Language

English Français 日本語 한국어 Español

Datadog Site

Site help
US1 US3 US5 EU AP1 AP2 US1-FED

Authorization scopes for OAuth clients

Scopes are an authorization mechanism that allow you to limit and define the specific access applications have to an organization’s Datadog data. When authorized to access data on behalf of a user or service account, applications can only access the information explicitly permitted by their assigned scopes.

This page lists only the authorization scopes that can be assigned to OAuth clients. To view the full list of assignable permissions for scoped application keys, see Datadog Role Permissions.
  • OAuth clients → Can only be assigned authorization scopes (limited set).
  • Scoped application keys → Can be assigned any Datadog permission.

The best practice for scoping applications is to follow the principle of least privilege. Assign only the minimum scopes necessary for an application to function as intended. This enhances security and provides visibility into how applications interact with your organization’s data. For example, a third-party application that only reads dashboards does not need permissions to delete or manage users.

You can use authorization scopes with OAuth2 clients for your Datadog Apps.

API Management, Synthetics

Scope name

Description

Endpoints that require this scope

apm_api_catalog_read

View API catalog and API definitions.

Get all global variables
List APIs
Get an API

apm_api_catalog_write

Add, modify, and delete API catalog definitions.

Delete an API
Update an API
Create a new API

synthetics_global_variable_read

View, search, and use Synthetics global variables.

Get all global variables
Get a global variable

synthetics_global_variable_write

Create, edit, and delete global variables for Synthetics.

Create a global variable
Delete a global variable
Edit a global variable

synthetics_private_location_read

View, search, and use Synthetics private locations.

Get all locations (public and private)
Get a private location

synthetics_private_location_write

Create and delete private locations in addition to having access to the associated installation guidelines.

Create a private location
Delete a private location
Edit a private location

synthetics_read

List and view configured Synthetic tests and test results.

Get details of batch
Get the list of all Synthetic tests
Get an API test
Get a browser test
Get a browser test's latest results summaries
Get a browser test result
Get a Mobile test
Search Synthetic tests
Fetch uptime for multiple tests
Get a test configuration
Get an API test's latest results summaries
Get an API test result

synthetics_write

Create, edit, and delete Synthetic tests.

Create a test
Create an API test
Edit an API test
Create a browser test
Edit a browser test
Delete tests
Create a mobile test
Edit a Mobile test
Trigger Synthetic tests
Trigger tests from CI/CD pipelines
Patch a Synthetic test
Edit a test
Pause or start a test

CI Visibility Pipelines, CI Visibility Tests

Scope name

Description

Endpoints that require this scope

ci_visibility_read

View CI Visibility.

Aggregate pipelines events
Get a list of pipelines events
Search pipelines events
Aggregate tests events
Get a list of tests events
Search tests events

test_optimization_read

View Test Optimization.

Aggregate tests events
Get a list of tests events
Search tests events

Case Management, Error Tracking

Scope name

Description

Endpoints that require this scope

cases_read

View Cases.

Search cases
Get all projects
Get the details of a project
Get the details of a case
Update the assignee of an issue

cases_write

Create and update cases.

Create a case
Create a project
Remove a project
Archive case
Assign case
Update case attributes
Update case priority
Update case status
Unarchive case
Unassign case
Update the assignee of an issue

error_tracking_read

Read Error Tracking data.

Search error tracking issues
Get the details of an error tracking issue
Update the assignee of an issue
Update the state of an issue

error_tracking_write

Edit Error Tracking issues.

Update the assignee of an issue
Update the state of an issue

Cloud Cost Management

Scope name

Description

Endpoints that require this scope

cloud_cost_management_read

View Cloud Cost pages and the cloud cost data source in dashboards and notebooks. For more details, see the Cloud Cost Management docs.

List Cloud Cost Management AWS CUR configs
List Cloud Cost Management Azure configs
Get a budget
List budgets
List Custom Costs files
Get Custom Costs file
List Cloud Cost Management GCP Usage Cost configs

cloud_cost_management_write

Configure cloud cost accounts and global customizations. For more details, see the Cloud Cost Management docs.

