AgentSkillsCN

datadog-auth

排查 Datadog API 认证问题(401/403 错误),理解 API 密钥与应用密钥的区别,并配置正确的区域。适用于遇到认证错误或设置 Datadog API 访问权限时使用。

SKILL.md
--- frontmatter
name: datadog-auth
description: Troubleshoot Datadog API authentication issues (401/403 errors), understand API keys vs app keys, and configure correct regions. Use when hitting auth errors or setting up Datadog API access.

Datadog API Authentication

TL;DR

  • Most v2 endpoints require two headers:
    • DD-API-KEY — org-scoped API key (32 hex chars)
    • DD-APPLICATION-KEY — application key VALUE (secret; 40 hex chars)
  • Do not send key IDs (UUIDs) in headers. Always send the key values (secrets).
  • Pick the correct region/site (e.g., us3.datadoghq.com) so the base is https://api.<DD_SITE>.
  • Some APIs (including Incidents v2) do not support scoped app keys. Use an unscoped app key.

Terms at a Glance

ItemExampleUse in requests
API key (value)aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (32 hex)Header DD-API-KEY
Application key (value, secret)bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb (40 hex)Header DD-APPLICATION-KEY
API key IDxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (UUID)Not for auth
Application key IDyyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy (UUID)Not for auth

Regions / Sites

RegionAPI Base
US1https://api.datadoghq.com
US3https://api.us3.datadoghq.com
US5https://api.us5.datadoghq.com
EU1https://api.datadoghq.eu
AP1https://api.ap1.datadoghq.com
AP2https://api.ap2.datadoghq.com

Quick Validation

bash
# Test API key only (no app key needed)
curl -sS -H "DD-API-KEY: $DD_API_KEY" https://api.$DD_SITE/api/v1/validate

# Or use the CLI
dd validate

Common Errors

HTTPSymptomLikely causeFix
401UnauthorizedWrong app key value, wrong site/org, using key ID instead of valueUse the secret value, verify region
403scoped app keys not supportedUsing a scoped app keyUse an unscoped app key
403GenericMissing permission on owner's roleAdjust role permissions

Troubleshooting Checklist

  1. API key valid? Run dd validate
  2. Region mismatch? Check which site returns 200:
    bash
    for site in us3.datadoghq.com datadoghq.com datadoghq.eu; do
  code=$(curl -s -o /dev/null -w "%{http_code}" -H "DD-API-KEY: $DD_API_KEY" "https://api.$site/api/v1/validate")
  echo "$site -> $code"
done
  3. Copy/paste artifacts? Strip whitespace:
    bash
    export DD_APP_KEY="$(printf %s "$DD_APP_KEY" | tr -d '\r\n')"

Scoped vs Unscoped Application Keys

  • Unscoped: inherits permissions from its owner. Use when API doesn't support scoped keys.
  • Scoped: limited to listed scopes. Use for least privilege when supported.

If you see "This API does not support scoped app keys," use an unscoped app key.

References