Apps on Azure Blog

14 MIN READ

Get started with Datadog MCP server in Azure SRE Agent

dbandaru

Microsoft

Feb 25, 2026

Connect Azure SRE Agent to Datadog's observability platform using the official Datadog MCP server for logs, metrics, traces, incidents, and more.

Overview

The Datadog MCP server is a cloud-hosted bridge between your Datadog organization and Azure SRE Agent. Once configured, it enables real-time interaction with logs, metrics, APM traces, monitors, incidents, dashboards, and other Datadog data through natural language. All actions respect your existing Datadog RBAC permissions.

The server uses Streamable HTTP transport with two custom headers (DD_API_KEY and DD_APPLICATION_KEY) for authentication. Azure SRE Agent connects directly to the Datadog-hosted endpoint—no npm packages, local proxies, or container deployments are required. The SRE Agent portal includes a dedicated Datadog MCP server connector type that pre-populates the required header keys for streamlined setup.

Key capabilities

Area	Capabilities
Logs	Search and analyze logs with SQL-based queries, filter by facets and time ranges
Metrics	Query metric values, explore available metrics, get metric metadata and tags
APM	Search spans, fetch complete traces, analyze trace performance, compare traces
Monitors	Search monitors, validate configurations, inspect monitor groups and templates
Incidents	Search and get incident details, view timeline and responders
Dashboards	Search and list dashboards by name or tag
Hosts	Search hosts by name, tags, or status
Services	List services and map service dependencies
Events	Search events including monitor alerts, deployments, and custom events
Notebooks	Search and retrieve notebooks for investigation documentation
RUM	Search Real User Monitoring events for frontend observability

[!NOTE] This is the official Datadog-hosted MCP server (Preview). The server exposes 16+ core tools with additional toolsets available for alerting, APM, Database Monitoring, Error Tracking, feature flags, LLM Observability, networking, security, software delivery, and Synthetic tests. Tool availability depends on your Datadog plan and RBAC permissions.

Prerequisites

Azure SRE Agent resource deployed in Azure
Datadog organization with an active plan
Datadog user account with appropriate RBAC permissions
API key: Created from Organization Settings > API Keys
Application key: Created from Organization Settings > Application Keys with MCP Read and/or MCP Write permissions
Your organization must be allowlisted for the Datadog MCP server Preview

Step 1: Create API and Application keys

The Datadog MCP server requires two credentials: an API key (identifies your organization) and an Application key (authenticates the user and defines permission scope). Both are created in the Datadog portal.

Create an API key

Log in to your Datadog organization (use your region-specific URL if applicable—e.g., app.datadoghq.eu for EU1)
Select your account avatar in the bottom-left corner of the navigation bar
Select Organization Settings
In the left sidebar, select API Keys (under the Access section)
Direct URL: https://app.datadoghq.com/organization-settings/api-keys
Select + New Key in the top-right corner
Enter a descriptive name (e.g., sre-agent-mcp)
Select Create Key
Copy the key value immediately—it is shown only once. If lost, you must create a new key.

[!TIP] API keys are organization-level credentials. Any Datadog Admin or user with the API Keys Write permission can create them. The API key alone does not grant data access—it must be paired with an Application key.

Create an Application key

From the same Organization Settings page, select Application Keys in the left sidebar
Direct URL: https://app.datadoghq.com/organization-settings/application-keys
Select + New Key in the top-right corner
Enter a descriptive name (e.g., sre-agent-mcp-app)
Select Create Key
Copy the key value immediately—it is shown only once

Add MCP permissions to the Application key

After creating the Application key, you must grant it the MCP-specific scopes:

In the Application Keys list, locate the key you just created
Select the key name to open its detail panel
In the detail panel, find the Scopes section and select Edit
Search for MCP in the scopes search box
Check MCP Read to enable read access to Datadog data via MCP tools
Optionally check MCP Write if your agent needs to create or modify resources (e.g., feature flags, Synthetic tests)
Select Save

[!NOTE] If you don't see the MCP Read or MCP Write scopes, your organization may not be enrolled in the Datadog MCP server preview. Contact your Datadog account representative to request access.

Required permissions summary

Permission	Description	Required?
`MCP Read`	Read access to Datadog data via MCP tools (logs, metrics, traces, monitors, etc.)	Yes
`MCP Write`	Write access for mutating operations (creating feature flags, editing Synthetic tests, etc.)	Optional

[!IMPORTANT] For production use, create keys from a service account rather than a personal account. Navigate to Organization Settings > Service Accounts to create one. This ensures the integration continues to work if team members leave the organization. Apply the principle of least privilege—grant only MCP Read unless write operations are needed.