Create Cloud Cost Management AWS CUR config
Delete Cloud Cost Management AWS CUR config
Update Cloud Cost Management AWS CUR config
Create Cloud Cost Management Azure configs
Delete Cloud Cost Management Azure config
Update Cloud Cost Management Azure config
Create or update a budget
Delete a budget
Upload Custom Costs file
Delete Custom Costs file
Create Cloud Cost Management GCP Usage Cost config
Delete Cloud Cost Management GCP Usage Cost config
Update Cloud Cost Management GCP Usage Cost config

Dashboard Lists, Dashboards, Powerpack

Scope name

Description

Endpoints that require this scope

dashboards_read

View dashboards.

Get all dashboards
Get all dashboard lists
Get a dashboard list
Get a shared dashboard
Get a dashboard
Get items of a Dashboard List
Get all powerpacks
Get a Powerpack

dashboards_write

Create and change dashboards.

Delete dashboards
Restore deleted dashboards
Create a new dashboard
Create a dashboard list
Delete a dashboard list
Update a dashboard list
Delete a dashboard
Update a dashboard
Create a new powerpack
Delete a powerpack
Update a powerpack

dashboards_embed_share

Create, modify, and delete shared dashboards with share type 'embed'.

Create a shared dashboard
Revoke a shared dashboard URL
Update a shared dashboard

dashboards_invite_share

Create, modify, and delete shared dashboards with share type 'invite'.

Create a shared dashboard
Revoke a shared dashboard URL
Update a shared dashboard
Revoke shared dashboard invitations
Get all invitations for a shared dashboard
Send shared dashboard invitation email

dashboards_public_share

Generate public and authenticated links to share dashboards or embeddable graphs externally.

Create a shared dashboard
Revoke a shared dashboard URL
Update a shared dashboard

Datasets, Roles, Users

Scope name

Description

Endpoints that require this scope

user_access_manage

Disable users, manage user roles, manage SAML-to-role mappings, and configure logs restriction queries.

Create a dataset
Create role
Delete role
Update a role
Create a new role by cloning an existing role
Revoke permission
Grant permission to a role
Remove a user from a role
Add a user to a role
Disable a user
Update a user

user_access_read

View users and their roles and settings.

List all users
Get all datasets
List permissions
List roles
Get a role
List permissions for a role
Get all users of a role
List all users
Get user details
Get a user permissions

user_access_invite

Invite other users to your organization.

Send invitation emails
Get a user invitation
Create a user

Domain Allowlist, Downtimes, IP Allowlist, Monitors

Scope name

Description

Endpoints that require this scope

monitors_write

Edit, delete, and resolve individual monitors.

Create a monitor
Delete a monitor
Edit a monitor
Mute a monitor
Unmute a monitor
Get Domain Allowlist
Sets Domain Allowlist

org_management

Edit org configurations, including authentication and certain security preferences such as configuring SAML, renaming an org, configuring allowed login methods, creating child orgs, subscribing & unsubscribing from apps in the marketplace, and enabling & disabling Remote Configuration for the entire organization.

Get Domain Allowlist
Sets Domain Allowlist
Get IP Allowlist
Update IP Allowlist

monitors_downtime

Set downtimes to suppress alerts from any monitor in an organization. Mute and unmute monitors. The ability to write monitors is not required to set downtimes.

Schedule a downtime
Cancel downtimes by scope
Cancel a downtime
Update a downtime
Get all downtimes
Schedule a downtime
Cancel a downtime
Get a downtime
Update a downtime
Get active downtimes for a monitor

monitors_read

View monitors.

Get all downtimes
Get a downtime
Get all monitors
Check if a monitor can be deleted
Monitors group search
Monitors search
Validate a monitor
Get a monitor's details
Get active downtimes for a monitor
Validate an existing monitor
Get all monitor notification rules
Get a monitor notification rule
Get all monitor configuration policies
Get a monitor configuration policy
Get all monitor user templates
Get a monitor user template

Domain Allowlist, Downtimes, Monitors

Scope name

Description

Endpoints that require this scope

monitors_write

Edit, delete, and resolve individual monitors.

Create a monitor
Delete a monitor
Edit a monitor
Mute a monitor
Unmute a monitor
Get Domain Allowlist
Sets Domain Allowlist

org_management

Edit org configurations, including authentication and certain security preferences such as configuring SAML, renaming an org, configuring allowed login methods, creating child orgs, subscribing & unsubscribing from apps in the marketplace, and enabling & disabling Remote Configuration for the entire organization.

Get Domain Allowlist