Activation required. AI access management must be enabled for your tenant before you can use it. To get started, contact the C1 support team for a walkthrough.
- An API key identifies your organization to Datadog.
- An application key authorizes a user or role to read and write data.
How C1 connects to Datadog
C1 hosts the Datadog MCP server, so your users’ AI clients only ever see MCP tools — they never call Datadog directly. When an AI client calls one of these tools, C1 makes the matching request to the Datadog REST API using the credentials you configure here, then returns the result to the AI client. The credentials you set up below are what C1 uses to call Datadog on your users’ behalf.Before you begin
- AI access management must be enabled for your tenant. See Enable AI access management.
- You need a Datadog user with permission to manage keys, typically the Datadog Admin role.
- Know which Datadog site your organization uses. See Find your Datadog site.
Find your Datadog site
Datadog hosts each organization on a regional site with its own API host. You’ll select this site when you register the server in C1. To find yours, match the host in your browser’s address bar while you’re signed in to Datadog.| Site | Web host | API host |
|---|---|---|
| US1 | app.datadoghq.com | api.datadoghq.com |
| US3 | us3.datadoghq.com | api.us3.datadoghq.com |
| US5 | us5.datadoghq.com | api.us5.datadoghq.com |
| EU1 | app.datadoghq.eu | api.datadoghq.eu |
| AP1 | ap1.datadoghq.com | api.ap1.datadoghq.com |
| AP2 | ap2.datadoghq.com | api.ap2.datadoghq.com |
| US1-FED | app.ddog-gov.com | api.ddog-gov.com |
| US2-FED | us2.ddog-gov.com | api.us2.ddog-gov.com |
Create a Datadog API key
Create an API key in your Datadog organization to identify it to C1.
API keys are organization-level. They don’t expire by default and aren’t tied to a specific user.
Create a Datadog application key
Create an application key to authorize C1 to call the Datadog API.Optional. Under Authorization Scopes, select Limit Authorization Scopes and grant only the scopes your tools need. The right scopes depend on which Datadog tools you plan to expose — read-only tools need scopes like
dashboards_read and monitors_read, while tools that take action (such as creating monitors or updating incidents) need the corresponding write scopes. For a full list of available scopes, see Datadog’s API and application keys reference. If you don’t limit scopes, the application key inherits all of the creating user’s permissions.How Datadog credentials are shared
The Datadog MCP server uses a single shared credential. The API key and application key you provide are used for every user’s tool calls, so Datadog sees all activity as one identity — the user or service account that owns the application key. C1 still attributes each call to the individual user who made it in the AI tool usage audit log. To keep that shared identity attributable to C1 rather than a person, create the application key from a dedicated service-account user, as described in Create a Datadog application key. For how shared and per-user credentials work across MCP servers, see Configure authentication.Register the Datadog MCP server in C1
With both keys ready, register the server and provide your credentials.Follow Register an MCP server and select Datadog from the catalog.
When you configure authentication, provide the credentials Datadog needs:
- Your Datadog site from Find your Datadog site
- Your API key
- Your application key
Discover and govern tools
After you register the server, C1 runs tool discovery against Datadog. Discovered tools appear on the server’s Tools tab. Each tool starts as either Pending review or automatically Approved, depending on the option chosen when the server was set up or your tenant’s default tool settings in Settings > AI Connections. See Require tool approval and Default tool classification for details. Before anyone can call a Datadog tool, it must be approved, added to a toolset, and bound to an access profile. Continue to Govern tools and toolsets to complete this setup.Tool discovery runs even if your credentials are incorrect, so seeing discovered tools doesn’t confirm that authentication is working. You confirm your Datadog credentials when an approved user successfully calls a Datadog tool from their AI client.
Manage your Datadog credentials
You can rotate either key or adjust the application key’s scopes at any time without re-registering the server.- Rotate the API key in Organization Settings > API Keys in Datadog, then update the credential on the server’s authentication settings in C1.
- Rotate the application key the same way under Application Keys. If you used a service-account user, keep that account active so the key stays valid.
- Adjust scopes at any time by editing the application key’s authorization scopes in Datadog.