Dynatrace API - Tokens and authentication
To be authenticated to use the Dynatrace API, you need a valid access token or a valid personal access token. Access to the API is fine-grained, meaning that you also need the proper scopes assigned to the token. See the description of each request to find out which scopes are required to use it.
Token format
Dynatrace uses a unique token format consisting of three components separated by dots (.).
Token example
dt0s01.ST2EY72KQINMH574WMNVI7YN.G3DFPBEJYMODIDAEX454M7YWBUVEFOWKPRVMWFASS64NFH52PX6BNDVFFM572RZM
Token components
| Component name | Component description |
|---|---|
prefix | The prefix identifies the token type. In our example: See Token prefixes below for a table of standard prefixes. |
public portion | The public portion of the token is a 24-character public identifier. In our example: |
The token identifier is the combination of the prefix and the public portion. A token identifier can be safely displayed in the UI and can be used for logging purposes. In our example: | |
secret portion | The secret portion of the token is a 64-character string that should be treated like a password:
In our example: |
Token prefixes
| Prefix | Description |
|---|---|
| This is an API token. It's used as an authorization method: a valid token allows the user to make changes within the Dynatrace account through SCIM.
|
| OAuth2 Clients created by users through Account Management to be used with Dynatrace Apps and Account Management API. |
| OAuth2 Clients for internal and external services and integrations. |
| Chat and identity linking. |
| This is an OAuth2 Refresh Token, which is used to retrieve a new Access Token and generally changes frequently (typically every 5 to 15 minutes). |
| OAuth2 Clients for internal and external services and integrations. |
| Chat and identity linking. |
Generate a token
To generate an access token
- In the Dynatrace menu, select Access tokens.
- Select Generate new token.
- Enter a name for your token.
Dynatrace doesn't enforce unique token names. You can create multiple tokens with the same name. Be sure to provide a meaningful name for each token you generate. Proper naming helps you to efficiently manage your tokens and perhaps delete them when they're no longer needed. - Select the required scopes for the token.
- Select Generate token.
- Copy the generated token to the clipboard. Store the token in a password manager for future use.
You can only access your token once upon creation. You can't reveal it afterward.
To generate a personal access token
- Open the user menu
in the upper-right corner of the Dynatrace web UI and select Personal access tokens. - Select Generate new token.
- Enter a name for your token.
Dynatrace doesn't enforce unique token names. You can create multiple tokens with the same name. Be sure to provide a meaningful name for each token you generate. Proper naming helps you to efficiently manage your tokens and perhaps delete them when they're no longer needed. - Select the required scopes for the token.
- Select Generate token.
- Copy the generated token to the clipboard. Store the token in a password manager for future use.
You can only access your token once upon creation. You can't reveal it afterward.
You can assign multiple scopes to a single token, or you can generate several tokens, each with different access levels and use them accordingly—check your organization's security policies for the best practice.
To change the scope of an existing token, use the PUT a token call of the Access tokens API. Note that you need to submit the existing scopes if you want to keep them. Any existing scope missing in the payload is removed.
Alternatively, you can use the POST a token call to generate a token.
Token scopes
Dynatrace provides the following permissions for API tokens. You can set them in the web UI as described above or via the Access tokens API. Some scopes are only available via API.
