• Home
  • Manage
  • Access control
  • Access tokens

Access tokens

Dynatrace version 1.227+

This page describes the UI approach available starting with Dynatrace version 1.227. For procedure for an older version, see the legacy description. Alternatively, you can use the Tokens API v2.

All external access to your Dynatrace monitoring environment relies on two pieces of information: the environment ID and an access token.

Dynatrace uses several types of tokens:

  • Access tokens and personal access tokens grant access to:
    • Dynatrace API
    • Download of OneAgent and ActiveGate installers
    • Access to module integrations
  • Tenant tokens allow OneAgent to report data to Dynatrace

Token format

Dynatrace uses a unique token format consisting of three components separated by dots (.).

dt0c01.ST2EY72KQINMH574WMNVI7YN.G3DFPBEJYMODIDAEX454M7YWBUVEFOWKPRVMWFASS64NFH52PX6BNDVFFM572RZM

The part of a token composed of the prefix and public portion is a token identifier. For example dt0c01.ST2EY72KQINMH574WMNVI7YN. Token identifier can be safely displayed in the UI and can be used for logging purposes.

dt0c01

Prefix to identify the token type.

ST2...7YN

Public portion of token

A 24-character public identifier of the token.

G3D...RZM

Secret portion of token

A 64-character secret portion of the token, which can be treated like a password and therefore doesn’t need to be displayed in the Dynatrace web UI (following initial creation) or stored in log files.

The predictable format gives you several advantages, such as:

  • Using Git pre-commit hooks to avoid pushing tokens to source code repositories (for example, using tools like git-secrets)
  • Defining masking rules to obfuscate the secret portions of tokens when writing log files
  • Detecting tokens in internal files or communications
  • Enabling the GitHub secret scanning service to identify any token pushed to a public GitHub repository

Use this regular expression to look for tokens:

plaintext
dt0[a-zA-Z]{1}[0-9]{2}\.[A-Z0-9]{24}\.[A-Z0-9]{64}

With the rollout of Dynatrace version 1.210, this format is enabled by default (all newly generated tokens will use the new format).

All existing tokens of the old format remain valid.

Disable the new format

For a limited time, you have the option to opt out of using the new token format. You can find the setting here:

  • SaaS and environment-wide Managed Go to Settings > Integration > Token settings.
  • Managed cluster In the CMC web UI, go to Settings > API tokens.

Generate an access token

To generate an access token

  1. In the Dynatrace menu, select Access tokens.
  2. Select Generate new token.
  3. Enter a name for your token.
    Dynatrace doesn't enforce unique token names. You can create multiple tokens with the same name. Be sure to provide a meaningful name for each token you generate. Proper naming helps you to efficiently manage your tokens and perhaps delete them when they're no longer needed.
  4. Select the required scopes for the token.
  5. Select Generate.
  6. Copy the generated token to the clipboard. Store the token in a password manager for future use.

    You can only access your token once upon creation. You can't reveal it afterwards.

Token scopes

Access tokens have fine-grained scopes to limit access to specific product functionality for security reasons.

Dynatrace provides the following permissions for API tokens. You can set them in the web UI as described above or via the Access tokens API. Some scopes are only available via API.

NameAPI valueDescription

API v2

Read metrics

metrics.read

Grants access to GET requests of the Metrics API v2.

Write metrics

metrics.write

Grants access to the DELETE a custom metric request of the Metrics API v2.

Ingest metrics

metrics.ingest

Grants access to the POST ingest data points request of the Metrics v2 API as well as the OpenTelemetry metrics ingest API.

Read logs

logs.read

Grants access to the GET requests of the Log Monitoring API v2

Ingest logs

logs.ingest

Grants access to the POST ingest logs request of the Log Monitoring API v2.

Ingest OpenTelemetry traces

openTelemetryTrace.ingest

Allows to ingest OpenTelemetry traces.

Look up a single trace

traces.lookup

Checks for the presence of a trace in cross-environment tracing.

Read entities

entities.read

Grants access to GET requests of the Monitored entities and Custom tags APIs.

Write entities

entities.write

Grants access to POST, PUT, and DELETE requests of the Monitored entities and Custom tags APIs.

Read problems

problems.read

Grants access to GET requests of the Problems API v2.

Write problems

problems.write

Grants access to POST, PUT, and DELETE requests of the Problems API v2.

Read events

events.read

Grants access to GET requests of the Events API v2.

Ingest events

events.ingest

Grants access to POST request of the Events API v2.

Read network zones

networkZones.read

Grants access to GET requests of the Network zones API.

Write network zones

networkZones.write

Grants access to POST, PUT, and DELETE requests of the Network zones API.

Read ActiveGates

activeGates.read

Grants access to GET requests of the ActiveGates API.

Write ActiveGates

activeGates.write

Grants access to POST and DELETE requests of the ActiveGates API.

Read ActiveGate tokens

activeGateTokenManagement.read

Grants access to GET requests of the ActiveGate tokens API.

