API keys are unique to your organization. An API key is required by the Datadog Agent to submit metrics and events to Datadog.
Application keys, in conjunction with your org’s API key, give you full access to Datadog’s programmatic API. Application keys are associated with the user account that created them and must be named. The application key is used to log all requests made to the API.
To manage your client tokens, go to your Datadog API configuration page in the
Client Tokens section as shown here:
Client tokens are unique to your organization. A client token is required by the web browser log collector to submit logs to Datadog, and is required by the Real User Monitoring to submit events and logs to Datadog.
To add a Datadog API key, application key, or client token, navigate to Integration -> APIs, enter a name for your key or token, and click Create API key or Create Application Key or Create Client Token.
To remove a Datadog API key or application key or client token, navigate to Integration -> APIs and select the Revoke button next to the key or token you want to remove:
Consider setting up multiple API keys for your organization. For example, use different API keys for each of your various deployment methods: one for deploying an Agent on Kubernetes in AWS, one for deploying it on prem with Chef, one for Terraform scripts that automate your dashboards or monitors, and one for developers deploying locally.
Using multiple API keys lets you rotate keys as part of your security practice, or revoke a specific key if it’s inadvertently exposed or if you want to stop using the service it’s associated with.
If your organization needs more than the built-in limit of five API keys, contact Support to ask about increasing your limit.
If a user’s account is disabled, any application keys that the user created are deleted. Any API keys that were created by the disabled account are not deleted, and are still valid.
Due to security reasons, Datadog does not transfer API/application keys from one user to another. The recommended best practice is to keep track of API/application keys and rotate those keys once a user has left the company. This way, a user that has left the company no longer has access to your account and Datadog’s API. Transferring the API/application key allows a user that no longer remains with the company to continue to send and receive data from the Datadog API. Customers have also asked to change the handle that the API/application keys are associated with. This, however, does not resolve the inherent issue: that a user that no longer remains with the company continues to have the ability to send and retrieve data from the Datadog API.
Alternatively, organizations have asked whether they can create a “service account” with which to own API/application keys. There are many cases where it makes sense to use a “service account” to own API keys. That being said, it is important that this is more than just a shared account that everyone has access to. If you plan on using a “service account”, it is important to secure storage of the service account credentials (such as using a password manager) as well as the principle of least privilege. To prevent the accidental leakage of service account credentials, there should only be a small number of people who have access—ideally, only those who truly need to be able to maintain the account.
Need help? Contact Datadog support.