| Name | API value | Description |
|---|---|---|
API v2 | ||
Read metrics |
| Grants access to GET requests of the Metrics API v2. |
Write metrics |
| Grants access to the DELETE a custom metric request of the Metrics API v2. |
Ingest metrics |
| Grants access to the POST ingest data points request of the Metrics v2 API as well as the OpenTelemetry metrics ingest API. |
Read logs |
| Grants access to the GET requests of the Log Monitoring API v2 |
Ingest logs |
| Grants access to the POST ingest logs request of the Log Monitoring API v2. |
Ingest OpenTelemetry traces |
| Allows to ingest OpenTelemetry traces. |
Look up a single trace |
| Checks for the presence of a trace in cross-environment tracing. |
Read entities |
| Grants access to GET requests of the Monitored entities and Custom tags APIs. |
Write entities |
| Grants access to POST, PUT, and DELETE requests of the Monitored entities and Custom tags APIs. |
Read problems |
| Grants access to GET requests of the Problems API v2. |
Write problems |
| Grants access to POST, PUT, and DELETE requests of the Problems API v2. |
Read events |
| Grants access to GET requests of the Events API v2. |
Ingest events |
| Grants access to POST request of the Events API v2. |
Read network zones |
| Grants access to GET requests of the Network zones API. |
Write network zones |
| Grants access to POST, PUT, and DELETE requests of the Network zones API. |
Read ActiveGates |
| Grants access to GET requests of the ActiveGates API. |
Write ActiveGates |
| Grants access to POST and DELETE requests of the ActiveGates API. |
Read ActiveGate tokens |
| Grants access to GET requests of the ActiveGate tokens API. |
Create ActiveGate tokens |
| Grants access to the POST request of the ActiveGate tokens API. |
Write ActiveGate tokens |
| Grants access to POST and DELETE requests of the ActiveGate tokens API. |
Read extensions |
| Grants access to GET requests from the Extensions section of the Extensions 2.0 API. |
Write extensions |
| Grants access to POST and DELETE requests from the Extensions section of the Extensions 2.0 API. |
Read extensions environment configuration |
| Grants access to GET requests from the Extensions environment configuration section of the Extensions 2.0 API. |
Write extensions environment configuration |
| Grants access to POST, PUT, and DELETE requests from the Extensions environment configuration section of the Extensions 2.0 API. |
Read extensions monitoring configuration |
| Grants access to GET requests from the Extensions monitoring configuration section of the Extensions 2.0 API. |
Write extensions monitoring configuration |
| Grants access to POST, PUT, and DELETE requests from the Extensions monitoring configuration section of the Extensions 2.0 API. |
Read security problems |
| Grants access to GET requests of the Security problems API. |
Write security problems |
| Grants access to POST requests of the Security problems API. |
Read synthetic locations |
| Grants access to GET requests of the Synthetic locations API v2 and Synthetic nodes API v2. |
Write synthetic locations |
| Grants access to POST, PUT, and DELETE requests of the Synthetic locations API v2 and Synthetic nodes API v2. |
Read settings |
| Grants access to GET requests of the Settings API. |
Write settings |
| Grants access to POST and DELETE requests of the Settings API. |
Tenant token rotation |
| Grants access to the Tenant tokens API. |
Read SLO |
| Grants access to GET requests of the Service-level objectives API. |
Write SLO |
| Grants access to POST, PUT, and DELETE requests of the Service-level objectives API. |
Read API tokens |
| Grants access to GET requests of the Access tokens API. |
Write API tokens |
| Grants access to POST, PUT, and DELETE requests of the Access tokens API. |
Read releases |
| Grants access to the Releases API. |
Read audit logs |
| Grants access to the audit log. |
Read Geographic regions |
| Grants access to the Geographic regions API. |
Read synthetic monitor execution results |
| Grants access to GET requests of the |
Write synthetic monitor execution results |
| Grants access to POST request of |
Read credential vault entries |
| Grants access to GET requests of the Credential vault API. |
Write credential vault entries |
| Grants access to POST, PUT, and DELETE requests of the Credential vault API. |
API v1 | ||
Access problems and event feed, metrics, and topology |
| Grants access to various calls of Environment API. |
Create and read synthetic monitors, locations, and nodes |
| Grants access to the Synthetic API. |
Read synthetic monitors, locations, and nodes |
| Grants access to GET requests of Synthetic API. |
Read configuration |
| Grants access to GET calls of Configuration API. |
