Docs » Create and manage authentication tokens using Splunk Observability Cloud » Create and manage organization access tokens using Splunk Observability Cloud

Create and manage organization access tokens using Splunk Observability Cloud 🔗

Access tokens, also known as org tokens, are long-lived organization-level tokens.

Use access tokens to:

  • Send data points to Infrastructure Monitoring with API calls.

  • Run scripts that call the API.

  • Manage your resource by tracking usage for different groups of users, services, teams, and so on. For example, you have users in the U.S. and Canada sending data to Infrastructure Monitoring. You can give each group its specific access token to compare the amount of data coming from each country.

You can’t use access tokens for API requests associated with an administrator. See Retrieve and manage user API access tokens using Splunk Observability Cloud for more information.

Access tokens expire one year after the creation date. For access tokens created prior to February 28, 2022, the expiration date remains 5 years from the creation date.

Note

By default, only users who are administrators can search for and view all access tokens. You can change this default when you create or update an access token.

The default access token 🔗

By default, every organization has one organization-level access token. If you don’t create any additional tokens, every API request that sends data to Infrastructure Monitoring must use this access token.

Manage access tokens 🔗

To manage your access (org) tokens:

  1. Open the Settings menu.

  2. Select Access Tokens.

  3. To find the access token in a large list, start entering its name in the search box. Infrastructure Monitoring returns matching results.

  4. To look at the details for an access token, select the expand icon to the left of the token name.

    For information about the access token permissions enabled by the Authorization Scopes field value, see the permissions step in Create an access token.

  5. If you’re an organization administrator, the actions menu (⋯ icon) appears on the right side of the token listing. You can select token actions from this menu.

  6. To change the token visibility, follow these steps:

    1. To display the available permissions, select the right arrow in the Access Token Permissions box. The following permission options appear:

      • Only Admins can Read: Only admin users can view or read the new token. The token isn’t visible to other users.

      • Admins and Select Users or Teams can Read: Admin users and users or teams you select can view or read the new token. The token isn’t visible to anyone else.

      • Everyone can Read: Every user and team in the organization can view and read the token.

    2. To add permissions, select the left arrow below Access Token Permissions.

    3. If you selected Admins and Select Users or Teams can Read, select the users or teams to whom you want to give access:

      1. Select Add Team or User. Observability Cloud displays a list of teams and users in your organization.

      2. To find the team or username in a large list, start entering the name in the search box. Infrastructure Monitoring returns matching results. Select the user or team.

      3. If you need to add more teams or users, select Add Team or User again.

        Note

        You might see the following message in the middle of the dialog:

        You are currently giving permissions to a team with Restrict Access disabled. This means any user may join this team and will be able to access this Access Token.

        This message means that all users are able to join the team and then view or read the access token.

      4. To remove a team or user, select the delete icon (X) next to the team or username.

    4. To update the token, select Update.

View and copy access tokens 🔗

To view the value of an access token, select the token name and then select Show Token.

To copy the token value, select Copy. You don’t need to be an administrator to view or copy an access token.

Create an access token 🔗

Note

To do the following tasks, you must be an organization administrator.

To create an access token:

  1. Open the Observability Cloud main menu.

  2. Select Settings and select Access Tokens.

  3. Select New Token. If your organization has a long list of access tokens, you might need to scroll down to the bottom of the list to access this button.

  4. Enter a unique token name. If you enter a token name that is already in use, even if the token is disabled, Infrastructure Monitoring doesn’t accept the name.

  5. Select an authorization scope for the token from one of the following values:

    Tip

    Assign only one authorization scope to each token. Applying both the API and Ingest authorization scopes to the same token might raise a security concern.

    • RUM Token: Select this authorization scope to use the token to authenticate with RUM ingest endpoints. These endpoints use the following base URL: https://rum-ingest.<REALM>.signalfx.com/v1/rum.

      Caution

      RUM displays the RUM token in URIs that are visible in a browser. To preserve security, you can’t assign the Ingest or API authorization scope to a RUM token.

    • Ingest Token: Select this authorization scope to use the token to authenticate with data ingestion endpoints. These endpoints use the following base URLs:

      • POST https://ingest.<REALM>.signalfx.com/v2/datapoint

      • POST https://ingest.<REALM>.signalfx.com/v2/datapoint/otlp

      • POST https://ingest.<REALM>.signalfx.com/v2/event

      • POST https://ingest.<REALM>.signalfx.com/v1/trace

      For information about these endpoints, see Send Monitoring Metrics and Custom Events.

    • API Token: Select this authorization scope to use the token to authenticate with Infrastructure Monitoring endpoints. Example use cases are Terraform, programmatic usage of the API for business objects, and so on. These endpoints use the following base URLs:

      • https://api.<REALM>.signalfx.com

      • wss://stream.<REALM>.signalfx.com

      For information about these endpoints, see Summary of Splunk Infrastructure Monitoring API Endpoints.

  6. Edit the visibility permissions:

    1. To display the available permissions, select the right arrow in the Access Token Permissions box. The following permission options appear:

      • Only Admins can Read: Only admin users can view or read the new token. The token isn’t visible to other users.

      • Admins and Select Users or Teams can Read: Admin users and users or teams you select can view or read the new token. The token isn’t visible to anyone else.

      • Everyone can Read: Every user and team in the organization can view and read the token.

    2. To add permissions, select the left arrow below Access Token Permissions.

  7. If you selected Admins and Select Users or Teams can Read, specify the users or teams to whom you want to give access:

    1. Select Add Team or User. Observability Cloud displays a list of teams and users in your organization.

    2. To find the team or username in a large list, start entering the name in the search box. Infrastructure Monitoring returns matching results. Select the user or team.

    3. To add more teams or users, select Add Team or User again.

      Note

      You might see the following message in the middle of the dialog:

      You are currently giving permissions to a team with Restrict Access disabled. This means any user may join this team and will be able to access this Access Token.

      This message means that all users are able to join the team and then view or read the access token.

    4. To remove a team or user, select the delete icon (X) next to the team or username.

  8. To create the new token, select Create.

Rename an access token 🔗

To rename a token:

  1. Select Edit Token from the token’s actions menu (⋯ icon).

  2. Enter a new name for the token.

  3. Select OK.

Renaming a token does not affect the value of the token.

Disable or enable an access token 🔗

Note

You can’t delete tokens; you can only disable them.

To disable a token, select Disable from the token’s actions menu (⋯ icon). The line that displays the token has a shaded background, which indicates that the token is disabled. The UI displays disabled tokens at the end of the tokens list, after the enabled tokens.

To enable a disabled token, select Enable from the disabled token’s actions menu (⋯ icon). The line that displays the token has a light background, which indicates that the token is enabled.