> ## Documentation Index
> Fetch the complete documentation index at: https://docs.mcpmanager.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Connect Datadog

> Connect Datadog's MCP server to MCP Manager: enable MCP at the organization level, create a dedicated service account, generate an application key scoped to mcp_read (and optionally mcp_write), resolve the region-specific MCP URL for your Datadog site, and add the server with DD-API-KEY and DD-APPLICATION-KEY headers.

Datadog exposes an MCP server, but it doesn't connect with a single OAuth click. It authenticates with **token headers** — a Datadog **API key** plus an **application key** scoped to MCP permissions — and its URL is **specific to your Datadog site** (region).

<Note>
  When you connect a Datadog MCP URL, MCP Manager's [authentication detection](/mcp-server-guides/overview#how-mcp-manager-detects-the-authentication-type) lands on **Token in custom headers** — Datadog doesn't use OAuth for this server. You'll provide two header values rather than approving a consent screen.
</Note>

<Info>
  This guide is a convenience based on Datadog's setup at the time of writing. **Datadog's own [MCP Server documentation](https://docs.datadoghq.com/mcp_server/) is authoritative** and may be more current. The requirements below — enabling MCP, scoping keys, the region-specific URL — come from Datadog, not from MCP Manager. If a step here has drifted or a connection problem is specific to how Datadog works, **Datadog support** is the fastest path to an answer.
</Info>

## Before you start

Bring the following before you open MCP Manager:

* **A Datadog account on a commercial site.** Datadog **government** sites are not supported.
* **Admin access to enable MCP**, or an administrator who can. MCP is an organization-level toggle that's off until someone turns it on.
* **Your Datadog site (region).** The MCP URL differs per site — `datadoghq.com` (US1), `us5.datadoghq.com`, `datadoghq.eu`, and so on. You can see your site in the URL bar when you're logged into Datadog. This is the detail people most often get wrong.
* **The ability to create a service account and an application key**, with the `mcp_read` permission (and `mcp_write` only if you need write access).

<Tip>
  Use a **dedicated service account** (for example, `MCP Manager <mcp-manager-service-account@yourdomain.com>`) rather than your personal Datadog login. The connection then survives someone leaving the team, and every Datadog action through MCP Manager is attributable to a clearly named non-human identity.
</Tip>

## Connect the server

<Steps>
  <Step title="Enable MCP at the organization level">
    A Datadog administrator turns MCP on org-wide: **Organization Settings → Preferences**, then toggle on **MCP Access**. Enable **MCP Write Access** only if your users need to create or modify resources — leave it off for read-only access.
  </Step>

  <Step title="Create a dedicated service account">
    In **Organization Settings → Service Accounts**, create an account for the connection — for example, name it `MCP Manager` with the email `mcp-manager-service-account@yourdomain.com`. Assign whatever role makes sense for your use case, but we recommend selecting the least amount of privilege required for your use case. Make note of the role you selected, as you'll need it in the next step.
  </Step>

  <Step title="Grant the service account MCP permissions">
    Make sure the service account's role has the `mcp_read` permission (**Organization Settings → Roles →** edit the role **→ Permissions →** search `mcp`). Add `mcp_write` only if you enabled write access in step 1 and your users need it.

    | Permission  | Grants                                                   |
    | ----------- | -------------------------------------------------------- |
    | `mcp_read`  | Read-only access to monitors, logs, dashboards, services |
    | `mcp_write` | Create and modify resources                              |
  </Step>

  <Step title="Create an API key and an application key">
    Datadog's MCP server needs **two** keys:

    * An **API Key** — created at **Organization Settings → API Keys**. This identifies your organization.
    * An **Application Key** — created on the service account at **Organization Settings → Service Accounts →** ***(your account)***. Scope it to `mcp_read` (and `mcp_write` if needed).

    <Info>
      **Do not** be misled by the root level **Application Keys** navigation item, for maximum security and control create your **Application Keys** through a **Service Account**.
    </Info>