Write configuration |
| Grants access to POST, PUT, and DELETE calls of Configuration API. |
Change data privacy settings |
| Grants access to Data privacy API and data privacy calls of Web application configuration API. |
User sessions |
| Grants access to User sessions API. |
Anonymize user sessions for data privacy reasons |
| Grants access to Anonymization API. |
Mobile symbol file management |
| Grants access to Mobile symbolication API. |
Real User Monitoring JavaScript tag management |
| Grants access to Real User Monitoring JavaScript API. |
ActiveGate certificate management |
| Allows to configure certificate on private ActiveGates. |
Data ingest |
| Allows to import data and events from external sources. |
Fetch data from a remote environment |
| Allows to fetch data from remote Dynatrace environments for multi-environment dashboarding. |
Capture request data |
| Grants access to Request attributes API. |
Read log content |
| Grants access to Log Monitoring API. |
RUM browser extension |
| Allows the RUM browser extension to send data to Dynatrace. |
Read OneAgents |
| Grants access to GET requests of the OneAgents API. |
Write OneAgents |
| Grants access to POST and DELETE requests of the OneAgents API. |
PaaS | ||
Download OneAgent and ActiveGate installers |
| Allows download of installers via Deployment API. |
Create support alerts |
| Allows creation of support alerts for crash analysis. |
Other | ||
Upload plugins using the command line |
| Allows to upload OneAgent extensions via Extension SDK. |
Dynatrace provides the following permissions for personal access tokens. You can set them in the web UI as described above or via the Access tokens API.
| Name | API value | Description |
|---|---|---|
Read API tokens |
| Grants access to GET requests of the Access tokens API. |
Write API tokens |
| Grants access to POST, PUT, and DELETE requests of the Access tokens API. |
Read entities |
| Grants access to GET requests of the Monitored entities and Custom tags APIs. |
Write entities |
| Grants access to POST, PUT, and DELETE requests of the Monitored entities and Custom tags APIs. |
Read metrics |
| Grants access to GET requests of the Metrics API v2. |
Write metrics |
| Grants access to the DELETE a custom metric request of the Metrics API v2. |
Read network zones |
| Grants access to GET requests of the Network zones API. |
Write network zones |
| Grants access to POST, PUT, and DELETE requests of the Network zones API. |
Read problems |
| Grants access to GET requests of the Problems API v2. |
Write problems |
| Grants access to POST, PUT, and DELETE requests of the Problems API v2. |
Read releases |
| Grants access to the Releases API. |
Read security problems |
| Grants access to GET requests of the Security problems API. |
Write security problems |
| Grants access to POST requests of the Security problems API. |
Read settings |
| Grants access to GET requests of the Settings API. |
Write settings |
| Grants access to POST and DELETE requests of the Settings API. |
Read SLO |
| Grants access to GET requests of the Service-level objectives API. |
Write SLO |
| Grants access to POST, PUT, and DELETE requests of the Service-level objectives API. |
Authenticate
You have two options to pass your API token: in the Authorization HTTP header or in the api-token query parameter.
We recommend that you use the Authorization header, as URLs (along with tokens passed within them) might be logged in various locations. Users might also bookmark the URLs or share them in plain text. Therefore, placing authentication tokens into the URL increases the risk that they will be captured by an attacker.
You can authenticate by attaching the token to the Authorization HTTP header preceding the Api-Token realm.
--header 'Authorization: Api-Token dt0c01.abc123.abcdefjhij1234567890'The following example shows authentication via HTTP header.
curl --request GET \
--url https://mySampleEnv.live.dynatrace.com/api/v1/config/clusterversion \
--header 'Authorization: Api-Token dt0c01.abc123.abcdefjhij1234567890' \You can authenticate by adding the token as the value of the api-token query parameter.
curl --request GET \
--url 'https://mySampleEnv.live.dynatrace.com/api/v1/config/clusterversion?api-token=abcdefjhij1234567890' \Authentication in the API Explorer
Select the lock 
icon next to any end point to display information about the API tokens that secure that endpoint. Each endpoint requires a specific token type.
You can also unlock all endpoints by selecting Authorize. In the displayed dialog, you can then see which token permissions are necessary for each API endpoint. By entering your API token into the global Available authorizations dialog, you can unlock all related API endpoints.