From efa90975f81b44770210c06e6bd9df5efbc1f95e Mon Sep 17 00:00:00 2001 From: Reilly Wood Date: Fri, 3 Jul 2026 11:55:04 -0700 Subject: [PATCH 1/2] Add PAT/SAT authentication to MCP Server setup docs Document Personal and Service Access Tokens as the preferred header-based auth option for the MCP Server, passed as a bearer token in the Authorization header. Verified against the MCP server that a PAT authenticates this way. Keep OAuth as the recommended method for most users, and the API and application key pair as the other header option. Links out to the PAT/SAT docs for scopes and token management. Co-Authored-By: Claude Opus 4.8 (1M context) --- content/en/mcp_server/setup.md | 39 ++++++++++++++++++++++++++++++++-- 1 file changed, 37 insertions(+), 2 deletions(-) diff --git a/content/en/mcp_server/setup.md b/content/en/mcp_server/setup.md index 567f941e511..6f2098386d0 100644 --- a/content/en/mcp_server/setup.md +++ b/content/en/mcp_server/setup.md @@ -739,7 +739,40 @@ Organization administrators can manage global MCP access and write capabilities ## Authentication -The MCP Server uses OAuth 2.0 for [authentication][14]. If you cannot go through the OAuth flow (for example, on a server), you can provide a Datadog [API key and application key][1] as `DD_API_KEY` and `DD_APPLICATION_KEY` HTTP headers. +For most users, OAuth 2.0 is the recommended authentication method, and your MCP client handles it during setup. Use one of the header-based methods below only when you cannot complete the OAuth flow, for example on a server or in a CI environment. + +### OAuth 2.0 (recommended) + +Most clients complete the OAuth 2.0 flow automatically during setup. Select your client at the top of this page for instructions. With OAuth, you don't manage long-lived credentials directly. For details, see the [MCP authorization specification][14]. + +### Personal or Service Access Token + +For header-based authentication, a Datadog [Personal Access Token (PAT)][66] or [Service Access Token (SAT)][67] is the preferred option. Pass the token as a bearer token in the `Authorization` header. No API key is required: + +{{< site-region region="us,us3,us5,eu,ap1,ap2" >}} +For example, based on your selected [Datadog site][17] ({{< region-param key="dd_site_name" >}}): + +
{
+  "mcpServers": {
+    "datadog": {
+      "type": "http",
+      "url": "{{< region-param key="mcp_server_endpoint" >}}",
+      "headers": {
+          "Authorization": "Bearer <YOUR_ACCESS_TOKEN>"
+      }
+    }
+  }
+}
+
+ +[17]: /getting_started/site/#navigate-the-datadog-documentation-by-site +{{< /site-region >}} + +Use a PAT for an individual user or a SAT for a [service account][13]. For scopes, token management, and other authentication methods, see the [PAT][66] and [SAT][67] documentation. + +### API and application keys + +Alternatively, provide a Datadog [API key and application key][1] as `DD_API_KEY` and `DD_APPLICATION_KEY` HTTP headers: {{< site-region region="us,us3,us5,eu,ap1,ap2,uk1" >}} For example, based on your selected [Datadog site][17] ({{< region-param key="dd_site_name" >}}): @@ -892,4 +925,6 @@ Local authentication is recommended for Cline and when remote authentication is [62]: https://www.datadoghq.com/product-preview/datadog-agent-mcp/ [63]: /cloud_cost_management/ [64]: https://github.com/features/copilot/cli -[65]: https://awesome-copilot.github.com/plugins/#file=plugins%2Fdatadog \ No newline at end of file +[65]: https://awesome-copilot.github.com/plugins/#file=plugins%2Fdatadog +[66]: /account_management/personal-access-tokens/ +[67]: /account_management/service-access-tokens/ From 7d14aba21542c17ab251588b6b1c432eb9e49e7c Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Mon, 6 Jul 2026 09:07:10 -0400 Subject: [PATCH 2/2] Apply suggestions from code review --- content/en/mcp_server/setup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/mcp_server/setup.md b/content/en/mcp_server/setup.md index 6f2098386d0..f7d891a4cc9 100644 --- a/content/en/mcp_server/setup.md +++ b/content/en/mcp_server/setup.md @@ -747,7 +747,7 @@ Most clients complete the OAuth 2.0 flow automatically during setup. Select your ### Personal or Service Access Token -For header-based authentication, a Datadog [Personal Access Token (PAT)][66] or [Service Access Token (SAT)][67] is the preferred option. Pass the token as a bearer token in the `Authorization` header. No API key is required: +For header-based authentication, a Datadog [Personal Access Token (PAT)][66] or [Service Access Token (SAT)][67] is the preferred option. Pass the token as a bearer token in the `Authorization` header. No API key is required. {{< site-region region="us,us3,us5,eu,ap1,ap2" >}} For example, based on your selected [Datadog site][17] ({{< region-param key="dd_site_name" >}}):