    Copy both values now; the application key is shown only once.
  </Step>

  <Step title="Resolve the MCP URL for your site">
    The MCP endpoint is your Datadog site with an `mcp.` prefix and the path `/api/unstable/mcp-server/mcp`:

    | Datadog site              | MCP server URL                                              |
    | ------------------------- | ----------------------------------------------------------- |
    | `datadoghq.com` (US1)     | `https://mcp.datadoghq.com/api/unstable/mcp-server/mcp`     |
    | `us3.datadoghq.com` (US3) | `https://mcp.us3.datadoghq.com/api/unstable/mcp-server/mcp` |
    | `us5.datadoghq.com` (US5) | `https://mcp.us5.datadoghq.com/api/unstable/mcp-server/mcp` |
    | `datadoghq.eu` (EU1)      | `https://mcp.datadoghq.eu/api/unstable/mcp-server/mcp`      |
    | `ap1.datadoghq.com` (AP1) | `https://mcp.ap1.datadoghq.com/api/unstable/mcp-server/mcp` |
    | `ap2.datadoghq.com` (AP2) | `https://mcp.ap2.datadoghq.com/api/unstable/mcp-server/mcp` |

    These are the six commercial sites Datadog supports. The rule is the same for each: prepend `mcp.` to your site domain. If you want to restrict which tools are exposed, you can append `?toolsets=all` (or a narrower set) to the URL.
  </Step>

  <Step title="Add the server in MCP Manager">
    On the [Servers](https://app.mcpmanager.ai/settings/servers) page, add a server, paste your region-specific URL. DataDog's server URL should be automatically detected and you will be prompted to fill out the following two headers:

    ```text Headers theme={null}
    DD_API_KEY: <your-api-key>
    DD_APPLICATION_KEY: <your-application-key>
    ```

    Save, and MCP Manager will store both values encrypted and attach them to every request it makes to Datadog. The server's tools are now available to add to a gateway.
  </Step>
</Steps>

## Gotchas & things to keep in mind

* **Region mismatch is the #1 failure.** The MCP host is tied to your Datadog site — `mcp.datadoghq.com`, `mcp.us5.datadoghq.com`, and `mcp.datadoghq.eu` are *different servers*. Using the wrong one fails to connect even with valid keys. Confirm your site before pasting.
* **You need both keys, with the exact header names.** The API key and application key are different things, and Datadog's header names use **underscores** — `DD_API_KEY` and `DD_APPLICATION_KEY` — not the hyphenated form (`DD-API-KEY`) you might expect from typical HTTP headers. Copy them exactly as shown in Datadog's official example.
* **`unstable` in the path is expected.** Datadog's MCP server is a preview API (note `/api/unstable/` in the URL). The endpoint and its tools may change as Datadog evolves it.
* **Read vs. write is governed in two places.** It's off unless both the org-level **MCP Write Access** toggle *and* the role's `mcp_write` permission are enabled. Leave write off unless you specifically need it — it's the safer default and easy to grant later.
* **This is a shared, service-account credential.** Because Datadog uses token headers rather than per-user OAuth here, everyone on the gateway acts as the service account. Make the identity **Global** if the team is meant to share it, and rely on MCP Manager's logs (not Datadog's) for per-person attribution. See [per-user versus shared identity](/security/authentication-and-identity#per-user-identity-versus-shared-identity).
* **Government sites aren't supported.** Datadog doesn't offer the MCP Server on its FedRAMP/GovCloud sites (`ddog-gov.com`, `us2.ddog-gov.com`) — it's a preview feature not yet available in that environment. This is a Datadog-side limitation, not an MCP Manager one.
* **Rate limits apply per user:** roughly 50 requests / 10 seconds, 5,000 calls per day, and 50,000 per month. High-volume agents should expect throttling.

## Further reading

<CardGroup cols={2}>
  <Card title="Find & Connect MCP Servers" icon="compass" href="/mcp-server-guides/overview">
    How MCP Manager detects authentication type, and how to find other servers' URLs.
  </Card>

  <Card title="Token in custom headers" icon="key" href="/security/authentication-and-identity#token-in-custom-headers">
    The authentication method Datadog uses, in depth.
  </Card>

  <Card title="Export logs to Datadog" icon="chart-line" href="/enterprise/export-to-siem/datadog">
    The other direction — stream MCP Manager's audit logs into Datadog.
  </Card>

  <Card title="Identities for remote servers" icon="id-badge" href="/mcp-gateway-concepts/mcp-servers/remote#identities-for-remote-servers">
    Private versus Global availability for the credential you just created.
  </Card>
</CardGroup>

## External sources

<CardGroup cols={2}>
  <Card title="Datadog MCP Server documentation" icon="dog" href="https://docs.datadoghq.com/mcp_server/">
    Datadog's authoritative reference for the MCP Server — availability, capabilities, and the supported sites.
  </Card>

  <Card title="Set Up the Datadog MCP Server" icon="gear" href="https://docs.datadoghq.com/mcp_server/setup/">
    Datadog's own setup steps, including the per-site MCP URL selector.
  </Card>
</CardGroup>
