diff --git a/changelogs/head.asciidoc b/changelogs/head.asciidoc index 82ce9f2decb..4690ae719cc 100644 --- a/changelogs/head.asciidoc +++ b/changelogs/head.asciidoc @@ -36,6 +36,7 @@ https://github.com/elastic/apm-server/compare/7.12\...master[View commits] * The server now responds with a reason for some 401 Unauthorized requests {pull}5053[5053] * Add `session.id` and `session.sequence` fields for RUM session tracking {pull}5056[5056] * Support for ingesting `user.domain` {pull}5067[5067] +* Add `"application": "apm"` metadata to API Keys created with `apm-server apikey create` {pull}5090[5090] * API Key auth is no longer considered experimental {pull}5091[5091] [float] diff --git a/cmd/apikey.go b/cmd/apikey.go index df0cdd58814..d254672213a 100644 --- a/cmd/apikey.go +++ b/cmd/apikey.go @@ -320,6 +320,7 @@ PUT /_security/role/my_role { }, }, }, + Metadata: map[string]interface{}{"application": "apm"}, } if expiry != "" { apikeyRequest.Expiration = &expiry diff --git a/elasticsearch/security_api.go b/elasticsearch/security_api.go index cd052ad4ee0..12fcf53e0ff 100644 --- a/elasticsearch/security_api.go +++ b/elasticsearch/security_api.go @@ -67,9 +67,10 @@ func HasPrivileges(ctx context.Context, client Client, privileges HasPrivilegesR } type CreateAPIKeyRequest struct { - Name string `json:"name"` - Expiration *string `json:"expiration,omitempty"` - RoleDescriptors RoleDescriptor `json:"role_descriptors"` + Name string `json:"name"` + Expiration *string `json:"expiration,omitempty"` + RoleDescriptors RoleDescriptor `json:"role_descriptors"` + Metadata map[string]interface{} `json:"metadata,omitempty"` } type CreateAPIKeyResponse struct { 
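Review bot: The added `Metadata: map[string]interface{}{"application": "apm"},` line in cmd/apikey.go carries no comment, and the value is a label chosen by the key's creator, not something Elasticsearch verifies. It is useful for filtering and audit queries, but it should not be read as proof that a key was issued by `apm-server apikey create`, nor used to decide which keys to trust or invalidate. I would add `// Descriptive label only: metadata is set by the key's creator and is not an authorization signal.` above the field. Elasticsearch versions that predate API key metadata may reject the extra `metadata` field, so the minimum supported version is worth confirming. The enclosing function starts and ends outside this hunk.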
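Review bot: Both new `Metadata` fields in elasticsearch/security_api.go (`CreateAPIKeyRequest` in this hunk and `APIKeyResponse` in the following one) are exported without doc comments, and `map[string]interface{}` accepts whatever a caller passes. Elasticsearch documents metadata keys beginning with `_` as reserved for system use, so the request field deserves a comment such as `// Metadata is arbitrary key metadata; keys starting with "_" are reserved by Elasticsearch.`. On the response side the map holds values chosen by whoever created the key, so `// Metadata is creator-supplied; treat it as untrusted when displaying or comparing.` would help any caller that prints key details.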
@@ -121,9 +122,10 @@ type Application struct { type APIKeyResponse struct { APIKey - Creation int64 `json:"creation"` - Invalidated bool `json:"invalidated"` - Username string `json:"username"` + Creation int64 `json:"creation"` + Invalidated bool `json:"invalidated"` + Username string `json:"username"` + Metadata map[string]interface{} `json:"metadata,omitempty"` } type APIKeyQuery struct { diff --git a/systemtest/apikeycmd_test.go b/systemtest/apikeycmd_test.go index 1d08f5681da..dd836af7a50 100644 --- a/systemtest/apikeycmd_test.go +++ b/systemtest/apikeycmd_test.go @@ -19,6 +19,7 @@ package systemtest_test import ( "bytes" + "context" "encoding/json" "io" "net/http" @@ -76,6 +77,21 @@ func TestAPIKeyCreate(t *testing.T) { es := systemtest.NewElasticsearchClientWithAPIKey(attrs["credentials"].(string)) assertAuthenticateSucceeds(t, es) + + // Check that the API Key has expected metadata. + type apiKey struct { + ID string `json:"id"` + Metadata map[string]interface{} `json:"metadata"` + } + var resp struct { + APIKeys []apiKey `json:"api_keys"` + } + _, err = systemtest.Elasticsearch.Do(context.Background(), &esapi.SecurityGetAPIKeyRequest{ + ID: attrs["id"].(string), + }, &resp) + require.NoError(t, err) + require.Len(t, resp.APIKeys, 1) + assert.Equal(t, map[string]interface{}{"application": "apm"}, resp.APIKeys[0].Metadata) } func TestAPIKeyCreateExpiration(t *testing.T) {
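Review bot: The new check in `TestAPIKeyCreate` decodes the Get API Key response into a local `apiKey` struct, so the `Metadata` field this commit adds to `elasticsearch.APIKeyResponse` is not exercised by anything visible in the diff. If that field is meant to be read by the `apikey info` path, a test that lists the key through that command and checks for `"application": "apm"` would cover it. Separately, `attrs["id"].(string)` panics when the key is missing or not a string; `require.IsType(t, "", attrs["id"])` just before the request would turn that into an ordinary test failure. The function body begins outside this hunk.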