Access tokens
All external access to your Dynatrace monitoring environment relies on two pieces of information: the environment ID and an access token.
Dynatrace uses several types of tokens:
- API tokens grant access to the Dynatrace API
- PaaS tokens allow download of OneAgent and ActiveGate installers
- Tenant tokens allow OneAgent to report data to Dynatrace
- Module tokens grant access to module integrations.
Dynatrace version 1.205+ Token format
Dynatrace uses a unique token format consisting of three components separated by dots (.).
dt0c01.ST2EY72KQINMH574WMNVI7YN.G3DFPBEJYMODIDAEX454M7YWBUVEFOWKPRVMWFASS64NFH52PX6BNDVFFM572RZM
dt0c01 |
Prefix to identify the token. |
ST2...7YN |
Public portion of token
A 24-character public identifier of the token. This value can be safely displayed in the UI and can be used for logging purposes. |
G3D...RZM |
Secret portion of token
A 64-character secret portion of the token, which can be treated like a password and therefore doesn’t need to be displayed in the Dynatrace web UI (following initial creation) or stored in log files. |
The predictable format gives you several advantages, such as:
- Using Git pre-commit hooks to avoid pushing tokens to source code repositories (for example, using tools like git-secrets)
- Defining masking rules to obfuscate the secret portions of tokens when writing log files
- Detecting tokens in internal files or communications
- Enabling the GitHub secret scanning service to identify any token pushed to a public GitHub repository
Use this regular expression to look for tokens:
dt0[a-zA-Z]{1}[0-9]{2}\.[A-Z0-9]{24}\.[A-Z0-9]{64}
Enable the new format
To enable the new token format
- SaaS and environment-wide Managed Go to Settings > Integration > Token settings.
- Managed cluster In the CMC web UI, go to Settings > API tokens.
With the rollout of Dynatrace version 1.210, this setting will be turned on by default (all newly generated tokens will use the new format). For a limited time, you'll have the option to opt out of using the new token format.
Enabling the new token format doesn't affect validity of any existing token.
API token
API tokens are used by Dynatrace API to authenticate various API calls. API tokens have fine-grained scopes to limit access to specific product functionality for security reasons.
Token scopes
Dynatrace provides the following permissions for API tokens. You can set them in the UI, as described above, or via Tokens API. Some scopes are only available via API.
| Name | API value | Description |
|---|---|---|
| Access problems and event feed, metrics, and topology | DataExport |
Grants access to various calls of Environment API. |
| ActiveGate certificate management | ActiveGateCertManagement |
Allows to configure certificate on private ActiveGates. |
| Anonymize user sessions for data privacy reasons | UserSessionAnonymization |
Grants access to Anonymization API. |
| AppMon integration for hybrid deployments | AppMonIntegration |
Allows to import monitoring data from AppMon. |
| Capture request data | CaptureRequestData |
Grants access to Request attributes API. |
| Change data privacy settings | DataPrivacy |
Grants access to Data privacy API and data privacy calls of Web application configuration API. |
| Create and read synthetic monitors, locations, and nodes | ExternalSyntheticIntegration |
Grants access to the Synthetic API. |
| Create support alerts | SupportAlert |
Allows creation of support alerts for crash analysis.
Part of PaaS token. |
| Davis Assistant integration | Davis |
Integration with Davis. |
| Download OneAgent and ActiveGate installers | InstallerDownload |
Allows to download installers via Deployment API.
