Dynatrace API - Tokens and authentication

To be authenticated to use the Dynatrace API, you need a valid API token or a valid personal access token. Access to the API is fine-grained, meaning that you also need the proper permissions assigned to the token. See the description of each request to find out which permissions are required to use it.

Token format

Dynatrace uses a unique token format consisting of three components separated by dots (.).

dt0c01.ST2EY72KQINMH574WMNVI7YN.G3DFPBEJYMODIDAEX454M7YWBUVEFOWKPRVMWFASS64NFH52PX6BNDVFFM572RZM

dt0c01 Prefix to identify the token.
ST2...7YN

Public portion of token

A 24-character public identifier of the token. This value can be safely displayed in the UI and can be used for logging purposes.

G3D...RZM

Secret portion of token

A 64-character secret portion of the token, which can be treated like a password and therefore doesn’t need to be displayed in the Dynatrace web UI (following initial creation) or stored in log files.

Generate a token

To generate an API token

  1. In the Dynatrace menu, select Settings.

  2. Go to Integration > Dynatrace API.

  3. Select Generate token.

  4. Enter a name for your token.

  5. Select the required permissions for the token.

  6. Select Generate.

  7. Copy the generated token to the clipboard. Store the token in a password manager for future use.

    You can only access your token once upon creation. You can't reveal it afterwards.

You can assign multiple permissions to a single token, or you can generate several tokens, each with different access levels and use them accordingly—check your organization's security policies for the best practice.

Alternatively, you can use the POST a token call of the API authentication tokens API to generate a token.

Dynatrace doesn't enforce unique token names. You can create multiple tokens with the same name. Be sure to provide a meaningful name for each token you generate. Proper naming helps you to efficiently manage your tokens and perhaps delete them when they're no longer needed.

Token permissions

Dynatrace provides the following permissions for API tokens. You can set them in the UI as described above or via the API authentication tokens API. Some scopes are only available via API.

Name API value Description

API v2

Read metrics metrics.read Grants access to GET requests of the Metrics API v2.
Write metrics metrics.write Grants access to the DELETE a custom metric request of the Metrics API v2.
Ingest metrics metrics.ingest Grants access to the POST ingest data points request of the Metrics v2 API.
Read entities entities.read Grants access to GET requests of the Monitored entities and Custom tags APIs.
Write entities entities.write Grants access to POST, PUT, and DELETE requests of the Monitored entities and Custom tags APIs.
Read problems problems.read Grants access to GET requests of the Problems API v2.
Write problems problems.write Grants access to POST, PUT, and DELETE requests of the Problems API v2.
Read network zones networkZones.read Grants access to GET requests of the Network zones API.
Write network zones networkZones.write Grants access to POST, PUT, and DELETE requests of the Network zones API.
Read ActiveGates activeGates.read Grants access to GET requests of the ActiveGates API.
Write ActiveGates activeGates.write Grants access to POST and DELETE requests of the ActiveGates API.
Read extensions extensions.read Grants access to GET requests from the Extensions section of the Extensions 2.0 API.
Write extensions extensions.write Grants access to POST and DELETE requests from the Extensions section of the Extensions 2.0 API.
Read extensions environment configuration extensionEnvironment.read Grants access to GET requests from the Extensions environment configuration section of the Extensions 2.0 API.
Write extensions environment configuration extensionEnvironment.write Grants access to POST, PUT, and DELETE requests from the Extensions environment configuration section of the Extensions 2.0 API.
Read extensions monitoring configuration extensionConfigurations.read Grants access to GET requests from the Extensions monitoring configuration section of the Extensions 2.0 API.
Write extensions monitoring configuration extensionConfigurations.write Grants access to POST, PUT, and DELETE requests from the Extensions monitoring configuration section of the Extensions 2.0 API.
Read security problems securityProblems.read Grants access to GET requests of the Security problems API.
Write security problems securityProblems.write Grants access to POST requests of the Security problems API.
Read synthetic locations syntheticLocations.read Grants access to GET requests of the Synthetic locations API v2 and Synthetic nodes API v2.
Write synthetic locations syntheticLocations.write Grants access to POST, PUT, and DELETE requests of the Synthetic locations API v2 and Synthetic nodes API v2.
Read settings settings.read Grants access to GET requests of the Settings API.
Write settings settings.write Grants access to POST and DELETE requests of the Settings API.
Tenant token rotation tenantTokenRotation.write Grants access to the Tenant tokens API.
Read SLO slo.read Grants access to GET requests of the Service level objectives API.
Write SLO slo.write Grants access to POST, PUT, and DELETE requests of the Service level objectives API.
Read API tokens apiTokens.read Grants access to GET requests of the API authentication tokens API.
Write API tokens apiTokens.write Grants access to POST, PUT, and DELETE requests of the API authentication tokens API.
Read releases releases.read Grants access to the Releases API.
Read audit logs auditLogs.read Grants access to the audit log.

