Docs » Authentication and Security » Create and manage authentication tokens using Splunk Observability Cloud » Create and manage organization access tokens using Splunk Observability Cloud

Create and manage organization access tokens using Splunk Observability Cloud 🔗

Access tokens, also known as org tokens, are long-lived organization-level tokens. You can use access tokens in all API requests except those that require a token associated with a user who has administrative access. See Retrieve and manage user API access tokens using Splunk Observability Cloud for more information.

Use access tokens to:

  • Send data points to Splunk Observability Cloud with API calls.

  • Run scripts that call the API.

  • Manage your resource by tracking usage for different groups of users, services, teams, and so on. For example, you have users in the U.S. and Canada sending data to Splunk Observability Cloud. You can give each group its specific access token to compare the amount of data coming from each country.

Note

By default, only users who are administrators can search for and view all access tokens. You can change this default when you create or update an access token.

Power users who have access to tokens in an organization see a banner, but only admins will get an email saying that the tokens must be rotated.

Token expiry 🔗

Access tokens expire one year after the creation date. For access tokens created prior to February 28, 2022, the expiration date remains 5 years from the creation date. You can rotate a token before it expires using the Splunk Observability Cloud API. For details, see Rotate an access token.

All of an organizations admins will receive an email 30 days before a token in their org expires. The email includes a link to the Splunk Observability Cloud user interface that displays a list of expiring tokens. These email notifications are sent to all org admins and can’t be customized.

The default access token 🔗

By default, every organization has one organization-level access token. If you don’t create any additional tokens, every API request that sends data to Splunk Observability Cloud must use this access token.

Manage access tokens 🔗

To manage your access (org) tokens:

  1. Open the Settings menu.

  2. Select Access Tokens.

  3. To find the access token in a large list, start entering its name in the search box. Splunk Observability Cloud returns matching results.

  4. To look at the details for an access token, select the expand icon to the left of the token name.

    For information about the access token permissions allowed by the Authorization Scopes field value, see the permissions step in Create an access token.

  5. If you’re an organization administrator, the actions menu (⋯ icon) appears to the right side of the token listing. You can select token actions from this menu.

  6. To change the token visibility, follow these steps:

    1. To display the available permissions, select the right arrow in the Access Token Permissions box. The following permission options appear:

      • Only Admins can Read: Only admin users can view or read the new token. The token isn’t visible to other users.

      • Admins and Select Users or Teams can Read: Admin users and users or teams you select can view or read the new token. The token isn’t visible to anyone else.

      • Everyone can Read: Every user and team in the organization can view and read the token.

    2. To add permissions, select the left arrow below Access Token Permissions.

    3. If you selected Admins and Select Users or Teams can Read, select the users or teams to whom you want to give access:

      1. Select Add Team or User. Observability Cloud displays a list of teams and users in your organization.

      2. To find the team or username in a large list, start entering the name in the search box. Splunk Observability Cloud returns matching results. Select the user or team.

      3. If you need to add more teams or users, select Add Team or User again.

        Note

        You might see the following message in the middle of the dialog:

        You are currently giving permissions to a team with Restrict Access deactivated. This means any user can join this team and is able to access this Access Token.

        This message means that all users are able to join the team and then view or read the access token.

      4. To remove a team or user, select the delete icon (X) next to the team or username.

    4. To update the token, select Update.

View and copy access tokens 🔗

To view the value of an access token, select the token name and then select Show Token.

To copy the token value, select Copy. You don’t need to be an administrator to view or copy an access token.

Create an access token 🔗

Note

To do the following tasks, you must be an organization administrator.

To create an access token:

  1. Open the Observability Cloud main menu.

  2. Select Settings and select Access Tokens.

  3. Select New Token. If your organization has a long list of access tokens, you might need to scroll down to the bottom of the list to access this button.

  4. Enter a unique token name. If you enter a token name that is already in use, even if the token is inactive, Splunk Observability Cloud doesn’t accept the name.

  5. Select an authorization scope for the token from one of the following values:

    Note

    Assign only one authorization scope to each token. Applying both the API and Ingest authorization scopes to the same token might raise a security concern.

    • RUM Token: Select this authorization scope to use the token to authenticate with RUM ingest endpoints. These endpoints use the following base URL: https://rum-ingest.<REALM>.signalfx.com/v1/rum.

      Caution

      RUM displays the RUM token in URIs that are visible in a browser. To preserve security, you can’t assign the Ingest or API authorization scope to a RUM token.