[!TIP] Use scoped Application keys to restrict access to only the permissions your agent needs. This limits blast radius if a key is compromised.

Step 2: Add the MCP connector

Connect the Datadog MCP server to your SRE Agent using the portal. The portal includes a dedicated Datadog connector type that pre-populates the required configuration.

Determine your regional endpoint

Select the endpoint URL that matches your Datadog organization's region:

Region	Endpoint URL
US1 (default)	`https://mcp.datadoghq.com/api/unstable/mcp-server/mcp`
US3	`https://mcp.us3.datadoghq.com/api/unstable/mcp-server/mcp`
US5	`https://mcp.us5.datadoghq.com/api/unstable/mcp-server/mcp`
EU1	`https://mcp.datadoghq.eu/api/unstable/mcp-server/mcp`
AP1	`https://mcp.ap1.datadoghq.com/api/unstable/mcp-server/mcp`
AP2	`https://mcp.ap2.datadoghq.com/api/unstable/mcp-server/mcp`

Using the Azure portal

In Azure portal, navigate to your SRE Agent resource
Select Builder > Connectors
Select Add connector
Select Datadog MCP server and select Next

Select "Datadog MCP server" as the connector type in the Add a connector dialog

Configure the connector:

Field	Value
Name	`datadog-mcp`
Connection type	Streamable-HTTP (pre-selected)
URL	`https://mcp.datadoghq.com/api/unstable/mcp-server/mcp` (change for non-US1 regions)
Authentication	Custom headers (pre-selected, disabled)
DD_API_KEY	Your Datadog API key
DD_APPLICATION_KEY	Your Datadog Application key

Select Next to review

Configure the Datadog MCP connector with the endpoint URL, DD_API_KEY, and DD_APPLICATION_KEY fields

Select Add connector

[!NOTE] The Datadog connector type pre-populates both header keys (DD_API_KEY and DD_APPLICATION_KEY) and sets the authentication method to "Custom headers" automatically. The default URL is the US1 endpoint—update it if your organization is in a different region.

[!NOTE] Once the connector shows Connected status, the Datadog MCP tools are automatically available to your agent. You can verify by checking the tools list in the connector details.

Connectors list showing datadog-mcp with Connected status

Step 3: Create a Datadog subagent (optional)

Create a specialized subagent to give the AI focused Datadog observability expertise and better prompt responses.

Navigate to Builder > Subagents
Select Add subagent
Paste the following YAML configuration:

api_version: azuresre.ai/v1
kind: AgentConfiguration
metadata:
  owner: your-team@contoso.com
  version: "1.0.0"
spec:
  name: DatadogObservabilityExpert
  display_name: Datadog Observability Expert

  system_prompt: |
    You are a Datadog observability expert with access to logs, metrics, APM
    traces, monitors, incidents, dashboards, hosts, services, and more via
    the Datadog MCP server.

    ## Capabilities

    ### Logs
    - Search logs using facets, tags, and time ranges with `search_datadog_logs`
    - Perform SQL-based log analysis with `analyze_datadog_logs` for aggregations,
      grouping, and statistical queries
    - Correlate log entries with traces and metrics

    ### Metrics
    - Query metric time series with `get_datadog_metric`
    - Get metric metadata, tags, and context with `get_datadog_metric_context`
    - Discover available metrics with `search_datadog_metrics`

    ### APM (Application Performance Monitoring)
    - Fetch complete traces with `get_datadog_trace`
    - Search distributed traces and spans with `search_datadog_spans`
    - Analyze service-level performance and latency patterns
    - Map service dependencies with `search_datadog_service_dependencies`

    ### Monitors & Alerting
    - Search monitors by name, tag, or status with `search_datadog_monitors`
    - Investigate triggered monitors and alert history
    - Correlate monitor alerts with underlying metrics and logs

    ### Incidents
    - Search incidents with `search_datadog_incidents`
    - Get incident details, timeline, and responders with `get_datadog_incident`
    - Correlate incidents with monitors, logs, and traces

    ### Infrastructure
    - Search hosts by name, tag, or status with `search_datadog_hosts`
    - List and discover services with `search_datadog_services`
    - Search dashboards with `search_datadog_dashboards`
    - Search events (monitor alerts, deployments) with `search_datadog_events`

