Datadog exposes an MCP server, but it doesn’t connect with a single OAuth click. It authenticates with token headers — a Datadog API key plus an application key scoped to MCP permissions — and its URL is specific to your Datadog site (region).
When you connect a Datadog MCP URL, MCP Manager’s authentication detection lands on Token in custom headers — Datadog doesn’t use OAuth for this server. You’ll provide two header values rather than approving a consent screen.
This guide is a convenience based on Datadog’s setup at the time of writing. Datadog’s own MCP Server documentation is authoritative and may be more current. The requirements below — enabling MCP, scoping keys, the region-specific URL — come from Datadog, not from MCP Manager. If a step here has drifted or a connection problem is specific to how Datadog works, Datadog support is the fastest path to an answer.

Before you start

Bring the following before you open MCP Manager:
  • A Datadog account on a commercial site. Datadog government sites are not supported.
  • Admin access to enable MCP, or an administrator who can. MCP is an organization-level toggle that’s off until someone turns it on.
  • Your Datadog site (region). The MCP URL differs per site — datadoghq.com (US1), us5.datadoghq.com, datadoghq.eu, and so on. You can see your site in the URL bar when you’re logged into Datadog. This is the detail people most often get wrong.
  • The ability to create a service account and an application key, with the mcp_read permission (and mcp_write only if you need write access).
Use a dedicated service account (for example, MCP Manager <support@mcpmanager.ai>) rather than your personal Datadog login. The connection then survives someone leaving the team, and every Datadog action through MCP Manager is attributable to a clearly named non-human identity.

Connect the server

1. Enable MCP at the organization level

A Datadog administrator turns MCP on org-wide: Organization Settings → Preferences, then toggle on MCP Access. Enable MCP Write Access only if your users need to create or modify resources — leave it off for read-only access.

2. Create a dedicated service account

In Organization Settings → Service Accounts, create an account for the connection — for example, name it MCP Manager with the email mcp-manager-service-account@yourdomain.com. This is the identity the keys will belong to.

3. Grant the service account MCP permissions

Make sure the service account’s role has the mcp_read permission (Organization Settings → Roles → edit the role → Permissions → search mcp). Add mcp_write only if you enabled write access in step 1 and your users need it.
Permission | Grants
mcp_read | Read-only access to monitors, logs, dashboards, services
mcp_write | Create and modify resources

4. Create an API key and an application key

Datadog’s MCP server needs two keys:
  • An API key — created at Organization Settings → API Keys. This identifies your organization.
  • An application key — created on the service account at Organization Settings → Service Accounts → (your account). Scope it to mcp_read (and mcp_write if needed).
Copy both values now; the application key is shown only once.

5. Resolve the MCP URL for your site

The MCP endpoint is your Datadog site with an mcp. prefix and the path /api/unstable/mcp-server/mcp:
Datadog site | MCP server URL
datadoghq.com (US1) | https://mcp.datadoghq.com/api/unstable/mcp-server/mcp
us3.datadoghq.com (US3) | https://mcp.us3.datadoghq.com/api/unstable/mcp-server/mcp
us5.datadoghq.com (US5) | https://mcp.us5.datadoghq.com/api/unstable/mcp-server/mcp
datadoghq.eu (EU1) | https://mcp.datadoghq.eu/api/unstable/mcp-server/mcp
ap1.datadoghq.com (AP1) | https://mcp.ap1.datadoghq.com/api/unstable/mcp-server/mcp
ap2.datadoghq.com (AP2) | https://mcp.ap2.datadoghq.com/api/unstable/mcp-server/mcp
These are the six commercial sites Datadog supports. The rule is the same for each: prepend mcp. to your site domain. If you want to restrict which tools are exposed, you can append ?toolsets=all (or a narrower set) to the URL.

6. Add the server in MCP Manager

On the Servers page, add a server, paste your region-specific URL, and click Continue. Detection resolves to Token in custom headers; provide the two headers:
Headers
DD_API_KEY: <your-api-key>
DD_APPLICATION_KEY: <your-application-key>
Save, and MCP Manager will store both values encrypted and attach them to every request it makes to Datadog. The server’s tools are now available to add to a gateway.
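
Added example (not part of the original guide, and not Datadog's or MCP Manager's code): a pre-flight check in Python that applies the step 5 URL rule and the step 6 header names before anything is pasted into MCP Manager. The function names, and the stripping of an app. or mcp. prefix from a URL copied out of the browser, are assumptions made for illustration.

```python
from urllib.parse import urlencode, urlsplit

# The six commercial sites from the table in step 5.
COMMERCIAL_SITES = {
    "datadoghq.com", "us3.datadoghq.com", "us5.datadoghq.com",
    "datadoghq.eu", "ap1.datadoghq.com", "ap2.datadoghq.com",
}
MCP_PATH = "/api/unstable/mcp-server/mcp"
REQUIRED_HEADERS = ("DD_API_KEY", "DD_APPLICATION_KEY")


def normalize_site(value):
    """Reduce a site name, or a URL copied from the browser, to a bare site domain."""
    value = value.strip().lower()
    host = urlsplit(value if "://" in value else "//" + value).hostname or ""
    # Assumption: the pasted host may carry an app. (web UI) or mcp. prefix.
    for prefix in ("app.", "mcp."):
        if host.startswith(prefix) and host[len(prefix):] in COMMERCIAL_SITES:
            host = host[len(prefix):]
    return host


def mcp_url(site, toolsets=None):
    """Build the region-specific MCP URL, refusing unsupported sites."""
    host = normalize_site(site)
    if host == "ddog-gov.com" or host.endswith(".ddog-gov.com"):
        raise ValueError(f"{host}: government sites are not supported")
    if host not in COMMERCIAL_SITES:
        raise ValueError(f"{host!r} is not one of the six commercial sites")
    query = "?" + urlencode({"toolsets": toolsets}) if toolsets else ""
    return f"https://mcp.{host}{MCP_PATH}{query}"


def check_headers(headers):
    """Return a list of problems with the two custom headers (empty list = OK)."""
    problems = []
    for name in REQUIRED_HEADERS:
        hyphenated = name.replace("_", "-")
        if name in headers:
            if not headers[name].strip() or headers[name].startswith("<"):
                problems.append(f"{name} is empty or still a placeholder")
        elif any(k.upper() == hyphenated for k in headers):
            problems.append(f"{hyphenated} found; this server expects {name}")
        else:
            problems.append(f"{name} is missing")
    return problems
```

Run it against the site you see in the browser and the header names you intend to enter; a ValueError or a non-empty problem list means the connection would fail for a reason unrelated to the key values themselves.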

Gotchas & things to keep in mind

  • Region mismatch is the #1 failure. The MCP host is tied to your Datadog site — mcp.datadoghq.com, mcp.us5.datadoghq.com, and mcp.datadoghq.eu are different servers. Using the wrong one fails to connect even with valid keys. Confirm your site before pasting.
  • You need both keys, with the exact header names. The API key and application key are different things, and Datadog’s header names use underscores (DD_API_KEY and DD_APPLICATION_KEY), not the hyphenated form (DD-API-KEY) you might expect from typical HTTP headers. Copy them exactly as shown in Datadog’s official example.
  • unstable in the path is expected. Datadog’s MCP server is a preview API (note /api/unstable/ in the URL). The endpoint and its tools may change as Datadog evolves it.
  • Read vs. write is governed in two places. Write access is off unless both the org-level MCP Write Access toggle and the role’s mcp_write permission are enabled. Leave write off unless you specifically need it — it’s the safer default and easy to grant later.
  • This is a shared, service-account credential. Because Datadog uses token headers rather than per-user OAuth here, everyone on the gateway acts as the service account. Make the identity Global if the team is meant to share it, and rely on MCP Manager’s logs (not Datadog’s) for per-person attribution. See per-user versus shared identity.
  • Government sites aren’t supported. Datadog doesn’t offer the MCP Server on its FedRAMP/GovCloud sites (ddog-gov.com, us2.ddog-gov.com) — it’s a preview feature not yet available in that environment. This is a Datadog-side limitation, not an MCP Manager one.
  • Rate limits apply per user: roughly 50 requests / 10 seconds, 5,000 calls per day, and 50,000 per month. High-volume agents should expect throttling.

Further reading

Find & Connect MCP Servers

How MCP Manager detects authentication type, and how to find other servers’ URLs.

Token in custom headers

The authentication method Datadog uses, in depth.

Export logs to Datadog

The other direction — stream MCP Manager’s audit logs into Datadog.

Identities for remote servers

Private versus Global availability for the credential you just created.

External sources

Datadog MCP Server documentation

Datadog’s authoritative reference for the MCP Server — availability, capabilities, and the supported sites.

Set Up the Datadog MCP Server

Datadog’s own setup steps, including the per-site MCP URL selector.