    • Ingest Token: Select this authorization scope to use the token to authenticate with data ingestion endpoints. These endpoints use the following base URLs:

      • POST https://ingest.<REALM>.signalfx.com/v2/datapoint

      • POST https://ingest.<REALM>.signalfx.com/v2/datapoint/otlp

      • POST https://ingest.<REALM>.signalfx.com/v2/event

      • POST https://ingest.<REALM>.signalfx.com/v1/trace

      For information about these endpoints, see Sending data points .

      Note

      Use the ingest autorization scope for the Splunk Distribution of the OpenTelemetry Collector. See Get started with the Splunk Distribution of the OpenTelemetry Collector.

    • API Token: Select this authorization scope to use the token to authenticate with Splunk Observability Cloud endpoints. Example use cases are Terraform, programmatic usage of the API for business objects, and so on. These endpoints use the following base URLs:

      • https://api.<REALM>.signalfx.com

      • wss://stream.<REALM>.signalfx.com

      For information about these endpoints, see Summary of Splunk Observability Cloud API Endpoints .

  6. Edit the visibility permissions:

    1. To display the available permissions, select the right arrow in the Access Token Permissions box. The following permission options appear:

      • Only Admins can Read: Only admin users can view or read the new token. The token isn’t visible to other users.

      • Admins and Select Users or Teams can Read: Admin users and users or teams you select can view or read the new token. The token isn’t visible to anyone else.

      • Everyone can Read: Every user and team in the organization can view and read the token.

    2. To add permissions, select the left arrow below Access Token Permissions.

  7. If you selected Admins and Select Users or Teams can Read, select the users or teams to whom you want to give access:

    1. Select Add Team or User. Observability Cloud displays a list of teams and users in your organization.

    2. To find the team or username in a large list, start entering the name in the search box. Splunk Observability Cloud returns matching results. Select the user or team.

    3. To add more teams or users, select Add Team or User again.

      Note

      You might see the following message in the middle of the dialog:

      You are currently giving permissions to a team with Restrict Access deactivated. This means any user can join this team and can access this Access Token.

      This message means that all users are able to join the team and then view or read the access token.

    4. To remove a team or user, select the delete icon (X) next to the team or username.

  8. To create the new token, select Create.

Rotate an access token 🔗

You can rotate an access token using the Splunk Observability Cloud API. This creates a new secret for the token and deactivates the token’s previous secret. Optionally, you can provide a grace period before the previous token secret expires.

You can’t rotate tokens after they expire. If you don’t rotate a token before it expires, you must create a new token to replace it.

Note

You must be a Splunk Observability Cloud admin to rotate a token.

To rotate an access token, use the POST /token/{name}/rotate endpoint in the Splunk Observability Cloud API. An API call to rotate a token looks like this:

curl -X  POST "https://api.{realm}.signalfx.com/v2/token/{name}/rotate?graceful={gracePeriod}" \
   -H "Content-type: application/json" \
   -H "X-SF-TOKEN: <api-token-value>"

Follow these steps:

  1. Enter your Splunk realm in the realm field.

  2. Enter your API access token in the api-token-value field. To find or create an API access token, see Retrieve and manage user API access tokens using Splunk Observability Cloud.

  3. Provide the name of the token you want to rotate in the name field.

  4. Optionally, provide a grace period, in seconds, in the gracePeriod field.

  5. Call the API endpoint to rotate the token.

For example, the following API call rotates myToken and sets a grace period of 604800 seconds (7 days) before the previous token secret expires.

curl -X POST "https://api.us0.signalfx.com/v2/token/myToken/rotate?graceful=6048000" \
   -H "Content-type: application/json" \
   -H "X-SF-TOKEN: <123456abcd>"

To learn more about this endpoint and to see more examples of requests and responses, see the Splunk developer documentation .

Rename an access token 🔗

To rename a token:

  1. Select Edit Token from the token’s actions menu (⋯).

  2. Enter a new name for the token.

  3. Select OK.

Renaming a token does not affect the value of the token.

Note

For Cloud integrations (AWS, GCP, or Azure), after renaming an access token you need to select a new token name using the API. For AWS, you can also set up a new token in the UI.

Deactivate or activate an access token 🔗

Note

You can’t delete tokens. You can only deactivate them.

To deactivate a token, select Disable from the token’s actions menu (⋯ icon). The line that displays the token has a shaded background, which indicates that the token is inactive. The UI displays deactivated tokens at the end of the tokens list, after the activated tokens.

To activate a deactivated token, select Enable from the deactivated token’s actions menu (⋯ icon). The line that displays the token has a light background, which indicates that the token is inactive.