Dynatrace API - Tokens and authentication
- Reference
- Published Aug 23, 2018
To be authenticated to use the Dynatrace API, you need a valid access token or a valid personal access token. Access to the API is fine-grained, meaning that you also need the proper scopes assigned to the token. See the description of each request to find out which scopes are required to use it.
For details on OAuth clients, see OAuth clients.
Token format
Dynatrace uses a unique token format consisting of three components separated by dots (.).
Token example
dt0s01.ST2EY72KQINMH574WMNVI7YN.G3DFPBEJYMODIDAEX454M7YWBUVEFOWKPRVMWFASS64NFH52PX6BNDVFFM572RZM
Token components
Token prefixes
Generate a token
To generate an access token:
- Go to
Access Tokens. - Select Generate new token.
- Enter a name for your token.
Dynatrace doesn't enforce unique token names. You can create multiple tokens with the same name. Be sure to provide a meaningful name for each token you generate. Proper naming helps you to efficiently manage your tokens and perhaps delete them when they're no longer needed. - Select the required scopes for the token.
- Select Generate token.
- Copy the generated token to the clipboard. Store the token in a password manager for future use.
You can only access your token once upon creation. You can't reveal it afterward.
You can assign multiple scopes to a single token, or you can generate several tokens, each with different access levels and use them accordingly—check your organization's security policies for the best practice.
To change the scope of an existing token, use the PUT a token call of the Access tokens API. Note that you need to submit the existing scopes if you want to keep them. Any existing scope missing in the payload is removed.
Alternatively, you can use the POST a token call to generate a token.
Token scopes
OpenPipeline
API v2
API v1
PaaS
Other
Authenticate
You have two options to pass your API token: in the Authorization HTTP header or in the api-token query parameter.
We recommend that you use the Authorization header, as URLs (along with tokens passed within them) might be logged in various locations. Users might also bookmark the URLs or share them in plain text. Therefore, placing authentication tokens into the URL increases the risk that they will be captured by an attacker.
You can authenticate by attaching the token to the Authorization HTTP header preceding the Api-Token realm.
--header 'Authorization: Api-Token dt0c01.abc123.abcdefjhij1234567890'
The following example shows authentication via HTTP header.
curl --request GET \--url https://mySampleEnv.live.dynatrace.com/api/v1/config/clusterversion \--header 'Authorization: Api-Token dt0c01.abc123.abcdefjhij1234567890'
Authentication in the API Explorer
Select the lock 
icon next to any end point to display information about the OAuth 2.0 tokens that secure that endpoint. Each endpoint requires a specific token type.
You can also unlock all endpoints by selecting Authorize. In the displayed dialog, you can then see which token permissions are necessary for each API endpoint. By entering your OAuth 2.0 token into the global Available authorizations dialog, you can unlock all related API endpoints.