API keys are unique to your organization. An API key is required by the Datadog Agent to submit metrics and events to Datadog.
Application keys, in conjunction with your org’s API key, give users access to Datadog’s programmatic API. Application keys are associated with the user account that created them and have the permissions and capabilities of the user who created them.
To manage your client tokens, go to the Client Tokens section of your Datadog API configuration page.
Client tokens are unique to your organization. A client token is required by the web browser log collector to submit logs to Datadog, and by Real User Monitoring to submit events and logs to Datadog.
To add a Datadog API key or client token, navigate to Integration -> APIs, enter a name for your key or token, and click Create API key or Create Client Token.
To remove a Datadog API key or client token, navigate to Integration -> APIs and click Revoke next to the key or token you want to remove.
To remove a Datadog application key, navigate to Teams -> Application Keys. If you have the permission to create and manage application keys, you can see your own keys and click Revoke next to the key you want to revoke. If you have the permission to manage all org application keys, you can search for the key you want to revoke and then click Revoke next to it.
Consider setting up multiple API keys for your organization. For example, use different API keys for each of your various deployment methods: one for deploying an Agent on Kubernetes in AWS, one for deploying it on prem with Chef, one for Terraform scripts that automate your dashboards or monitors, and one for developers deploying locally.
Using multiple API keys lets you rotate keys as part of your security practice, or revoke a specific key if it’s inadvertently exposed or if you want to stop using the service it’s associated with.
If your organization needs more than the built-in limit of five API keys, contact Support to ask about increasing your limit.
If a user’s account is disabled, any application keys that the user created are deleted. Any API keys that were created by the disabled account are not deleted, and are still valid.
For security reasons, Datadog does not transfer API/application keys from one user to another. The recommended best practice is to keep track of API/application keys and rotate those keys once a user has left the company. This way, a user who has left the company no longer has access to your account and Datadog’s API. Transferring the API/application key would allow a user who is no longer with the company to continue to send and receive data from the Datadog API. Customers have also asked to change the handle that the API/application keys are associated with. This, however, does not resolve the inherent issue: a user who is no longer with the company would still be able to send and retrieve data from the Datadog API.
Alternatively, organizations have asked whether they can create a “service account” with which to own API/application keys. There are many cases where it makes sense to use a “service account” to own API keys. That being said, it is important that this is more than just a shared account that everyone has access to. If you plan on using a “service account”, it is important to store the service account credentials securely (for example, in a password manager) and to follow the principle of least privilege. To prevent the accidental leakage of service account credentials, only a small number of people should have access to them: ideally, only those who truly need to be able to maintain the account.
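The key tracking recommended above, as an added example (not Datadog's code or API): a Python audit over a key inventory you maintain yourself. It lists what to rotate or reissue when a user leaves, and which API keys are shared across deployment methods. The `TrackedKey` fields, key names and user handles are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TrackedKey:
    name: str            # label of the key in your own inventory (hypothetical)
    kind: str            # "api" or "application"
    created_by: str      # handle of the user who created the key
    used_by: tuple = ()  # deployment methods or services holding the key


def offboarding_findings(inventory, departed):
    """Return sorted (key name, action) pairs for keys created by departed users."""
    findings = []
    for key in inventory:
        if key.created_by not in departed:
            continue
        consumers = ", ".join(key.used_by)
        if key.kind == "api":
            # API keys stay valid after the creator's account is disabled.
            action = "still valid: rotate in " + consumers
        else:
            # Application keys are deleted with the account; consumers lose access.
            action = "deleted with account: reissue for " + consumers
        findings.append((key.name, action))
    return sorted(findings)


def shared_api_keys(inventory):
    """Name API keys held by several deployment methods (no selective revocation)."""
    return sorted(k.name for k in inventory if k.kind == "api" and len(k.used_by) > 1)


# Constructed sample inventory; every key name and handle is made up.
INVENTORY = [
    TrackedKey("k8s-aws-agent", "api", "alice@example.com", ("kubernetes-aws",)),
    TrackedKey("legacy-shared", "api", "bob@example.com", ("chef-onprem", "terraform")),
    TrackedKey("terraform-dashboards", "application", "bob@example.com", ("terraform",)),
    TrackedKey("dev-local", "api", "carol@example.com", ("developer-laptops",)),
]

if __name__ == "__main__":
    for name, action in offboarding_findings(INVENTORY, {"bob@example.com"}):
        print(f"{name}: {action}")
    print("shared API keys:", shared_api_keys(INVENTORY))
```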