VOOZH about

URL: https://docs.datadoghq.com/account_management/personal-access-tokens/

⇱ Personal Access Tokens

For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/account_management/personal-access-tokens.md. A documentation index is available at /llms.txt.

Personal Access Tokens

Overview

Personal Access Tokens (PATs) are a credential type that authenticates Datadog API calls. Unlike application keys, PATs do not need to be paired with an API key. They are short-lived and scoped by default, giving you tighter control over what each token can access and how long it remains valid.

With PATs, you can:

  • Authenticate API calls with a single credential.
  • Enforce the principle of least privilege by selecting only the scopes your workflow needs.
  • Limit the blast radius of leaked credentials through mandatory time-to-live (TTL) values. Expired tokens are automatically revoked, so inactive credentials do not persist indefinitely.
  • Separate concerns by reserving API keys for telemetry submission (Agent, logs, metrics) and use PATs for all other web API calls.

PATs compared to other credential types

Personal Access TokensService Access TokensApplication keys
Standalone authenticationYes; no API key pairing neededYes; no API key pairing neededNo; requires an API key
Scoped by defaultYes; scopes are mandatoryYes; scopes are mandatoryOptional; unscoped by default
Time-to-live (TTL)Required (24 hours to one year)Optional; can be long-livedNo expiration
Identifiable prefixddpat_ddsat_ddapp_ (new)
Linked toIndividual userService accountIndividual user or service account

For Service Access Tokens, see Service Access Tokens.

Prerequisites

  • A Datadog user account with the user_app_keys permission
  • The org_app_keys_write permission if you want to manage PATs for other users in the organization

Create a Personal Access Token

  1. Navigate to Personal Settings > Access Tokens.
  2. Click + New Access Token.
  3. Enter a Name for the token.
  4. Select an Expiration Date. The minimum expiration is 24 hours and the maximum is one year from creation.
  5. Click Select Scopes to choose the scopes that define what this token can access. At least one scope is required. Grant only the permissions your workflow requires, then click Save.
Datadog displays the token secret only once at creation time. Copy and store it securely. You cannot retrieve it later.

Use a Personal Access Token

PATs support two authentication methods.

Authorization header (recommended)

Pass the PAT as a Bearer token in the Authorization header. This method does not require an API key:

curl -X GET "https://api.datadoghq.com/api/v2/users" \
 -H "Authorization: Bearer <YOUR_PAT>"

Application key header

Pass the PAT in the dd-application-key header. This is useful for migrating existing integrations that already use the application key header format:

curl -X GET "https://api.datadoghq.com/api/v2/users" \
 -H "dd-application-key: <YOUR_PAT>"

Note: When a valid PAT is provided in the dd-application-key header, Datadog authenticates with the PAT only. The dd-api-key header is optional and its value is not evaluated.

Manage Personal Access Tokens

View your tokens

Navigate to Personal Settings > Access Tokens to see all PATs associated with your account, including their names, scopes, expiration dates, and last usage information.

After creating a token, a details panel displays the token secret, name, Token ID, owner, scopes, and expiration date. From this panel, you can also edit or revoke the token.

Manage tokens as an administrator

Organization administrators with the org_app_keys_read and org_app_keys_write permissions can view and manage PATs for all users in the organization from Organization Settings > Access Tokens.

Revoke a token

  1. Navigate to Personal Settings > Access Tokens, or Organization Settings > Access Tokens for administrators.
  2. Mouse over the token you want to revoke and click the Revoke Token icon.

Revoked tokens can no longer authenticate API calls. Revocation takes effect within seconds.

Edit a token

You can update the name and scopes of an existing PAT. You cannot modify the TTL after creation. To change the TTL, revoke the existing token and create a token with the desired configuration.

Token format

PATs use an identifiable format that supports secret scanning and key management:

ddpat_<ALIAS>_<SECRET><CHECKSUM>
ComponentDescription
ddpat_Prefix identifying the credential as a Personal Access Token
<ALIAS>Base62-encoded token identifier, derived from the token UUID
<SECRET>32-byte randomly generated secret
<CHECKSUM>CRC32 checksum following the GitHub checksum standard

The identifiable prefix and checksum enable automated detection by secret scanning services, including GitHub secret scanning, Sensitive Data Scanner, and GitGuardian.

Permissions

PATs use the same permissions as application keys:

PermissionDescription
user_app_keysCreate and manage your own PATs
org_app_keys_readView PATs for all users in the organization
org_app_keys_writeCreate, edit, and revoke PATs for any user in the organization

For more information about permissions, see Role Based Access Control.

Audit Trail

If Audit Trail is enabled for your organization, Audit Trail records all PAT creation, usage, and revocation events. Audit Trail captures the authentication method and token metadata for each API call made with a PAT, giving administrators visibility into credential usage across the organization.

To review PAT activity, navigate to Security > Compliance > Audit Trail and filter by the Personal Access Token authentication method.

API reference

Manage PATs programmatically through the Datadog API:

OperationEndpoint
List PATs and SATsGET /api/v2/personal_access_tokens
Create a PATPOST /api/v2/personal_access_tokens
Get a specific PATGET /api/v2/personal_access_tokens/<PAT_ID>
Update a PATPATCH /api/v2/personal_access_tokens/<PAT_ID>
Revoke a PATDELETE /api/v2/personal_access_tokens/<PAT_ID>

The GET /api/v2/personal_access_tokens endpoint returns both PATs and SATs in a single call. To manage SATs, see Service Access Tokens.

For the full API reference, see Key Management.

Key propagation delay

PATs follow an eventual consistency model. After creation or revocation, changes may take a few seconds to propagate across all Datadog systems. Do not use a token immediately after creation in critical workflows. Implement a retry strategy with short exponential backoff to handle transient errors during the propagation window.