    ### Notebooks
    - Search notebooks with `search_datadog_notebooks`
    - Retrieve notebook content with `get_datadog_notebook`

    ### Real User Monitoring
    - Search RUM events for frontend performance data with `search_datadog_rum_events`

    ## Best Practices

    When investigating incidents:
    - Start with `search_datadog_incidents` or `get_datadog_incident` for context
    - Check related monitors with `search_datadog_monitors`
    - Correlate with `search_datadog_logs` and `get_datadog_metric` for root cause
    - Use `get_datadog_trace` to inspect request flows for latency issues
    - Check `search_datadog_hosts` for infrastructure-level problems

    When analyzing logs:
    - Use `analyze_datadog_logs` for SQL-based aggregation queries
    - Use `search_datadog_logs` for individual log retrieval and filtering
    - Include time ranges to narrow results and reduce response size
    - Filter by service, host, or status to focus on relevant data

    When working with metrics:
    - Use `search_datadog_metrics` to discover available metric names
    - Use `get_datadog_metric_context` to understand metric tags and metadata
    - Use `get_datadog_metric` to query actual metric values with time ranges

    When handling errors:
    - If access is denied, explain which RBAC permission is needed
    - Suggest the user verify their Application key has `MCP Read` or `MCP Write`
    - For large traces that appear truncated, note this is a known limitation

  mcp_connectors:
    - datadog-mcp

  handoffs: []

Select Save

[!NOTE] The mcp_connectors field references the connector name you created in Step 2. This gives the subagent access to all tools provided by the Datadog MCP server.

Step 4: Add a Datadog skill (optional)

Skills provide contextual knowledge and best practices that help agents use tools more effectively. Create a Datadog skill to give your agent expertise in log queries, metric analysis, and incident investigation workflows.

Navigate to Builder > Skills
Select Add skill
Paste the following skill configuration:

api_version: azuresre.ai/v1
kind: SkillConfiguration
metadata:
  owner: your-team@contoso.com
  version: "1.0.0"
spec:
  name: datadog_observability
  display_name: Datadog Observability

  description: |
    Expertise in Datadog's observability platform including logs, metrics, APM,
    monitors, incidents, dashboards, hosts, and services. Use for searching logs,
    querying metrics, investigating incidents, analyzing traces, inspecting
    monitors, and navigating Datadog data via the Datadog MCP server.

  instructions: |
    ## Overview

    Datadog is a cloud-scale observability platform for logs, metrics, APM traces,
    monitors, incidents, infrastructure, and more. The Datadog MCP server enables
    natural language interaction with your organization's Datadog data.

    **Authentication:** Two custom headers—`DD_API_KEY` (API key) and
    `DD_APPLICATION_KEY` (Application key with MCP permissions). All actions
    respect existing RBAC permissions.

    **Regional endpoints:** The MCP server URL varies by Datadog region (US1,
    US3, US5, EU1, AP1, AP2). Ensure the connector URL matches your organization's
    region.

    ## Searching Logs

    Use `search_datadog_logs` for individual log retrieval and `analyze_datadog_logs`
    for SQL-based aggregation queries.

    **Common log search patterns:**

    ```
    # Errors from a specific service
    service:payment-api status:error

    # Logs from a host in the last hour
    host:web-prod-01

    # Logs containing a specific trace ID
    trace_id:abc123def456

    # Errors with a specific HTTP status
    @http.status_code:500 service:api-gateway

    # Logs from a Kubernetes pod
    kube_namespace:production kube_deployment:checkout-service
    ```

    **SQL-based log analysis with `analyze_datadog_logs`:**

    ```sql
    -- Count errors by service in the last hour
    SELECT service, count(*) as error_count
    FROM logs
    WHERE status = 'error'
    GROUP BY service
    ORDER BY error_count DESC

    -- Average response time by endpoint
    SELECT @http.url_details.path, avg(@duration) as avg_duration
    FROM logs
    WHERE service = 'api-gateway'
    GROUP BY @http.url_details.path
    ```

    ## Querying Metrics

    Use `search_datadog_metrics` to discover metrics, `get_datadog_metric_context`
    for metadata, and `get_datadog_metric` for time series data.

    **Common metric patterns:**

    ```
    # System metrics
    system.cpu.user, system.mem.used, system.disk.used

    # Container metrics
    docker.cpu.usage, kubernetes.cpu.requests

    # Application metrics
    trace.servlet.request.hits, trace.servlet.request.duration

    # Custom metrics
    app.payment.processed, app.queue.depth
    ```

    Always specify a time range when querying metrics to avoid retrieving
    excessive data.