Part of PaaS token. |
| Dynatrace NAM integration | DcrumIntegration |
Integration with NAM. |
| Import data and events from external sources | DataImport |
Allows to import data and events from external sources. |
| Log import | LogImport |
Allows to push data stream for storing without using OneAgent. |
| Mobile symbolication file management | DssFileManagement |
Grants access to Mobile Symbolication API. |
| Read audit logs | auditLogs.read |
Grants access to the audit log. |
| Read configuration | ReadConfig |
Grants access to GET calls of Configuration API. |
| Read log content | LogExport |
Grants access to Log Monitoring API. |
| Read synthetic monitors, locations, and nodes | ReadSyntheticData |
Grants access to GET requests of Synthetic API. |
| Real User Monitoring JavaScript tag management | RumJavaScriptTagManagement |
Grants access to Real User Monitoring JavaScript code API. |
| REST request forwarding | RestRequestForwarding |
Allows to fetch data from remote Dynatrace environments for multi-environment dashboarding. |
| Token management | TenantTokenManagement |
Allows to create and delete tokens as well as view their metadata via Tokens API. |
| User sessions | DTAQLAccess |
Grants access to User sessions API. |
| Write configuration | WriteConfig |
Grants access to POST, PUT, and DELETE calls of Configuration API. |
| Upload plugins using the command line | PluginUpload |
Allows to upload OneAgent extensions via command line tool. |
| Read entities using API V2 | entities.read |
Grants access to GET requests of the Monitored entities and Custom tags APIs. |
| Write entities using API V2 | entities.write |
Grants access to POST, PUT, and DELETE requests of the Monitored entities and Custom tags APIs. |
| Read network zones using API V2 | networkZones.read |
Grants access to GET requests of the Network zones API. |
| Write network zones using API V2 | networkZones.write |
Grants access to POST, PUT, and DELETE requests of the Network zones API. |
| Read Credential Vault entries | credentialVault.read |
Grants access to GET requests of the Credential vault API. |
| Write Credential Vault entries | credentialVault.write |
Grants access to POST, PUT, and DELETE requests of the Credential vault API. |
| Read metrics | metrics.read |
Grants access to GET requests of the Metrics API v2. |
| Ingest metrics | metrics.ingest |
Grants access to the POST ingest data points request of the Metrics v2 API. |
| Read ActiveGates | activeGates.read |
Grants access to GET requests of the ActiveGates API. |
| Write ActiveGates | activeGates.write |
Grants access to POST and DELETE requests of the ActiveGates API. |
| Read synthetic locations | syntheticLocations.read |
Grants access to GET requests of the Synthetic nodes API v2. |
| Write synthetic locations | syntheticLocations.write |
Grants access to POST, PUT, and DELETE requests of the Synthetic nodes API v2. |
| Read problems | problems.read |
Grants access to GET requests of the Problems API v2. |
| Write problems | problems.write |
Grants access to POST, PUT, and DELETE requests of the Problems API v2. |
Create an API token
To generate an API token
- Select Settings in the navigation menu.
- Go to Integration > Dynatrace API.
- Select Generate token.
- Enter a name for your token.
- Select the required permissions for the token.
- Select Generate.
You can assign multiple permissions to a single token, or you can generate several tokens, each with different access levels and use them accordingly—check your organization's security policies for the best practice.
Alternatively you can use the POST a new token API call to generate a token. Some tokens are only available via API.
Dynatrace doesn't enforce unique token names. You can create multiple tokens with the same name. Be sure to provide a meaningful name for each token you generate. Proper naming helps you to efficiently manage your tokens and perhaps delete them when they're no longer needed.
PaaS token
PaaS tokens are used to download OneAgent and ActiveGate installers. To generate a PaaS token
- Sign in using your Dynatrace account.
- Select Settings from the navigation menu.
- Select Integration > Platform as a Service.
- Select Generate token.
- Enter a meaningful name for your PaaS token. For instance, a meaningful token name might be the name of the PaaS platform you want to monitor (
azure,cloud-foundry,openshift, etc). - Select Generate to create the PaaS token. The newly created PaaS token is added to the Platform as a Service tokens.
The PaaS token is essentially an API token used in combination with your environment ID to download OneAgent.
- Select Copy to copy the generated token to the clipboard. Store the token in a password manager for future use.
For security reasons, revealing your PaaS token on request isn't going to be possible in the near future. You'll have only one chance to see and grab the generated PaaS token, and that is immediately after you generate it.
Alternatively you can use the POST a new token API call to generate a token with the InstallerDownload and SupportAlert permissions.
Tenant token
The tenant token is used by OneAgents to report data to Dynatrace.
Access a tenant token
To obtain a tenant token of your environment, execute the GET connectivity information for OneAgent request of the Deployment API. You will find the tenant token in the tenantToken field of the response body. You'll need your PaaS token to authenticate the request.
Module token
Module tokens are used by Dynatrace modules to report data to Dynatrace.
To generate a module token
- Select Settings in the navigation menu.
- Go to Integration > Dynatrace modules.
- Select Generate token for the module you need.
- Enter a name for your token.
- Select Generate
Alternatively you can use the POST a new token API call to generate a token with one of the following permissions:
AppMonIntegration—for AppMon integration.DcrumIntegration—for NAM integration.Davis—for Davis Assistant integration.