Create ActiveGate tokens

activeGateTokenManagement.create

Grants access to the POST request of the ActiveGate tokens API.

Write ActiveGate tokens

activeGateTokenManagement.write

Grants access to POST and DELETE requests of the ActiveGate tokens API.

Read extensions

extensions.read

Grants access to GET requests from the Extensions section of the Extensions 2.0 API.

Write extensions

extensions.write

Grants access to POST and DELETE requests from the Extensions section of the Extensions 2.0 API.

Read extensions environment configuration

extensionEnvironment.read

Grants access to GET requests from the Extensions environment configuration section of the Extensions 2.0 API.

Write extensions environment configuration

extensionEnvironment.write

Grants access to POST, PUT, and DELETE requests from the Extensions environment configuration section of the Extensions 2.0 API.

Read extensions monitoring configuration

extensionConfigurations.read

Grants access to GET requests from the Extensions monitoring configuration section of the Extensions 2.0 API.

Write extensions monitoring configuration

extensionConfigurations.write

Grants access to POST, PUT, and DELETE requests from the Extensions monitoring configuration section of the Extensions 2.0 API.

Read security problems

securityProblems.read

Grants access to GET requests of the Security problems API.

Write security problems

securityProblems.write

Grants access to POST requests of the Security problems API.

Read synthetic locations

syntheticLocations.read

Grants access to GET requests of the Synthetic locations API v2 and Synthetic nodes API v2.

Write synthetic locations

syntheticLocations.write

Grants access to POST, PUT, and DELETE requests of the Synthetic locations API v2 and Synthetic nodes API v2.

Read settings

settings.read

Grants access to GET requests of the Settings API.

Write settings

settings.write

Grants access to POST and DELETE requests of the Settings API.

Tenant token rotation

tenantTokenRotation.write

Grants access to the Tenant tokens API.

Read SLO

slo.read

Grants access to GET requests of the Service-level objectives API.

Write SLO

slo.write

Grants access to POST, PUT, and DELETE requests of the Service-level objectives API.

Read API tokens

apiTokens.read

Grants access to GET requests of the Access tokens API.

Write API tokens

apiTokens.write

Grants access to POST, PUT, and DELETE requests of the Access tokens API.

Read releases

releases.read

Grants access to the Releases API.

Read audit logs

auditLogs.read

Grants access to the audit log.

Read Geographic regions

geographicRegions.read

Grants access to the Geographic regions API.

Read synthetic monitor execution results

syntheticExecutions.read

Grants access to GET requests of the /synthetic/executions API.

Write synthetic monitor execution results

syntheticExecutions.write

Grants access to POST request of /synthetic/executions API.

Read credential vault entries

credentialVault.read

Grants access to GET requests of the Credential vault API.

Write credential vault entries

credentialVault.write

Grants access to POST, PUT, and DELETE requests of the Credential vault API.

API v1

Access problems and event feed, metrics, and topology

DataExport

Grants access to various calls of Environment API.

Create and read synthetic monitors, locations, and nodes

ExternalSyntheticIntegration

Grants access to the Synthetic API.

Read synthetic monitors, locations, and nodes

ReadSyntheticData

Grants access to GET requests of Synthetic API.

Read configuration

ReadConfig

Grants access to GET calls of Configuration API.

Write configuration

WriteConfig

Grants access to POST, PUT, and DELETE calls of Configuration API.

Change data privacy settings

DataPrivacy

Grants access to Data privacy API and data privacy calls of Web application configuration API.

User sessions

DTAQLAccess

Grants access to User sessions API.

Anonymize user sessions for data privacy reasons

UserSessionAnonymization

Grants access to Anonymization API.

Mobile symbol file management

DssFileManagement

Grants access to Mobile symbolication API.

Real User Monitoring JavaScript tag management

RumJavaScriptTagManagement

Grants access to Real User Monitoring JavaScript API.

ActiveGate certificate management

ActiveGateCertManagement

Allows to configure certificate on private ActiveGates.

Data ingest

DataImport

Allows to import data and events from external sources.

Fetch data from a remote environment

RestRequestForwarding

Allows to fetch data from remote Dynatrace environments for multi-environment dashboarding.

Capture request data

CaptureRequestData

Grants access to Request attributes API.

Read log content

LogExport

Grants access to Log Monitoring API.

RUM browser extension

RumBrowserExtension

Allows the RUM browser extension to send data to Dynatrace.

Read OneAgents

oneAgents.read

Grants access to GET requests of the OneAgents API.

Write OneAgents

oneAgents.write

Grants access to POST and DELETE requests of the OneAgents API.

PaaS

Download OneAgent and ActiveGate installers

InstallerDownload

Allows download of installers via Deployment API.

Create support alerts

SupportAlert

Allows creation of support alerts for crash analysis.

Other

Upload plugins using the command line

PluginUpload

Allows to upload OneAgent extensions via Extension SDK.

Related topics
  • Tokens API v1

    Learn how to manage Dynatrace API authentication tokens in your environment.