Access tokens classic
- Reference
- 2-min read
This article discusses access tokens used in previous Dynatrace to authenticate to classic Configuration and Environment APIs. For the latest Dynatrace access, see Platform tokens and OAuth clients.
All external access to your Dynatrace monitoring environment relies on two pieces of information: the environment ID and an access token.
Dynatrace uses several types of tokens:
- Access tokens and personal access tokens grant access to:
- Dynatrace API
- Download of OneAgent and ActiveGate installers
- Personal access tokens grant access to some endpoints of Dynatrace API
- Tenant tokens allow OneAgent to report data to Dynatrace
Token format
Dynatrace uses a unique token format consisting of three components separated by dots (.).
Token example
dt0s01.ST2EY72KQINMH574WMNVI7YN.G3DFPBEJYMODIDAEX454M7YWBUVEFOWKPRVMWFASS64NFH52PX6BNDVFFM572RZM
Token components
Component name
Component description
prefix
The prefix identifies the token type.
In our example: dt0s01
See Token prefixes below for a table of standard prefixes.
public portion
The public portion of the token is a 24-character public identifier.
In our example: ST2EY72KQINMH574WMNVI7YN
token identifier
The token identifier is the combination of the prefix and the public portion. A token identifier can be safely displayed in the UI and can be used for logging purposes.
In our example: dt0s01.ST2EY72KQINMH574WMNVI7YN
secret portion
The secret portion of the token is a 64-character string that should be treated like a password:
- Don't display it
- Don't store it in log files
- Rotate it instantly if it's leaked
In our example: G3DFPBEJYMODIDAEX454M7YWBUVEFOWKPRVMWFASS64NFH52PX6BNDVFFM572RZM
Token prefixes
Prefix
Description
dt0s01
This is an API token. It's used as an authorization method: a valid token allows the user to make changes within the Dynatrace account through SCIM.
- It is generated once.
- Do not reveal the secret portion of a
dt0s01token. - The public portion is used for identification in the web UI, but you generally should not reveal it (or any portion of this token).
- This token remains in effect until invalidated by the customer, so you must rotate it instantly if it is ever leaked.
dt0s02
OAuth2 Clients created by users through Account Management to be used with Dynatrace Apps and Account Management API.
dt0s03
OAuth2 Clients for internal and external services and integrations.
dt0s04
Chat and identity linking.
dt0s06
This is an OAuth2 Refresh Token, which is used to retrieve a new Access Token and generally changes frequently (typically every 5 to 15 minutes).
dt0s08
OAuth2 Clients for internal and external services and integrations.
dt0s09
Chat and identity linking.
dt0s16
Platform Token enabling programmatic access to Dynatrace platform services.
This predictable format offers you several capabilities:
- Use Git pre-commit hooks to avoid pushing tokens to source code repositories (for example, using tools like git-secrets)
- Define masking rules to obfuscate the secret portions of tokens when writing log files
- Detect tokens in internal files or communications
- Enable the GitHub secret scanning service to identify any token pushed to a public GitHub repository
Use this regular expression to look for tokens:
dt0[a-zA-Z]{1}[0-9]{2}\.[A-Z0-9]{24}\.[A-Z0-9]{64}
With the rollout of Dynatrace version 1.210, this format is enabled by default (all newly generated tokens will use the new format).
All existing tokens of the old format remain valid.
Disable the new format
For a limited time, you can opt out of using the new token format:
-
Go to Settings > Integration > Token settings.
-
Turn off Create Dynatrace API tokens in the new format.
Generate an access token
To generate an access token:
- Go to
Access Tokens. - Select Generate new token.
- Enter a name for your token.
Dynatrace doesn't enforce unique token names. You can create multiple tokens with the same name. Be sure to provide a meaningful name for each token you generate. Proper naming helps you to efficiently manage your tokens and perhaps delete them when they're no longer needed. - Select the required scopes for the token.
- Select Generate token.
- Copy the generated token to the clipboard. Store the token in a password manager for future use.
You can only access your token once upon creation. You can't reveal it afterward.
Token scopes
Access tokens have fine-grained scopes to limit access to specific product functionality for security reasons.
Name
API value
Description
OpenPipeline
OpenPipeline
OpenPipeline
OpenPipeline - Ingest Events
openpipeline.events
Grants access to POST Built-in generic events request of the OpenPipeline Ingest API.
OpenPipeline - Ingest Events, Software Development Lifecycle
openpipeline.events_sdlc
Grants access to POST Built-in SLDC events request of the OpenPipeline Ingest API.
OpenPipeline - Ingest Events, Software Development Lifecycle (Custom)
openpipeline.events_sdlc.custom
Grants access to POST Custom SLDC events request of the OpenPipeline Ingest API.
OpenPipeline - Ingest Security Events (Built-in)
openpipeline.events_security
Grants access to POST Built-in security events request of the OpenPipeline Ingest API.
OpenPipeline - Ingest Security Events (Custom)
openpipeline.events_security.custom
Grants access to POST Custom security events request of the OpenPipeline Ingest API.
OpenPipeline - Ingest Events (Custom)
openpipeline.events.custom
Grants access to POST Custom generic event endpoint request of the OpenPipeline Ingest API.
API v2
API v2
API v2
Create ActiveGate tokens
activeGateTokenManagement.create
Grants access to the POST request of the ActiveGate tokens API.
