diff --git a/docs/reference/central-configuration.md b/docs/reference/central-configuration.md index 5c3ab433..f181f8e5 100644 --- a/docs/reference/central-configuration.md +++ b/docs/reference/central-configuration.md @@ -65,10 +65,51 @@ To activate {{product.apm-agent}} Central Configuration for EDOT SDKs, follow th You need a valid {{es}} API key to authenticate to the {{es}} endpoint. -::::{include} _snippets/retrieve-credentials.md -:::: +::::: + +:::::{step} Create an Elasticsearch API key for central configuration + +Create an API key with the `config_agent:read` privilege. This API key will be used by EDOT SDKs and validated by the Collector. + +Use the following API request to generate the key: -Make sure the API key has `config_agent:read` permissions and resources set to `-`. +```json +POST /_security/api_key +{ + "name": "apmconfig-opamp-test-sdk", + "metadata": { + "application": "apm" + }, + "role_descriptors": { + "apm": { + "cluster": [], + "indices": [], + "applications": [ + { + "application": "apm", + "privileges": [ + "config_agent:read" + ], + "resources": [ + "*" + ] + } + ], + "run_as": [], + "metadata": {} + } + } +} +``` + +::::{note} +The EDOT Collector doesn't store or embed the {{es}} API key. + +Each EDOT SDK must send its own API key in the `Authorization` header (for example: `Authorization: ApiKey `). + +The `apikeyauth` extension only validates this API key against {{es}}, ensuring it includes the `config_agent:read` privilege with `resources: ["*"]`. +:::: +::::: ::::{dropdown} Example JSON payload ```json
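Review bot: The `POST /_security/api_key` body in the new step sets no `expiration`, so a key created by copying this request never expires, and its `name`, `apmconfig-opamp-test-sdk`, reads like a test fixture rather than documentation. Consider adding an `expiration` value (for example `"expiration": "30d"`) with a sentence on rotation, and a neutral name. The note says each EDOT SDK sends its own key, so the step should also say whether to create one key per SDK or service instead of sharing one. In the same note, the header example `Authorization: ApiKey ` ends with nothing after `ApiKey`; add a visible placeholder and state which field of the create-key response it takes. The removed sentence said resources set to `-` while the added request and note use `"*"`; it is worth confirming that no other part of the page still refers to the old value.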