The section Activate central configuration in the docs describes how to retrieve an Elasticsearch API key and how to configure the EDOT collector. The code snippet for the configuration uses bearertokenauth and not apikeyauth.

In Authentication methods, it's mentioned that apikeyauth validates Elasticsearch API keys and that it is used to authenticate requests from EDOT SDKs that use Elasticsearch API keys. The apmconfigextension readme does mention any configauth authenticator is supported and recommends to use apikeyauth.

Following the Authentication methods docs for authentication EDOT SDKs, the configuration of the apikeyauth extension looks like

extensions:
  apikeyauth:
    endpoint: "${ELASTIC_ENDPOINT}"
    application_privileges:
      - application: "apm"
        privileges: ["config_agent:read"]
        resources: ["*"]
...

where as the configuration of the apikeyauth extension in Authentication settings in Default config looks like

extensions:
  apikeyauth:
    endpoint: "<YOUR_ELASTICSEARCH_ENDPOINT>"
    application_privileges:
      - application: "apm"
        privileges:
          - "config_agent:read"
        resources:
          - "-"
   ...

The snippets are inconsistent in the format and for resources there is * used in one snippet and - in the other snippet. Do both values achieve the same result? If yes, it can be confusing to new users that the snippets are not aligned in terms of format and values.

What needs to be clarified is how the snippet in central configuration should look like. What is the authenticator to use and to be consistent with the rest of the documentation and to be complete. Should it look like this (untested)?

extensions:
  apikeyauth:
    endpoint: "${ELASTIC_ENDPOINT}"
    application_privileges:
      - application: "apm"
        privileges: ["config_agent:read"]
        resources: ["*"]
  apmconfig:
    opamp:
      protocols:
        http:
          auth:
            authenticator: apikeyauth
   ...

The sample configuration files provided in Default config (Standalone) docs are very useful to new users although they do not include the configuration of the apikeyauth extension.

A piece of information that is not mentioned in the docs (at least I couldn't find it) is how to provide the Elasticsearch API key to the apikeyauth extension.