---
title: Service Access Tokens
description: >-
  Create and manage Service Access Tokens to authenticate Datadog API calls on
  behalf of a service account, without relying on individual user credentials.
breadcrumbs: Docs > Account Management > Service Access Tokens
---

# Service Access Tokens

{% callout %}
##### Join the Preview!

Service Access Tokens are in Preview.
{% /callout %}

## Overview{% #overview %}

Service Access Tokens (SATs) are credentials that authenticate Datadog API calls on behalf of a [service account](https://docs.datadoghq.com/account_management/org_settings/service_accounts.md). Unlike [Personal Access Tokens (PATs)](https://docs.datadoghq.com/account_management/personal-access-tokens.md), SATs belong to a service account rather than an individual user — they remain valid when team members join or leave the organization.

With SATs, you can:

- Authenticate automated workflows and scripts with credentials that remain valid after team members leave the organization.
- Create long-lived tokens for stable integrations that do not require periodic rotation.
- Scope tokens to the minimum permissions your workflow requires.
- Attribute all API activity to the owning service account for clear audit accountability.

### SATs compared to other credential types{% #sats-compared-to-other-credential-types %}

| Service Access Tokens     | Personal Access Tokens                                         | Application keys                                                         |
| ------------------------- | -------------------------------------------------------------- | ------------------------------------------------------------------------ |
| Owned by                  | Service account                                                | Individual user                                                          | Individual user or service account                                             |
| Time-to-live (TTL)        | Optional; 1 day, 1 month, 1 year, Never, or Custom             | Required; 1 day to 1 year                                                | No expiration                                                                  |
| Scoped by default         | Yes; scopes are mandatory                                      | Yes; scopes are mandatory                                                | Optional; unscoped by default                                                  |
| Standalone authentication | Yes; no API key pairing needed                                 | Yes; no API key pairing needed                                           | No; requires an API key                                                        |
| Identifiable prefix       | `ddsat_`                                                       | `ddpat_`                                                                 | `ddapp_` (new)                                                                 |
| Visible in                | Service account details, Organization Settings > Access Tokens | Personal Settings > Access Tokens, Organization Settings > Access Tokens | Personal Settings > Application Keys, Organization Settings > Application Keys |

For Personal Access Tokens, see [Personal Access Tokens](https://docs.datadoghq.com/account_management/personal-access-tokens.md).

## Prerequisites{% #prerequisites %}

- A Datadog service account. To create one, see [Service Accounts](https://docs.datadoghq.com/account_management/org_settings/service_accounts.md).
- The `service_account_write` permission to create SATs for a service account you manage.
- The `org_app_keys_write` permission to manage SATs for any service account in the organization.

## Create a Service Access Token{% #create-a-service-access-token %}

1. Navigate to [**Organization Settings** > **Service Accounts**](https://app.datadoghq.com/organization-settings/service-accounts) and click a service account.
1. In the details panel, under **Access Tokens**, click + New Token.
1. Enter a Name for the token.
1. Select an Expiration Date: **1 day**, **1 month**, **1 year**, **Never**, or **Custom**. Select **Never** for a token with no expiration.
1. Click Select Scopes to define what the token can access. Grant only the permissions your workflow requires, then click Save.

{% alert level="warning" %}
Datadog displays the token secret only once at creation time. Copy and store it securely. You cannot retrieve it later.
{% /alert %}

After you save, a details panel displays the token secret, name, Token ID, owner, owner roles, expiration date, and scopes.

## Use a Service Access Token{% #use-a-service-access-token %}

SATs support two authentication methods.

### Authorization header (recommended){% #authorization-header-recommended %}

Pass the SAT as a Bearer token in the `Authorization` header. This method does not require an API key:

```bash
curl -X GET "https://api.datadoghq.com/api/v2/users" \
  -H "Authorization: Bearer <YOUR_SAT>"
```

### Application key header{% #application-key-header %}

Pass the SAT in the `dd-application-key` header:

```bash
curl -X GET "https://api.datadoghq.com/api/v2/users" \
  -H "dd-application-key: <YOUR_SAT>"
```

**Note:** When a valid SAT is provided in the `dd-application-key` header, Datadog authenticates with the SAT only. The `dd-api-key` header is optional and its value is not evaluated.