    ## Investigating Traces

    Use `get_datadog_trace` for complete trace details and `search_datadog_spans`
    for span-level queries.

    **Trace investigation workflow:**
    1. Search for slow or errored spans with `search_datadog_spans`
    2. Get the full trace with `get_datadog_trace` using the trace ID
    3. Identify the bottleneck service or operation
    4. Correlate with `search_datadog_logs` using the trace ID
    5. Check related metrics with `get_datadog_metric`

    ## Working with Monitors

    Use `search_datadog_monitors` to find monitors by name, tag, or status.

    **Common monitor queries:**

    ```
    # Find all triggered monitors
    Search for monitors with status "Alert"

    # Find monitors for a specific service
    Search for monitors tagged with service:payment-api

    # Find monitors by name
    Search for monitors matching "CPU" or "memory"
    ```

    ## Incident Investigation Workflow

    For structured incident investigation:
    1. `search_datadog_incidents` — find recent or active incidents
    2. `get_datadog_incident` — get full incident details and timeline
    3. `search_datadog_monitors` — check which monitors triggered
    4. `search_datadog_logs` — search for errors around the incident time
    5. `get_datadog_metric` — check key metrics for anomalies
    6. `get_datadog_trace` — inspect request traces for latency or errors
    7. `search_datadog_hosts` — verify infrastructure health
    8. `search_datadog_service_dependencies` — map affected services

    ## Working with Dashboards and Notebooks

    - Use `search_datadog_dashboards` to find dashboards by title or tag
    - Use `search_datadog_notebooks` and `get_datadog_notebook` for investigation
      notebooks that document past analyses

    ## Toolsets

    The Datadog MCP server supports toolsets via the `?toolsets=` query parameter
    on the endpoint URL. Available toolsets:

    | Toolset | Description |
    |---------|-------------|
    | `core` | Logs, metrics, traces, dashboards, monitors, incidents, hosts, services, events, notebooks (default) |
    | `alerting` | Monitor validation, groups, and templates |
    | `apm` | Trace analysis, span search, Watchdog insights, performance investigation |
    | `dbm` | Database Monitoring query plans and samples |
    | `error-tracking` | Error Tracking issues across RUM, Logs, and Traces |
    | `feature-flags` | Creating, listing, and updating feature flags |
    | `llmobs` | LLM Observability spans |
    | `networks` | Cloud Network Monitoring, Network Device Monitoring |
    | `onboarding` | Guided Datadog setup and configuration |
    | `security` | Code security scanning, security signals, findings |
    | `software-delivery` | CI Visibility, Test Optimization |
    | `synthetics` | Synthetic test management |

    To enable additional toolsets, append `?toolsets=core,apm,alerting` to the
    connector URL.

    ## Troubleshooting

    | Issue | Solution |
    |-------|----------|
    | 401/403 errors | Verify API key and Application key are correct and active |
    | No data returned | Check that Application key has `MCP Read` permission |
    | Wrong region | Ensure the connector URL matches your Datadog organization's region |
    | Truncated traces | Large traces may be truncated; this is a known limitation |
    | Tool not found | The tool may require a non-default toolset; update the connector URL |
    | Write operations fail | Verify Application key has `MCP Write` permission |

  mcp_connectors:
    - datadog-mcp

Select Save

Reference the skill in your subagent

Update your subagent configuration to include the skill:

spec:
  name: DatadogObservabilityExpert
  skills:
    - datadog_observability
  mcp_connectors:
    - datadog-mcp

Step 5: Test the integration

Open a new chat session with your SRE Agent
Try these example prompts:

Log analysis

Search for error logs from the payment-api service in the last hour

Analyze logs to count errors by service over the last 24 hours

Find all logs with HTTP 500 status from the api-gateway in the last 30 minutes

Show me the most recent logs from host web-prod-01

Metrics investigation

What is the current CPU usage across all production hosts?

Show me the request rate and error rate for the checkout-service over the last 4 hours

What metrics are available for the payment-api service?

Get the p99 latency for the api-gateway service in the last hour

APM and trace analysis

Find the slowest traces for the checkout-service in the last hour

Get the full trace details for trace ID abc123def456

What services depend on the payment-api?

