Access tokens

All external access to your Dynatrace monitoring environment relies on two pieces of information: the environment ID and an access token.

Dynatrace uses several types of tokens:

• API tokens grant access to the Dynatrace API
• PaaS tokens allow download of OneAgent and ActiveGate installers
• Tenant tokens allow OneAgent to report data to Dynatrace
• Module tokens grant access to module integrations.

API token

API tokens are used by Dynatrace API to authenticate various API calls. API tokens have fine-grained scopes to limit access to specific product functionality for security reasons.

Token scopes

Dynatrace provides the following permissions for API tokens. You can set them in the UI, as described above, or via Tokens API. Some scopes are only available via API.

Name	API value	Description
Access problems and event feed, metrics, and topology	DataExport	Grants access to various calls of Environment API.
ActiveGate certificate management	ActiveGateCertManagement	Allows to configure certificate on private ActiveGates.
Anonymize user sessions for data privacy reasons	UserSessionAnonymization	Grants access to Anonymization API.
AppMon integration for hybrid deployments	AppMonIntegration	Allows to import monitoring data from AppMon.
Capture request data	CaptureRequestData	Grants access to Request attributes API.
Change data privacy settings	DataPrivacy	Grants access to Data privacy API and data privacy calls of Web application configuration API.
Create and read synthetic monitors, locations, and nodes	ExternalSyntheticIntegration	Grants access to the Synthetic API.
Create support alerts	SupportAlert	Allows creation of support alerts for crash analysis. Part of PaaS token.
Davis Assistant integration	Davis	Integration with Davis.
Download OneAgent and ActiveGate installers	InstallerDownload	Allows to download installers via Deployment API. Part of PaaS token.
Dynatrace NAM integration	DcrumIntegration	Integration with NAM.
Import data and events from external sources	DataImport	Allows to import data and events from external sources.
Log import	LogImport	Allows to push data stream for storing without using OneAgent.
Mobile symbolication file management	DssFileManagement	Grants access to Mobile Symbolication API.
Read audit logs	ReadAuditLogs	Grants access to the audit log.
Read configuration	ReadConfig	Grants access to GET calls of Configuration API.
Read log content	LogExport	Grants access to Log Monitoring API.
Read synthetic monitors, locations, and nodes	ReadSyntheticData	Grants access to GET requests of Synthetic API.
Real User Monitoring JavaScript tag management	RumJavaScriptTagManagement	Grants access to Real User Monitoring JavaScript code API.
REST request forwarding	RestRequestForwarding	Allows to fetch data from remote Dynatrace environments for multi-environment dashboarding.
Token management	TenantTokenManagement	Allows to create and delete tokens as well as view their metadata via Tokens API.
User sessions	DTAQLAccess	Grants access to User sessions API.
Write configuration	WriteConfig	Grants access to POST, PUT, and DELETE calls of Configuration API.
Upload plugins using the command line	PluginUpload	Allows to upload OneAgent extensions via command line tool.
Read entities using API V2	entities.read	Grants access to GET requests of the Monitored entities and Custom tags APIs.
Write entities using API V2	entities.write	Grants access to POST, PUT, and DELETE requests of the Monitored entities and Custom tags APIs.
Read network zones using API V2	networkZones.read	Grants access to GET requests of the Network zones API.
Write network zones using API V2	networkZones.write	Grants access to POST, PUT, and DELETE requests of the Network zones API.
Read Credential Vault entries	credentialVault.read	Grants access to GET requests of the Credential vault API.
Write Credential Vault entries	credentialVault.write	Grants access to POST, PUT, and DELETE requests of the Credential vault API.

Create an API token

To generate an API token

1. Select Settings in the navigation menu.
2. Go to Integration > Dynatrace API.
3. Select Generate token.
4. Enter a name for your token.
5. Select the required permissions for the token.
6. Select Generate.

You can assign multiple permissions to a single token, or you can generate several tokens, each with different access levels and use them accordingly—check your organization's security policies for the best practice.

Alternatively you can use the POST a new token API call to generate a token. Some tokens are only available via API.

Access existing API tokens

To view available API tokens

1. Select Settings in the navigation menu.
2. Go to Integration > Dynatrace API.
   The API tokens table contains the list of API tokens you own.

Alternatively you can use the GET all tokens API call to view all available tokens.

PaaS token

PaaS tokens are used to download OneAgent and ActiveGate installers.

Create a PaaS token

To generate a PaaS token

1. Sign in using your Dynatrace account.
2. Select Deploy Dynatrace from the left-hand menu.
3. Select Set up PaaS integration.
4. Your environment ID appears in the Environment ID text box. You'll need this ID to link your Dynatrace account with your PaaS environment. Select Copy to copy the ID to the clipboard. You can do this at any time by revisiting this page.
5. To generate a PaaS token, select Generate new token.
   The PaaS token is essentially an API token that's used in combination with your environment ID to download OneAgent. As you'll see, there's also a default InstallerDownload token available that you can alternatively use. However, for security reasons, it's recommended that you create several discrete tokens for each environment you have.
6. Enter a meaningful name for your PaaS token. A meaningful token name might be the name of the PaaS platform you want to monitor (for example, azure, cloud-foundry, or openshift).
7. Select Generate to create the PaaS token. The newly created PaaS token will appear in the list below. Select Copy to copy the generated token to the clipboard. You can do this at any time by revisiting this page and selecting Show token next to the relevant PaaS token.

Alternatively you can use the POST a new token API call to generate a token with the InstallerDownload and SupportAlert permissions.

Access existing PaaS tokens

To view available API tokens

1. Select Settings in the navigation menu.
2. Go to Integration > Platform as a Service.
   The Platform as a Service tokens table contains the list of tokens you own.

Alternatively you can use the GET all tokens API call with the permissions parameter set to InstallerDownload.

Tenant token

The tenant token is used by OneAgents to report data to Dynatrace.

Access a tenant token

To obtain a tenant token of your environment, execute the GET connectivity information for OneAgent request of the Deployment API. You will find the tenant token in the tenantToken field of the response body. You'll need your PaaS token to authenticate the request.

Module token

Module tokens are used by Dynatrace modules to report data to Dynatrace.

Create a module token

To generate a module token

1. Select Settings in the navigation menu.
2. Go to Integration > Dynatrace modules.
3. Select Generate token for the module you need.
4. Enter a name for your token.
5. Select Generate

Alternatively you can use the POST a new token API call to generate a token with one of the following permissions:

• AppMonIntegration—for AppMon integration.
• DcrumIntegration—for NAM integration.
• Davis—for Davis Assistant integration.

Access existing module tokens

1. Select Settings in the navigation menu.
2. Go to Integration > Dynatrace modules.
   The Dynatrace module tokens table contains the list of tokens you own.

Alternatively you can use GET all tokens API call with the permissions parameter set to one of the following:

• AppMonIntegration
• DcrumIntegration
• Davis