OAuth clients

  • Reference
  • 2-min read

OAuth clients provide client credentials according to the OAuth standard. Credentials are managed by Dynatrace administrators and are used to automate account management.

Create an OAuth2 client

  1. Go to Account Management. If you have more than one account, select the account you want to manage.
  2. On the top navigation bar, go to Identity & access management > OAuth clients.
  3. Select Create client.
  4. Provide an email of the user who owns the client.
  5. Provide a description for the new client.
  6. Select the required permissions.
    These are the scopes that the client will be able to grant. Tokens generated by the client might have different scope sets.
  7. Select Create client.
  8. Copy the generated information to the clipboard. Store it in a password manager for future use.

    You can only access your client secret once upon creation. You can't reveal it afterward.

Request a token

After you create the OAuth2 client, request the bearer token from the Dynatrace SSO system via an API call.

POST

https://sso.dynatrace.com/sso/oauth2/token

Content type

application/x-www-form-urlencoded

Provide the following parameters in the request body. Be sure to URL-encode all values!

Parameter

Value

grant_type

client_credentials

client_id

{your-Client-ID}

client_secret

{your-Client-secret}

scope

A list of required scopes separated by a whitespace, for example account-uac-read account-uac-write.

You can assign multiple scopes to a single token, or you can generate several tokens, each with different access levels and use them accordingly—check your organization's security policies for the best practice.

resource

urn:dtaccount:{your-account-UUID}

Response

In this example, the response of the request contains the bearer token, which you need to pass to the API call.

{
  "token_type": "Bearer",
  "resource": "urn:dtaccount:{dynatrace-account-urn}",
  "access_token": "{your-bearer-token}",
  "expires_in": 300,
  "scope": "app-engine:apps:run storage:buckets:read storage:logs:read"
}

Parameter

Value

token_type

Required The type of token issued. Typically, the string Bearer.

resource

Required Specifies the target resource or account context for which the token is valid.

access_token

Required The actual token used to authenticate API requests, issued by the authorization server.

expires_in

Recommended Specifies the token's lifetime in seconds.

scope

Optional Defines the permissions granted to the access token.

Authenticate

To authenticate a call, attach the token to the Authorization HTTP header preceding the Bearer realm.

--header 'Authorization: Bearer abcdefjhij1234567890'

The following example shows the authentication.

curl --request GET \
  --url https://api.dynatrace.com/env/v1/accounts/{accountUuid}/environments \
  --header 'Authorization: Bearer abcdefjhij1234567890' \
Related tags
Dynatrace Platform