.parse(values.metadata);
+      } catch (e) {
+        errors.metadata = i18n.translate(
+          'xpack.security.management.apiKeys.createApiKey.invalidJsonError',
+          {
+            defaultMessage: 'Enter valid JSON.',
+          }
+        );
+      }
+    }
+  }
+
   return errors;
 }
 
@@ -374,5 +417,6 @@ export function mapValues(values: ApiKeyFormValues): CreateApiKeyRequest {
       values.customPrivileges && values.role_descriptors
         ? JSON.parse(values.role_descriptors)
         : undefined,
+    metadata: values.includeMetadata && values.metadata ? JSON.parse(values.metadata) : undefined,
   };
 }
diff --git a/x-pack/plugins/security/server/authentication/api_keys/api_keys.ts b/x-pack/plugins/security/server/authentication/api_keys/api_keys.ts
index 83bc5a26ead3..026de4a97842 100644
--- a/x-pack/plugins/security/server/authentication/api_keys/api_keys.ts
+++ b/x-pack/plugins/security/server/authentication/api_keys/api_keys.ts
@@ -30,15 +30,21 @@ export interface CreateAPIKeyParams {
   name: string;
   role_descriptors: Record<string, any>;
   expiration?: string;
+  metadata?: Record<string, any>;
 }
 
-interface GrantAPIKeyParams {
-  api_key: CreateAPIKeyParams;
-  grant_type: 'password' | 'access_token';
-  username?: string;
-  password?: string;
-  access_token?: string;
-}
+type GrantAPIKeyParams =
+  | {
+      api_key: CreateAPIKeyParams;
+      grant_type: 'password';
+      username: string;
+      password: string;
+    }
+  | {
+      api_key: CreateAPIKeyParams;
+      grant_type: 'access_token';
+      access_token: string;
+    };
 
 /**
  * Represents the params for invalidating multiple API keys
diff --git a/x-pack/plugins/security/server/routes/api_keys/create.test.ts b/x-pack/plugins/security/server/routes/api_keys/create.test.ts
index 8e34ededdd8f..502a7cb1246c 100644
--- a/x-pack/plugins/security/server/routes/api_keys/create.test.ts
+++ b/x-pack/plugins/security/server/routes/api_keys/create.test.ts
@@ -85,6 +85,9 @@ describe('Create API Key route', () => {
         role_descriptors: {
           role_1: {},
         },
+        metadata: {
+          foo: 'bar',
+        },
       };
 
       const request = httpServerMock.createKibanaRequest({
diff --git a/x-pack/plugins/security/server/routes/api_keys/create.ts b/x-pack/plugins/security/server/routes/api_keys/create.ts
index a309d3a0e3ed..b9e927592a49 100644
--- a/x-pack/plugins/security/server/routes/api_keys/create.ts
+++ b/x-pack/plugins/security/server/routes/api_keys/create.ts
@@ -29,6 +29,7 @@ export function defineCreateApiKeyRoutes({
               defaultValue: {},
             }
           ),
+          metadata: schema.maybe(schema.object({}, { unknowns: 'allow' })),
         }),
       },
     },
diff --git a/x-pack/test/api_integration/apis/security/api_keys.ts b/x-pack/test/api_integration/apis/security/api_keys.ts
index c6513fa800c1..c79c4f3eaa88 100644
--- a/x-pack/test/api_integration/apis/security/api_keys.ts
+++ b/x-pack/test/api_integration/apis/security/api_keys.ts
@@ -46,6 +46,23 @@ export default function ({ getService }: FtrProviderContext) {
             expect(name).to.eql('test_api_key');
           });
       });
+
+      it('should allow an API Key to be created with metadata', async () => {
+        await supertest
+          .post('/internal/security/api_key')
+          .set('kbn-xsrf', 'xxx')
+          .send({
+            name: 'test_api_key_with_metadata',
+            metadata: {
+              foo: 'bar',
+            },
+          })
+          .expect(200)
+          .then((response: Record<string, any>) => {
+            const { name } = response.body;
+            expect(name).to.eql('test_api_key_with_metadata');
+          });
+      });
     });
   });
 }