Access tokens
All external access to your Dynatrace monitoring environment relies on two pieces of information: the environment ID and an access token.
Dynatrace uses several types of tokens:
- API tokens and personal access tokens grant access to the Dynatrace API
- PaaS tokens allow download of OneAgent and ActiveGate installers
- Tenant tokens allow OneAgent to report data to Dynatrace
- Module tokens grant access to module integrations.
Token format
Dynatrace uses a unique token format consisting of three components separated by dots (.
).
Token example
dt0s01.ST2EY72KQINMH574WMNVI7YN.G3DFPBEJYMODIDAEX454M7YWBUVEFOWKPRVMWFASS64NFH52PX6BNDVFFM572RZM
Token components
Component name | Component description |
---|---|
prefix | The prefix identifies the token type. In our example: See Token prefixes below for a table of standard prefixes. |
public portion | The public portion of the token is a 24-character public identifier. In our example: |
The token identifier is the combination of the prefix and the public portion. A token identifier can be safely displayed in the UI and can be used for logging purposes. In our example: | |
secret portion | The secret portion of the token is a 64-character string that should be treated like a password:
In our example: |
Token prefixes
Prefix | Description |
---|---|
| This is an API token. It's used as an authorization method: a valid token allows the user to make changes within the Dynatrace account through SCIM.
|
| OAuth2 Clients created by users through Account Management to be used with Dynatrace Apps and Account Management API. |
| OAuth2 Clients for internal and external services and integrations. |
| Chat and identity linking. |
| This is an OAuth2 Refresh Token, which is used to retrieve a new Access Token and generally changes frequently (typically every 5 to 15 minutes). |
| OAuth2 Clients for internal and external services and integrations. |
| Chat and identity linking. |
The predictable format gives you several advantages, such as:
- Using Git pre-commit hooks to avoid pushing tokens to source code repositories (for example, using tools like git-secrets)
- Defining masking rules to obfuscate the secret portions of tokens when writing log files
- Detecting tokens in internal files or communications
- Enabling the GitHub secret scanning service to identify any token pushed to a public GitHub repository
Use this regular expression to look for tokens:
dt0[a-zA-Z]{1}[0-9]{2}\.[A-Z0-9]{24}\.[A-Z0-9]{64}
With the rollout of Dynatrace version 1.210, this format is enabled by default (all newly generated tokens will use the new format).
All existing tokens of the old format remain valid.
Disable the new format
For a limited time, you have the option to opt out of using the new token format. You can find the setting here:
- SaaS and environment-wide Managed Go to Settings > Integration > Token settings.
- Managed cluster In the CMC web UI, go to Settings > API tokens.
API token
API tokens are used by Dynatrace API to authenticate various API calls. API tokens have fine-grained scopes to limit access to specific product functionality for security reasons.
Token scopes
Create an API token
To generate an API token
- In the Dynatrace menu, go to Access tokens.
- Select Generate new token.
- Enter a name for your token.
- Find and select the required permissions for the token in the scopes list.
- Select Generate token.
- Select Copy to copy the generated token to the clipboard. Store the token in a password manager for future use.
You can assign multiple permissions to a single token, or you can generate several tokens, each with different access levels and use them accordingly—check your organization's security policies for the best practice.
Alternatively, you can use the POST a token call of the Access tokens API to generate a token.
Dynatrace doesn't enforce unique token names. You can create multiple tokens with the same name. Be sure to provide a meaningful name for each token you generate. Proper naming helps you to efficiently manage your tokens and perhaps delete them when they're no longer needed.
PaaS token
PaaS tokens are used to download OneAgent and ActiveGate installers. To generate a PaaS token
- In the Dynatrace menu, go to Access tokens.
- Select Generate new token.
- Enter a name for your token.
- Find and select the required permissions for the token in the scopes list.
- Select Generate token.
- Select Copy to copy the generated token to the clipboard. Store the token in a password manager for future use.
Alternatively, you can use the POST a new token API call to generate a token with the InstallerDownload
and SupportAlert
permissions.
Tenant token
The tenant token is used by OneAgents and ActiveGates to report data to Dynatrace. Dynatrace automatically generates the tenant token and adds it to OneAgent and ActiveGate installers on download.
Access a tenant token
To obtain a tenant token for your environment, execute the GET connectivity information for OneAgent request of the Deployment API. You will find the tenant token in the tenantToken
field of the response body. You'll need your PaaS token to authenticate the request.
Rotate tenant token
You can change the tenant token as needed (for example, to adhere to internal security policies or respond to unintended exposure). The procedure for changing the tenant token is called tenant token rotation. To learn how to rotate tenant tokens, see Tenant token.
Personal access token
All the above mentioned tokens require admin rights to generate. With personal access tokens, you can generate a token for API usage without admin rights. Available scopes are bound to your permissions, meaning that you can only use the API counterparts of features you're already authorized to use. You're also limited to the data from management zones you have access to.
A personal access token is bound to you. You can't generate a personal access token for another user.
Enable personal access tokens
Admin rights are required to enable this feature. After it's enabled, any user can generate a personal access token.
To enable personal access tokens
- In the Dynatrace menu, go to Settings and select Integration > Token settings.
- Turn on Enable personal access tokens.
Generate personal access tokens
To generate a personal access token
- Open the user menu in the upper-right corner of the Dynatrace web UI and select Personal access tokens.
- Select Generate new token.
- Enter a name for your token.
Dynatrace doesn't enforce unique token names. You can create multiple tokens with the same name. Be sure to provide a meaningful name for each token you generate. Proper naming helps you to efficiently manage your tokens and perhaps delete them when they're no longer needed. - Select the required scopes for the token.
- Select Generate token.
- Copy the generated token to the clipboard. Store the token in a password manager for future use.
You can only access your token once upon creation. You can't reveal it afterward.