Authentication in account management API
To be authenticated to use the Account management API, you need a valid bearer token. Access to the API is fine-grained, meaning that you also need the proper permissions assigned to the token. See the description of each request to find out which permission is required to use it. The bearer token authenticates you via an OAuth2 client as a service user who is granted access the to API.
To obtain a token, you must create an OAuth2 client and then request the token from it.
Create an OAuth2 client
- Open the User menu in the top right corner, and go to Account settings > Account management API.
- Select Create new client.
- Provide a description for the new client.
- Provide an email of the user who owns the client.
- Select the required scopes.
These are the scopes that the client will be able to grant. Specific tokens might have different scope sets.
- Select Generate client.
- Copy the generated information to the clipboard. Store it in a password manager for future use.
You can only access your client secret once upon creation. You can't reveal it afterwards.
|Allow read access for identity resources (users and groups)|
|Allow write access for identity resources (users and groups)|
|Allow read access for environment resources|
|Allow write access for environment resources|
|Allow read access for usage and consumption resources|
|Allow write access for usage and consumption resources|
|Allow IAM policy configuration for environments|
Request a token
After you create the OAuth2 client, request the bearer token from the Dynatrace SSO system via an API call.
Provide the following parameters in the request body. Be sure to URL-encode all values!
A list of required scopes separated by a whitespace, for example
You can assign multiple scopes to a single token, or you can generate several tokens, each with different access levels and use them accordingly—check your organization's security policies for the best practice.
The response of the request contains the bearer token.
To authenticate a call, attach the token to the Authorization HTTP header preceding the Bearer realm.
--header 'Authorization: Bearer abcdefjhij1234567890'
The following example shows the authentication.
curl --request GET \ --url https://api.dynatrace.com/iam/v1/accounts/2b794097-8ad2-4b32-b923-0131da2eeddf/users \ --header 'Authorization: Bearer abcdefjhij1234567890' \