Tenant tokens API - POST finish rotation

Completes the rotation of the tenant token. The old token becomes invalid. Execute the request only when you have updated all OneAgents and ActiveGates as described in Rotate tenant token.

To avoid data loss, both old and new tokens are valid during the rotation process.

The request produces an application/json payload.

  • Managed https://{your-domain}/e/{your-environment-id}/api/v2/tenantTokenRotation/finish
  • SaaS https://{your-environment-id}.live.dynatrace.com/api/v2/tenantTokenRotation/finish
  • Environment ActiveGate https://{your-activegate-domain}/e/{your-environment-id}/api/v2/tenantTokenRotation/finish


To execute this request, you need the Tenant token rotation (tenantTokenRotation.write) permission assigned to your API token. To learn how to obtain and use it, see Tokens and authentication.


The request doesn't provide any configurable parameters.


Response codes

Code Description

Success. The rotation process is completed. The active field of the response contains the new tenant token.


No ongoing rotation process.

Response body

The TenantTokenConfig object

Configuration of a tenant token.

Element Type Description
old TenantToken
active TenantToken

The TenantToken object

Tenant token

Element Type Description
value string

The secret of the tenant token.


In this example, the request completes the rotation process started in start request example.

The response code of 200 indicates a successful request. The old token 1234567890qrstuvwxyz is no longer valid.

The API token is passed in the Authorization header.


curl -X POST \
  https://mySampleEnv.live.dynatrace.com/api/v2/tenantTokenRotation/finish \
  -H 'Authorization: Api-Token dt0c01.abc123.abcdefjhij1234567890' \  
  -H 'Accept: application/json'

Response body

  "active": {
    "value": "zyxwvutsrq0987654321"
  "old": {
    "value": "1234567890qrstuvwxyz"

Response code