For years, authenticating to Datadog APIs meant managing two separate credentials: an API key and an application key. That model worked well when most API activity came from developers running scripts or a small number of integrations. But modern infrastructure looks very different. Today, Datadog APIs are accessed by CI/CD pipelines, Terraform workflows, autonomous systems, and increasingly, AI agents operating across teams and environments.
To support those new access patterns, Datadog is introducing a new authentication model built around four purpose-specific approaches: Personal Access Tokens (PATs), Service Access Tokens (SATs), workload identity federation, and customer-managed OAuth clients. Together, these capabilities provide scoped, identity-aware authentication designed for both human users and non-human workloads.
In this post, we’ll discuss:
Why Datadog is updating its API authentication Datadog’s new API authentication modelWhat happens to existing application keysHow to choose the right authentication model for your use case
Why Datadog is updating its API authentication