Read ActiveGate tokens
activeGateTokenManagement.read
Grants access to GET requests of the ActiveGate tokens API.
Write ActiveGate tokens
activeGateTokenManagement.write
Grants access to POST and DELETE requests of the ActiveGate tokens API.
Write API tokens
apiTokens.write
Grants access to POST, PUT, and DELETE requests of the Access tokens API.
Read attacks
attacks.read
Grants access to GET requests of the Attacks API and the Settings API for Application Protection (builtin:appsec.attack-protection-settings, builtin:appsec.attack-protection-advanced-config, and builtin:appsec.attack-protection-allowlist-config schemas).
Write Application Protection settings
attacks.write
Grants access to POST, PUT, and DELETE requests of the Settings API for Application Protection (builtin:appsec.attack-protection-settings, builtin:appsec.attack-protection-advanced-config, and builtin:appsec.attack-protection-allowlist-config schemas).
Read credential vault entries
credentialVault.read
Grants access to GET requests of the Credential vault API.
Write credential vault entries
credentialVault.write
Grants access to POST, PUT, and DELETE requests of the Credential vault API.
Read entities
entities.read
Grants access to GET requests of the Monitored entities and Custom tags APIs.
Write entities
entities.write
Grants access to POST, PUT, and DELETE requests of the Monitored entities and Custom tags APIs.
Read extensions monitoring configuration
extensionConfigurations.read
Grants access to GET requests from the Extensions monitoring configuration section of the Extensions 2.0 API.
Write extensions monitoring configuration
extensionConfigurations.write
Grants access to POST, PUT, and DELETE requests from the Extensions monitoring configuration section of the Extensions 2.0 API.
Read extensions environment configuration
extensionEnvironment.read
Grants access to GET requests from the Extensions environment configuration section of the Extensions 2.0 API.
Write extensions environment configuration
extensionEnvironment.write
Grants access to POST, PUT, and DELETE requests from the Extensions environment configuration section of the Extensions 2.0 API.
Read extensions
extensions.read
Grants access to GET requests from the Extensions section of the Extensions 2.0 API.
Write extensions
extensions.write
Grants access to POST, PUT, and DELETE requests from the Extensions section of the Extensions 2.0 API.
Install and update Hub items
hub.install
Grants permission to install and update extensions via the Hub items API.
Manage metadata of Hub items
hub.write
Grants permission to manage metadata of Hub items via the Hub items API.
Read JavaScript mapping files
javaScriptMappingFiles.read
Write JavaScript mapping files
javaScriptMappingFiles.write
Ingest logs
logs.ingest
Grants access to the POST ingest logs request of the Log Monitoring API v2 as well as the OpenTelemetry log ingest API.
Ingest metrics
metrics.ingest
Grants access to the POST ingest data points request of the Metrics v2 API as well as the OpenTelemetry metrics ingest API.
Write metrics
metrics.write
Grants access to the DELETE a custom metric request of the Metrics API v2.
Write network zones
networkZones.write
Grants access to POST, PUT, and DELETE requests of the Network zones API.
Ingest OpenTelemetry traces
openTelemetryTrace.ingest
Grants permission to ingest OpenTelemetry traces.
Read security problems
securityProblems.read
Grants access to GET requests of the Security problems API.
Write security problems
securityProblems.write
Grants access to POST requests of the Security problems API.
Write SLO
slo.write
Grants access to POST, PUT, and DELETE requests of the Service-level objectives API.
Read synthetic monitor execution results
syntheticExecutions.read
Grants access to GET requests of the /synthetic/executions API.
Write synthetic monitor execution results
syntheticExecutions.write
Grants access to POST request of /synthetic/executions API.
Read synthetic locations
syntheticLocations.read
Grants access to GET requests of the Synthetic locations API v2 and Synthetic nodes API v2.
Write synthetic locations
syntheticLocations.write
Grants access to POST, PUT, and DELETE requests of the Synthetic locations API v2 and Synthetic nodes API v2.
Look up a single trace
traces.lookup
Checks for the presence of a trace in cross-environment tracing.
Read Unified Analysis page
unifiedAnalysis.read
Grants access to the Unified analysis schema in the Settings API.
API v1
API v1
API v1
Access problems and event feed, metrics, and topology
DataExport
Grants access to various calls of Environment API.
Create and read synthetic monitors, locations, and nodes
ExternalSyntheticIntegration
Grants access to the Synthetic API.
Read synthetic monitors, locations, and nodes
ReadSyntheticData
Grants access to GET requests of Synthetic API.
Change data privacy settings
DataPrivacy
Grants access to Data privacy API and data privacy calls of Web application configuration API.
Anonymize user sessions for data privacy reasons
UserSessionAnonymization
Grants access to Anonymization API.
Real User Monitoring JavaScript tag management
RumJavaScriptTagManagement
Grants access to Real User Monitoring JavaScript API.
ActiveGate certificate management
ActiveGateCertManagement
Grants permission to configure certificate on private ActiveGates.
Fetch data from a remote environment
RestRequestForwarding
Grants permission to fetch data from remote Dynatrace environments for multi-environment dashboarding.
PaaS
PaaS
PaaS
Download OneAgent and ActiveGate installers
InstallerDownload
Allows download of installers via Deployment API.
Other
Other
Other
Upload plugins using the command line
PluginUpload
Grants permission to upload OneAgent extensions via Extension SDK.