Search for errored spans in the api-gateway service from the last 30 minutes

Monitor and alerting workflows

Show me all monitors currently in Alert status

Find monitors related to the database-primary host

What monitors are tagged with team:platform?

Search for monitors matching "disk space" or "memory"

Incident investigation

Show me all active incidents from the last 24 hours

Get details for incident INC-12345 including the timeline

What monitors triggered during the last production incident?

Correlate the most recent incident with related logs and metrics

Infrastructure and dashboards

Search for hosts tagged with env:production and team:platform

List all dashboards related to "Kubernetes" or "EKS"

What services are running in the production environment?

Show me recent deployment events for the checkout-service

Available tools

Core toolset (default)

The core toolset is included by default and provides essential observability tools.

Tool	Description
`search_datadog_logs`	Search logs by facets, tags, and time ranges
`analyze_datadog_logs`	SQL-based log analysis for aggregations and statistical queries
`get_datadog_metric`	Query metric time series with rollup and aggregation
`get_datadog_metric_context`	Get metric metadata, tags, and related context
`search_datadog_metrics`	List and discover available metrics
`get_datadog_trace`	Fetch a complete distributed trace by trace ID
`search_datadog_spans`	Search APM spans by service, operation, or tags
`search_datadog_monitors`	Search monitors by name, tag, or status
`get_datadog_incident`	Get incident details including timeline and responders
`search_datadog_incidents`	List and search incidents
`search_datadog_dashboards`	Search dashboards by title or tag
`search_datadog_hosts`	Search hosts by name, tag, or status
`search_datadog_services`	List and search services
`search_datadog_service_dependencies`	Map service dependency relationships
`search_datadog_events`	Search events (monitor alerts, deployments, custom events)
`get_datadog_notebook`	Retrieve notebook content by ID
`search_datadog_notebooks`	Search notebooks by title or tag
`search_datadog_rum_events`	Search Real User Monitoring events

Alerting toolset

Enable with ?toolsets=core,alerting on the connector URL.

Tool	Description
`validate_datadog_monitor`	Validate monitor configuration before creation
`get_datadog_monitor_templates`	Get monitor configuration templates
`search_datadog_monitor_groups`	Search monitor groups and their statuses

APM toolset

Enable with ?toolsets=core,apm on the connector URL.

Tool	Description
`apm_search_spans`	Advanced span search with APM-specific filters
`apm_explore_trace`	Interactive trace exploration and analysis
`apm_trace_summary`	Get a summary analysis of a trace
`apm_trace_comparison`	Compare two traces side by side
`apm_analyze_trace_metrics`	Analyze aggregated trace metrics and trends

Database Monitoring toolset

Enable with ?toolsets=core,dbm on the connector URL.

Tool	Description
`search_datadog_dbm_plans`	Search database query execution plans
`search_datadog_dbm_samples`	Search database query samples and statistics

Error Tracking toolset

Enable with ?toolsets=core,error-tracking on the connector URL.

Tool	Description
`search_datadog_error_tracking_issues`	Search error tracking issues across RUM, Logs, and Traces
`get_datadog_error_tracking_issue`	Get details of a specific error tracking issue

Feature Flags toolset

Enable with ?toolsets=core,feature-flags on the connector URL.

Tool	Description
`list_datadog_feature_flags`	List feature flags
`create_datadog_feature_flag`	Create a new feature flag
`update_datadog_feature_flag_environment`	Update feature flag settings for an environment

LLM Observability toolset

Enable with ?toolsets=core,llmobs on the connector URL.

Tool	Description
LLM Observability spans	Query and analyze LLM Observability span data

Networks toolset

Enable with ?toolsets=core,networks on the connector URL.

Tool	Description
Cloud Network Monitoring tools	Analyze cloud network traffic and dependencies
Network Device Monitoring tools	Monitor and troubleshoot network devices

Security toolset

Enable with ?toolsets=core,security on the connector URL.

Tool	Description
`datadog_code_security_scan`	Run code security scanning
`datadog_sast_scan`	Run Static Application Security Testing
`datadog_secrets_scan`	Scan for secrets and credentials in code

Software Delivery toolset

Enable with ?toolsets=core,software-delivery on the connector URL.

Tool	Description
`search_datadog_ci_pipeline_events`	Search CI pipeline execution events
`get_datadog_flaky_tests`	Identify flaky tests in CI pipelines

Synthetics toolset

Enable with ?toolsets=core,synthetics on the connector URL.

