@@ -470,6 +470,13 @@

The OpenID Connect realm is designed to allow users to authenticate to {{kib}}. As a result, most sections of this guide assume {{kib}} is used. This section describes how a custom web application could use the relevant OpenID Connect REST APIs to authenticate the users to {{es}} with OpenID Connect.

::::{note}
The OpenID Connect protocol enables authentication for interactive users through a web browser. Users must be able to open a login URL in their browser and enter credentials when prompted.

{{es}} does not support using OpenID Connect to authenticate non-interactive users such as service principals or automated processes. If you want to authenticate a service, the [JWT](jwt.md) realm might be a suitable alternative.

Check notice on line 476 in deploy-manage/users-roles/cluster-or-deployment-auth/openid-connect.md (GitHub Actions / vale): Elastic.Acronyms: 'JWT' has no definition.
The JWT realm is able to authenticate tokens that are produced by OpenID Connect providers.

Check notice on line 477 in deploy-manage/users-roles/cluster-or-deployment-auth/openid-connect.md (GitHub Actions / vale): Elastic.Acronyms: 'JWT' has no definition.
::::

Single sign-on realms such as OpenID Connect and SAML make use of the Token Service in {{es}} and in principle exchange a SAML or OpenID Connect Authentication response for an {{es}} access token and a refresh token. The access token is used as credentials for subsequent calls to {{es}}. The refresh token enables the user to get new {{es}} access tokens after the current one expires.

::::{note}
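Review bot: The added note uses "JWT" at lines 476 and 477 without expanding it, which is what the two vale Elastic.Acronyms notices point at; spell it out on first use, for example "the [JSON Web Token (JWT)](jwt.md) realm". The closing sentence, "The JWT realm is able to authenticate tokens that are produced by OpenID Connect providers", also leaves open which tokens are meant. Because the note steers service principals and automated processes to a different realm, it should say what kind of token the service has to present, or state that the linked jwt.md page covers it. Lines 476 and 477 are adjacent in the source, so confirm they are meant to render as one paragraph.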