---
title: Personal Access Tokens
description: >-
  Create and manage short-lived, scoped Personal Access Tokens to authenticate
  Datadog API calls without pairing API and application keys.
---

# Personal Access Tokens

{% callout %}
##### Join the Preview!

Personal Access Tokens are in Preview.
{% /callout %}

## Overview{% #overview %}

Personal Access Tokens (PATs) are a credential type that authenticates Datadog API calls. Unlike application keys, PATs do not need to be paired with an API key. They are short-lived and scoped by default, giving you tighter control over what each token can access and how long it remains valid.

With PATs, you can:

- Authenticate API calls with a single credential.
- Enforce the principle of least privilege by selecting only the scopes your workflow needs.
- Limit the blast radius of leaked credentials through mandatory time-to-live (TTL) values. Expired tokens are automatically revoked, so inactive credentials do not persist indefinitely.
- Separate concerns by reserving API keys for telemetry submission (Agent, logs, metrics) and using PATs for all other web API calls.

### PATs compared to application keys{% #pats-compared-to-application-keys %}

|                           | Personal Access Tokens          | Application keys              |
| ------------------------- | ------------------------------- | ----------------------------- |
| Standalone authentication | Yes; no API key pairing needed  | No; requires an API key       |
| Scoped by default         | Yes; scopes are mandatory       | Optional; unscoped by default |
| Time-to-live (TTL)        | Required (24 hours to one year) | No expiration                 |
| Identifiable prefix       | Yes; `ddpat_`                   | Yes; `ddap_` (new)            |
| Linked to                 | Individual user                 | Individual user               |

## Prerequisites{% #prerequisites %}

- A Datadog user account with the `user_app_keys` permission
- The `org_app_keys_write` permission if you want to manage PATs for other users in the organization

## Create a Personal Access Token{% #create-a-personal-access-token %}

1. Navigate to [**Personal Settings** > **Access Tokens**](https://app.datadoghq.com/personal-settings/access-tokens).
1. Click **+ New Access Token**.
1. Enter a **Name** for the token.
1. Select an **Expiration Date**. The minimum expiration is 24 hours and the maximum is one year from creation.
1. Click **Select Scopes** to choose the scopes that define what this token can access. At least one scope is required. Grant only the permissions your workflow requires, then click **Save**.

{% alert level="warning" %}
Datadog displays the token secret only once at creation time. Copy and store it securely. You cannot retrieve it later.
{% /alert %}

## Use a Personal Access Token{% #use-a-personal-access-token %}

PATs support two authentication methods.

### Authorization header (recommended){% #authorization-header-recommended %}

Pass the PAT as a Bearer token in the `Authorization` header. This method does not require an API key:

```bash
curl -X GET "https://api.datadoghq.com/api/v2/users" \
  -H "Authorization: Bearer <YOUR_PAT>"
```

### Application key header{% #application-key-header %}

Pass the PAT in the `dd-application-key` header. This is useful for migrating existing integrations that already use the application key header format:

```bash
curl -X GET "https://api.datadoghq.com/api/v2/users" \
  -H "dd-application-key: <YOUR_PAT>"
```

**Note:** When a valid PAT is provided in the `dd-application-key` header, Datadog authenticates with the PAT only. The `dd-api-key` header is optional and its value is not evaluated.

## Manage Personal Access Tokens{% #manage-personal-access-tokens %}

### View your tokens{% #view-your-tokens %}

Navigate to [**Personal Settings** > **Access Tokens**](https://app.datadoghq.com/personal-settings/access-tokens) to see all PATs associated with your account, including their names, scopes, expiration dates, and last usage information.

After creating a token, a details panel displays the token secret, name, Token ID, owner, scopes, and expiration date. From this panel, you can also edit or revoke the token.

{% image
   source="https://docs.dd-static.net/images/account_management/personal-access-tokens/pat-details.c8ae5922e9852481f5068d51ab8e9659.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/account_management/personal-access-tokens/pat-details.c8ae5922e9852481f5068d51ab8e9659.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="Personal Access Token details showing the token secret, name, Token ID, owner, scopes, and expiration" /%}

### Manage tokens as an administrator{% #manage-tokens-as-an-administrator %}

Organization administrators with the `org_app_keys_read` and `org_app_keys_write` permissions can view and manage PATs for all users in the organization from [**Organization Settings** > **Access Tokens**](https://app.datadoghq.com/organization-settings/access-tokens).

{% image
   source="https://docs.dd-static.net/images/account_management/personal-access-tokens/pat-admin.f1146565809f9e6a2807ad79b6fd34b8.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/account_management/personal-access-tokens/pat-admin.f1146565809f9e6a2807ad79b6fd34b8.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="Organization administrators can view and manage all PATs from Organization Settings" /%}

### Revoke a token{% #revoke-a-token %}

1. Navigate to [**Personal Settings** > **Access Tokens**](https://app.datadoghq.com/personal-settings/access-tokens), or [**Organization Settings** > **Access Tokens**](https://app.datadoghq.com/organization-settings/access-tokens) for administrators.
1. Mouse over the token you want to revoke and click the **Revoke Token** icon.

Revoked tokens can no longer authenticate API calls. Revocation takes effect within seconds.

### Edit a token{% #edit-a-token %}

You can update the name and scopes of an existing PAT. You cannot modify the TTL after creation. To change the TTL, revoke the existing token and create a token with the desired configuration.

## Token format{% #token-format %}

PATs use an identifiable format that supports secret scanning and key management:

```
ddpat_<ALIAS>_<SECRET><CHECKSUM>
```

| Component    | Description                                                  |
| ------------ | ------------------------------------------------------------ |
| `ddpat_`     | Prefix identifying the credential as a Personal Access Token |
| `<ALIAS>`    | Base62-encoded token identifier, derived from the token UUID |
| `<SECRET>`   | 32-byte randomly generated secret                            |
| `<CHECKSUM>` | CRC32 checksum following the GitHub checksum standard        |

The identifiable prefix and checksum enable automated detection by secret scanning services, including GitHub secret scanning, Sensitive Data Scanner, and GitGuardian.
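The following scanner is an added example, not Datadog's or any vendor's detection code. It finds `ddpat_` candidates in text and uses the checksum to raise confidence. The base62 alphabet order, the 6-character checksum length, and the choice to compute CRC32 over the `<SECRET>` characters only are assumptions borrowed from GitHub's published token convention; `scan`, `make_sample`, and the sample token are constructed for illustration.

```python
import re
import zlib

# Assumptions (not stated on the page): base62 alphabet order, a 6-character
# checksum, and a CRC32 computed over the <SECRET> characters only.
BASE62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
CHECKSUM_LEN = 6
# Prefix and layout come from the page; component lengths are left loose.
CANDIDATE = re.compile(
    r"(?<![0-9A-Za-z])ddpat_([0-9A-Za-z]+)_([0-9A-Za-z]{7,})(?![0-9A-Za-z])"
)


def base62_crc32(data: bytes) -> str:
    """CRC32 of data, base62-encoded and left-padded to CHECKSUM_LEN."""
    n, out = zlib.crc32(data), ""
    while n:
        n, rem = divmod(n, 62)
        out = BASE62[rem] + out
    return out.rjust(CHECKSUM_LEN, "0")


def make_sample(alias: str, secret: str) -> str:
    """Build a constructed (fake) token for testing the scanner."""
    return f"ddpat_{alias}_{secret}{base62_crc32(secret.encode())}"


def scan(text: str) -> list:
    """Report every ddpat_ candidate; never echo the secret itself."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in CANDIDATE.finditer(line):
            alias, tail = match.groups()
            secret, checksum = tail[:-CHECKSUM_LEN], tail[-CHECKSUM_LEN:]
            findings.append({
                "line": lineno,
                "alias": alias,  # token identifier, usable to locate and revoke
                "checksum_ok": base62_crc32(secret.encode()) == checksum,
            })
    return findings


# Constructed input: one well-formed fake token, one with a corrupted checksum.
GOOD = make_sample("4kZexample", "s3cr3tConstructedForDemoOnly0000000000000")
BAD = GOOD[:-1] + ("0" if GOOD[-1] != "0" else "1")
SAMPLE = f'DD_PAT="{GOOD}"\nretries = 3\ncurl -H "Authorization: Bearer {BAD}"\n'

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Because the checksum layout here is assumed, treat a prefix match with `checksum_ok: False` as a lower-confidence finding to review rather than one to discard.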

## Permissions{% #permissions %}

PATs use the same permissions as application keys:

| Permission           | Description                                                    |
| -------------------- | -------------------------------------------------------------- |
| `user_app_keys`      | Create and manage your own PATs                                |
| `org_app_keys_read`  | View PATs for all users in the organization                    |
| `org_app_keys_write` | Create, edit, and revoke PATs for any user in the organization |

For more information about permissions, see [Role Based Access Control](https://docs.datadoghq.com/account_management/rbac/permissions.md).

## Audit Trail{% #audit-trail %}

If [Audit Trail](https://docs.datadoghq.com/account_management/audit_trail.md) is enabled for your organization, Audit Trail records all PAT creation, usage, and revocation events. Audit Trail captures the authentication method and token metadata for each API call made with a PAT, giving administrators visibility into credential usage across the organization.

To review PAT activity, navigate to [**Security** > **Compliance** > **Audit Trail**](https://app.datadoghq.com/audit-trail) and filter by the Personal Access Token authentication method.

## API reference{% #api-reference %}

Manage PATs programmatically through the Datadog API:

| Operation          | Endpoint                                         |
| ------------------ | ------------------------------------------------ |
| List PATs          | `GET /api/v2/personal_access_tokens`             |
| Create a PAT       | `POST /api/v2/personal_access_tokens`            |
| Get a specific PAT | `GET /api/v2/personal_access_tokens/<PAT_ID>`    |
| Update a PAT       | `PATCH /api/v2/personal_access_tokens/<PAT_ID>`  |
| Revoke a PAT       | `DELETE /api/v2/personal_access_tokens/<PAT_ID>` |

For the full API reference, see [Key Management](https://docs.datadoghq.com/api/latest/key-management.md).

## Key propagation delay{% #key-propagation-delay %}

PATs follow an eventual consistency model. After creation or revocation, changes may take a few seconds to propagate across all Datadog systems. Do not use a token immediately after creation in critical workflows. Implement a retry strategy with short exponential backoff to handle transient errors during the propagation window.
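The retry strategy described above, as an added sketch that is not Datadog client code. It assumes a token that has not propagated yet is rejected with HTTP 401 or 403, which the page does not specify; `wait_until_usable`, `http_get_status`, and their parameters are hypothetical names.

```python
import time
import urllib.error
import urllib.request

API_URL = "https://api.datadoghq.com/api/v2/users"  # endpoint used on this page
# Assumption: an unpropagated token is rejected with 401 or 403.
PROPAGATION_STATUSES = {401, 403}


def http_get_status(url, token):
    """Send one GET with the PAT as a Bearer token and return the HTTP status."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def wait_until_usable(token, send=http_get_status, sleep=time.sleep,
                      base_delay=0.5, max_attempts=5):
    """Probe until a new PAT authenticates, backing off 0.5s, 1s, 2s, ...

    Returns (last_status, delays_slept). The attempt cap keeps the window
    short, so a token that is truly invalid or lacks the needed scope
    surfaces as an auth error instead of being retried indefinitely.
    """
    delays = []
    status = None
    for attempt in range(max_attempts):
        status = send(API_URL, token)
        if status not in PROPAGATION_STATUSES:
            return status, delays
        if attempt < max_attempts - 1:
            delay = base_delay * (2 ** attempt)
            delays.append(delay)
            sleep(delay)
    return status, delays
```

The same probe, run after revocation and expecting a rejection, confirms that a revoked token has stopped authenticating before you close out a rotation.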