Tool	Description
`get_synthetics_tests`	List and get Synthetic test configurations
`edit_synthetics_tests`	Edit Synthetic test settings
`synthetics_test_wizard`	Guided wizard for creating Synthetic tests

Toolsets

The Datadog MCP server organizes tools into toolsets. By default, only the core toolset is enabled. To enable additional toolsets, append the ?toolsets= query parameter to the connector URL.

Syntax

https://mcp.datadoghq.com/api/unstable/mcp-server/mcp?toolsets=core,apm,alerting

Examples

Use case	URL suffix
Default (core only)	No suffix needed
Core + APM analysis	`?toolsets=core,apm`
Core + Alerting + APM	`?toolsets=core,alerting,apm`
Core + Database Monitoring	`?toolsets=core,dbm`
Core + Security scanning	`?toolsets=core,security`
Core + CI/CD visibility	`?toolsets=core,software-delivery`
All toolsets	`?toolsets=core,alerting,apm,dbm,error-tracking,feature-flags,llmobs,networks,onboarding,security,software-delivery,synthetics`

[!TIP] Only enable the toolsets you need. Each additional toolset increases the number of tools exposed to the agent, which can increase token usage and may impact response quality. Start with core and add toolsets as needed.

Updating the connector URL

To add toolsets after initial setup:

Navigate to Builder > Connectors
Select the datadog-mcp connector
Update the URL field to include the ?toolsets= parameter
Select Save

Troubleshooting

Authentication issues

Error	Cause	Solution
`401 Unauthorized`	Invalid API key or Application key	Verify both keys are correct and active in Organization Settings
`403 Forbidden`	Missing RBAC permissions	Ensure the Application key has `MCP Read` and/or `MCP Write` permissions
Connection refused	Wrong regional endpoint	Verify the connector URL matches your Datadog organization's region
"Organization not allowlisted"	Preview access not granted	Contact Datadog support to request MCP server Preview access

Data and permission issues

Error	Cause	Solution
No data returned	Insufficient permissions or wrong time range	Verify Application key permissions; try a broader time range
Tool not found	Tool belongs to a non-default toolset	Add the required toolset to the `?toolsets=` parameter in the connector URL
Truncated trace data	Trace exceeds size limit	Large traces are truncated for context window efficiency; query specific spans instead
Write operation failed	Missing `MCP Write` permission	Add `MCP Write` permission to the Application key
Metric not found	Wrong metric name or no data in time range	Use `search_datadog_metrics` to discover available metric names

Verify the connection

Test the server endpoint directly:

curl -I "https://mcp.datadoghq.com/api/unstable/mcp-server/mcp" \
  -H "DD_API_KEY: <your_api_key>" \
  -H "DD_APPLICATION_KEY: <your_application_key>"

Expected response: 200 OK confirms authentication is working.

Re-authorize the integration

If you encounter persistent issues:

Navigate to Organization Settings > Application Keys in Datadog
Revoke the existing Application key
Create a new Application key with the required MCP Read/MCP Write permissions
Update the connector in the SRE Agent portal with the new key

Limitations

Limitation	Details
Preview only	The Datadog MCP server is in Preview and not recommended for production use
Allowlisted organizations	Only organizations that have been allowlisted by Datadog can access the MCP server
Large trace truncation	Responses are optimized for LLM context windows; large traces may be truncated
Unstable API path	The endpoint URL contains `/unstable/` indicating the API may change without notice
Toolset availability	Some toolsets may not be available depending on your Datadog plan and features enabled
Regional endpoints	You must use the endpoint matching your organization's region; cross-region queries are not supported

Security considerations

How permissions work

RBAC-scoped: All actions respect the RBAC permissions associated with the API and Application keys
Key-based: Access is controlled through API key (organization-level) and Application key (user or service account-level)
Permission granularity: MCP Read enables read operations; MCP Write enables mutating operations

Admin controls

Datadog administrators can: - Create and revoke API and Application keys in Organization Settings - Assign granular RBAC permissions (MCP Read, MCP Write) to Application keys - Use service accounts to decouple access from individual user accounts - Monitor MCP tool usage through the Datadog Audit Trail - Scope Application keys to limit the blast radius of compromised credentials

[!IMPORTANT] The Datadog MCP server can read sensitive operational data including logs, metrics, and traces. Use service accounts with scoped Application keys, grant only the permissions your agent needs, and monitor the Audit Trail for unusual activity.

Updated Feb 25, 2026

Version 3.0

azure sre agent