Dynatrace API - Tokens and authentication

To get authenticated to use the Dynatrace API, you need a valid API token. Access to the API is fine-grained, meaning that you also need the proper permissions assigned to the token. See the description of each request to find out which permissions are required to use it.

Generate a token

To generate an API token

  1. Select Settings in the navigation menu.
  2. Go to Integration > Dynatrace API.
  3. Select Generate token.
  4. Enter a name for your token.
  5. Select the required permissions for the token.
  6. Select Generate.

You can assign multiple permissions to a single token, or you can generate several tokens, each with different access levels and use them accordingly—check your organization's security policies for the best practice.

Alternatively you can use the POST a new token API call to generate a token. Some tokens are only available via API.

Dynatrace doesn't enforce unique token names. You can create multiple tokens with the same name. Be sure to provide a meaningful name for each token you generate. Proper naming helps you to efficiently manage your tokens and perhaps delete them when they're no longer needed.

Token permissions

Dynatrace provides the following permissions for API tokens. You can set them in the UI, as described above, or via Tokens API. Some scopes are only available via API.

Name API value Description
Access problems and event feed, metrics, and topology DataExport Grants access to various calls of Environment API.
ActiveGate certificate management ActiveGateCertManagement Allows to configure certificate on private ActiveGates.
Anonymize user sessions for data privacy reasons UserSessionAnonymization Grants access to Anonymization API.
AppMon integration for hybrid deployments AppMonIntegration Allows to import monitoring data from AppMon.
Capture request data CaptureRequestData Grants access to Request attributes API.
Change data privacy settings DataPrivacy Grants access to Data privacy API and data privacy calls of Web application configuration API.
Create and read synthetic monitors, locations, and nodes ExternalSyntheticIntegration Grants access to the Synthetic API.
Create support alerts SupportAlert Allows creation of support alerts for crash analysis.

Part of PaaS token.
Davis Assistant integration Davis Integration with Davis.
Download OneAgent and ActiveGate installers InstallerDownload Allows to download installers via Deployment API.

Part of PaaS token.
Dynatrace NAM integration DcrumIntegration Integration with NAM.
Import data and events from external sources DataImport Allows to import data and events from external sources.
Log import LogImport Allows to push data stream for storing without using OneAgent.
Mobile symbolication file management DssFileManagement Grants access to Mobile Symbolication API.
Read audit logs ReadAuditLogs Grants access to the audit log.
Read configuration ReadConfig Grants access to GET calls of Configuration API.
Read log content LogExport Grants access to Log Monitoring API.
Read synthetic monitors, locations, and nodes ReadSyntheticData Grants access to GET requests of Synthetic API.
Real User Monitoring JavaScript tag management RumJavaScriptTagManagement Grants access to Real User Monitoring JavaScript code API.
REST request forwarding RestRequestForwarding Allows to fetch data from remote Dynatrace environments for multi-environment dashboarding.
Token management TenantTokenManagement Allows to create and delete tokens as well as view their metadata via Tokens API.
User sessions DTAQLAccess Grants access to User sessions API.
Write configuration WriteConfig Grants access to POST, PUT, and DELETE calls of Configuration API.
Upload plugins using the command line PluginUpload Allows to upload OneAgent extensions via command line tool.
Read entities using API V2 entities.read Grants access to GET requests of the Monitored entities and Custom tags APIs.
Write entities using API V2 entities.write Grants access to POST, PUT, and DELETE requests of the Monitored entities and Custom tags APIs.
Read network zones using API V2 networkZones.read Grants access to GET requests of the Network zones API.
Write network zones using API V2 networkZones.write Grants access to POST, PUT, and DELETE requests of the Network zones API.
Read Credential Vault entries credentialVault.read Grants access to GET requests of the Credential vault API.
Write Credential Vault entries credentialVault.write Grants access to POST, PUT, and DELETE requests of the Credential vault API.


You can authenticate by attaching the token to the Authorization HTTP header preceding the Api-Token realm.

--header 'Authorization: Api-Token abcdefjhij1234567890'

The following example shows authentication via HTTP header.

curl --request GET \
  --url https://mySampleEnv.live.dynatrace.com/api/v1/config/clusterversion \
  --header 'Authorization: Api-Token abcdefjhij1234567890' \

Authentication in the API Explorer

Select the lock Lock icon next to any end point to display information about the API tokens that secure that endpoint. Each endpoint requires a specific token type.

You can also unlock all endpoints by selecting Authorize. In the displayed dialog, you can then see which token permissions are necessary for each API endpoint. By entering your API token into the global Available authorizations dialog, you can unlock all related API endpoints.