## Manage Service Access Tokens{% #manage-service-access-tokens %}

### View tokens{% #view-tokens %}

A service account's tokens appear in the details panel under [**Organization Settings** > **Service Accounts**](https://app.datadoghq.com/organization-settings/service-accounts).

{% image
   source="https://docs.dd-static.net/images/account_management/service-access-tokens/sat-service-account-panel.39d5cfdb2aefdaed90896f36ffde84bc.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/account_management/service-access-tokens/sat-service-account-panel.39d5cfdb2aefdaed90896f36ffde84bc.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="Service account details panel showing the Access Tokens section with two Service Access Tokens listed." /%}

Organization administrators with the `org_app_keys_read` permission can also view all SATs alongside Personal Access Tokens from [**Organization Settings** > **Access Tokens**](https://app.datadoghq.com/organization-settings/access-tokens).

### Revoke a token{% #revoke-a-token %}

1. Navigate to [**Organization Settings** > **Service Accounts**](https://app.datadoghq.com/organization-settings/service-accounts) and click the service account.
1. In the details panel, hover over the token and click Revoke.

Alternatively, revoke a SAT from [**Organization Settings** > **Access Tokens**](https://app.datadoghq.com/organization-settings/access-tokens).

Revoked tokens can no longer authenticate API calls. Revocation takes effect within seconds.

### Edit a token{% #edit-a-token %}

You can update the name and scopes of an existing SAT. You cannot modify the expiration date after creation. To change the expiration, revoke the token and create a new one.

## Permissions{% #permissions %}

| Permission              | Description                                            |
| ----------------------- | ------------------------------------------------------ |
| `service_account_write` | Create SATs for service accounts you manage            |
| `org_app_keys_read`     | View SATs for all service accounts in the organization |
| `org_app_keys_write`    | Create, edit, and revoke SATs for any service account  |

For more information, see [Role Based Access Control](https://docs.datadoghq.com/account_management/rbac/permissions.md).

## Audit Trail{% #audit-trail %}

If [Audit Trail](https://docs.datadoghq.com/account_management/audit_trail.md) is enabled, it records all SAT creation, usage, and revocation events. Each API call authenticated with a SAT is attributed to the owning service account. This gives administrators visibility into automated credential usage across the organization.

To review SAT activity, navigate to [**Security** > **Compliance** > **Audit Trail**](https://app.datadoghq.com/audit-trail) and filter by the Service Access Token authentication method.

## API reference{% #api-reference %}

Manage SATs programmatically through the Datadog API:

| Operation          | Endpoint                                                                        |
| ------------------ | ------------------------------------------------------------------------------- |
| List SATs          | `GET /api/v2/service_accounts/<SERVICE_ACCOUNT_ID>/access_tokens`               |
| Create a SAT       | `POST /api/v2/service_accounts/<SERVICE_ACCOUNT_ID>/access_tokens`              |
| Get a specific SAT | `GET /api/v2/service_accounts/<SERVICE_ACCOUNT_ID>/access_tokens/<TOKEN_ID>`    |
| Update a SAT       | `PATCH /api/v2/service_accounts/<SERVICE_ACCOUNT_ID>/access_tokens/<TOKEN_ID>`  |
| Revoke a SAT       | `DELETE /api/v2/service_accounts/<SERVICE_ACCOUNT_ID>/access_tokens/<TOKEN_ID>` |

To retrieve all PATs and SATs across users and service accounts in a single call, use the unified endpoint:

```
GET /api/v2/personal_access_tokens
```

## Further reading{% #further-reading %}

- [Service Accounts](https://docs.datadoghq.com/account_management/org_settings/service_accounts.md)
- [Personal Access Tokens](https://docs.datadoghq.com/account_management/personal-access-tokens.md)
- [Cloud-Based Authentication](https://docs.datadoghq.com/account_management/cloud_provider_authentication.md)