API v1

Read credential vault entries credentialVault.read Grants access to GET requests of the Credential vault API.
Write credential vault entries credentialVault.write Grants access to POST, PUT, and DELETE requests of the Credential vault API.
Access problems and event feed, metrics, and topology DataExport Grants access to various calls of Environment API.
Create and read synthetic monitors, locations, and nodes ExternalSyntheticIntegration Grants access to the Synthetic API.
Read synthetic monitors, locations, and nodes ReadSyntheticData Grants access to GET requests of Synthetic API.
Read configuration ReadConfig Grants access to GET calls of Configuration API.
Write configuration WriteConfig Grants access to POST, PUT, and DELETE calls of Configuration API.
Change data privacy settings DataPrivacy Grants access to Data privacy API and data privacy calls of Web application configuration API.
User sessions DTAQLAccess Grants access to User sessions API.
Anonymize user sessions for data privacy reasons UserSessionAnonymization Grants access to Anonymization API.
Mobile symbolication file management DssFileManagement Grants access to Mobile symbolication API.
Real User Monitoring JavaScript tag management RumJavaScriptTagManagement Grants access to Real User Monitoring JavaScript API.
Token management TenantTokenManagement Allows to create and delete tokens as well as view their metadata via Tokens API.
ActiveGate certificate management ActiveGateCertManagement Allows to configure certificate on private ActiveGates.
Data ingest DataImport Allows to import data and events from external sources.
REST request forwarding RestRequestForwarding Allows to fetch data from remote Dynatrace environments for multi-environment dashboarding.
Capture request data CaptureRequestData Grants access to Request attributes API.
Read log content LogExport Grants access to Log Monitoring API.

PaaS token

Download OneAgent and ActiveGate installers InstallerDownload

Allows download of installers via Deployment API.

Part of PaaS token.

Create support alerts SupportAlert

Allows creation of support alerts for crash analysis.

Part of PaaS token.

Integrations

AppMon integration for hybrid deployments AppMonIntegration Allows import of monitoring data from AppMon.
Dynatrace NAM integration DcrumIntegration Integration with NAM.

Other

Upload plugins using the command line PluginUpload Allows to upload OneAgent extensions via command line tool.

Authenticate

You have two options to pass your API token: in the Authorization HTTP header or in the api-token query parameter.

We recommend that you use the Authorization header, as URLs (along with tokens passed within them) might be logged in various locations. Users might also bookmark the URLs or share them in plain text. Therefore, placing authentication tokens into the URL increases the risk that they will be captured by an attacker.

You can authenticate by attaching the token to the Authorization HTTP header preceding the Api-Token realm.

--header 'Authorization: Api-Token abcdefjhij1234567890'

The following example shows authentication via HTTP header.

curl --request GET \
  --url https://mySampleEnv.live.dynatrace.com/api/v1/config/clusterversion \
  --header 'Authorization: Api-Token abcdefjhij1234567890' \

Authentication in the API Explorer

Select the lock Lock icon next to any end point to display information about the API tokens that secure that endpoint. Each endpoint requires a specific token type.

You can also unlock all endpoints by selecting Authorize. In the displayed dialog, you can then see which token permissions are necessary for each API endpoint. By entering your API token into the global Available authorizations dialog, you can unlock all related API endpoints.