VOOZH about

URL: https://docs.datadoghq.com/account_management/service-access-tokens/

⇱ Service Access Tokens

For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/account_management/service-access-tokens.md. A documentation index is available at /llms.txt.

Service Access Tokens

Overview

Service Access Tokens (SATs) are credentials that authenticate Datadog API calls on behalf of a service account. Unlike Personal Access Tokens (PATs), SATs belong to a service account rather than an individual user — they remain valid when team members join or leave the organization.

With SATs, you can:

  • Authenticate automated workflows and scripts with credentials that remain valid after team members leave the organization.
  • Create long-lived tokens for stable integrations that do not require periodic rotation.
  • Scope tokens to the minimum permissions your workflow requires.
  • Attribute all API activity to the owning service account for clear audit accountability.

SATs compared to other credential types

Service Access TokensPersonal Access TokensApplication keys
Owned byService accountIndividual userIndividual user or service account
Time-to-live (TTL)Optional; 1 day, 1 month, 1 year, Never, or CustomRequired; 1 day to 1 yearNo expiration
Scoped by defaultYes; scopes are mandatoryYes; scopes are mandatoryOptional; unscoped by default
Standalone authenticationYes; no API key pairing neededYes; no API key pairing neededNo; requires an API key
Identifiable prefixddsat_ddpat_ddapp_ (new)
Visible inService account details, Organization Settings > Access TokensPersonal Settings > Access Tokens, Organization Settings > Access TokensPersonal Settings > Application Keys, Organization Settings > Application Keys

For Personal Access Tokens, see Personal Access Tokens.

Prerequisites

  • A Datadog service account. To create one, see Service Accounts.
  • The service_account_write permission to create SATs for a service account you manage.
  • The org_app_keys_write permission to manage SATs for any service account in the organization.

Create a Service Access Token

  1. Navigate to Organization Settings > Service Accounts and click a service account.
  2. In the details panel, under Access Tokens, click + New Token.
  3. Enter a Name for the token.
  4. Select an Expiration Date: 1 day, 1 month, 1 year, Never, or Custom. Select Never for a token with no expiration.
  5. Click Select Scopes to define what the token can access. Grant only the permissions your workflow requires, then click Save.
Datadog displays the token secret only once at creation time. Copy and store it securely. You cannot retrieve it later.

After you save, a details panel displays the token secret, name, Token ID, owner, owner roles, expiration date, and scopes.

Use a Service Access Token

SATs support two authentication methods.

Authorization header (recommended)

Pass the SAT as a Bearer token in the Authorization header. This method does not require an API key:

curl -X GET "https://api.datadoghq.com/api/v2/users" \
 -H "Authorization: Bearer <YOUR_SAT>"

Application key header

Pass the SAT in the dd-application-key header:

curl -X GET "https://api.datadoghq.com/api/v2/users" \
 -H "dd-application-key: <YOUR_SAT>"

Note: When a valid SAT is provided in the dd-application-key header, Datadog authenticates with the SAT only. The dd-api-key header is optional and its value is not evaluated.

Manage Service Access Tokens

View tokens

A service account’s tokens appear in the details panel under Organization Settings > Service Accounts.

Organization administrators with the org_app_keys_read permission can also view all SATs alongside Personal Access Tokens from Organization Settings > Access Tokens.

Revoke a token

  1. Navigate to Organization Settings > Service Accounts and click the service account.
  2. In the details panel, hover over the token and click Revoke.

Alternatively, revoke a SAT from Organization Settings > Access Tokens.

Revoked tokens can no longer authenticate API calls. Revocation takes effect within seconds.

Edit a token

You can update the name and scopes of an existing SAT. You cannot modify the expiration date after creation. To change the expiration, revoke the token and create a new one.

Permissions

PermissionDescription
service_account_writeCreate SATs for service accounts you manage
org_app_keys_readView SATs for all service accounts in the organization
org_app_keys_writeCreate, edit, and revoke SATs for any service account

For more information, see Role Based Access Control.

Audit Trail

If Audit Trail is enabled, it records all SAT creation, usage, and revocation events. Each API call authenticated with a SAT is attributed to the owning service account. This gives administrators visibility into automated credential usage across the organization.

To review SAT activity, navigate to Security > Compliance > Audit Trail and filter by the Service Access Token authentication method.

API reference

Manage SATs programmatically through the Datadog API:

OperationEndpoint
List SATsGET /api/v2/service_accounts/<SERVICE_ACCOUNT_ID>/access_tokens
Create a SATPOST /api/v2/service_accounts/<SERVICE_ACCOUNT_ID>/access_tokens
Get a specific SATGET /api/v2/service_accounts/<SERVICE_ACCOUNT_ID>/access_tokens/<TOKEN_ID>
Update a SATPATCH /api/v2/service_accounts/<SERVICE_ACCOUNT_ID>/access_tokens/<TOKEN_ID>
Revoke a SATDELETE /api/v2/service_accounts/<SERVICE_ACCOUNT_ID>/access_tokens/<TOKEN_ID>

To retrieve all PATs and SATs across users and service accounts in a single call, use the unified endpoint:

GET /api/v2/personal_access_tokens

Further reading