Skip to content

add documentation for secret refresh on invalid api-key #32973

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 8 commits into
base: master
Choose a base branch
from
Open

add documentation for secret refresh on invalid api-key #32973

Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
76688eb
add documentation for secret refresh on invalid api-key
s-alad Nov 20, 2025
df9e706
reword
s-alad Nov 20, 2025
b203a52
markdown lint
s-alad Nov 20, 2025
657feab
update wording
s-alad Nov 20, 2025
6a446b5
Update content/en/agent/configuration/secrets-management.md
s-alad Nov 21, 2025
7b41a49
Update content/en/agent/configuration/secrets-management.md
s-alad Nov 21, 2025
6f3b3a4
Update content/en/agent/configuration/secrets-management.md
s-alad Nov 21, 2025
8a1287f
update secret_refresh_on_api_key_failure_interval value
s-alad Nov 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions content/en/agent/configuration/secrets-management.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -650,6 +650,22 @@ To refresh manually, use:
datadog-agent secret refresh
```

### Automatic secrets refresh on API key failure / invalidation

Starting in Agent version v7.74, the Agent can automatically refresh secrets when it detects an invalid API key. This happens when the Agent receives a 403 Forbidden response from Datadog or when the periodic health check detects an invalid or expired API key.

To enable this feature, set `secret_refresh_on_api_key_failure_interval` to an interval in minutes in your `datadog.yaml` file. Set to `0` to disable (default).

This interval is the minimum amount of time between 2 refreshes to avoid spamming your secrets management solution when an invalid API key is detected.

```yaml
api_key: ENC[<secret_handle>]

secret_refresh_on_api_key_failure_interval: 10
```

This setting is compatible with `secret_refresh_interval`.

### Enabling DDOT collector refresh
If you are using [DDOT collector][6] and want to enable API/APP refresh you must add the following additional configuration to your `datadog.yaml` file:
```
Expand Down
Loading