Skip to main content

Documentation Index

Fetch the complete documentation index at: https://onecli.sh/docs/llms.txt

Use this file to discover all available pages before exploring further.

Datadog is available on the Cloud plan only.

Overview

OneCLI connects AI agents to Datadog using an API key and application key. Agents can query metrics, list monitors, check incident status, and view dashboard data. The gateway injects both keys into requests to the Datadog API automatically. This is useful for on-call agents that need to investigate incidents, coding agents that check deployment metrics, or reporting agents that pull monitoring data.

How it works

OneCLI is two things in one: a credential vault and a request gateway. When an agent makes a request to Datadog, it flows through OneCLI’s gateway. At request time, two things happen:
  1. Secret injection: OneCLI injects the API key and application key into the outgoing request. The agent itself never sees the raw credentials.
  2. Request inspection: OneCLI evaluates the request against your rules before it leaves. If the request violates a policy (e.g., an agent tries to send a sensitive identifier to Datadog, or attempts a write operation you haven’t allowed), OneCLI blocks it. The request never reaches Datadog.
This means OneCLI protects more than just the API key. It controls what data the agent can read and write through the Datadog API.

Direct API, not MCP

The Datadog integration goes through the Datadog API directly, using Datadog’s agent skills. There is no MCP server in the middle. Your agent calls the Datadog API, and OneCLI’s gateway intercepts the request, applies your rules, injects the credentials, and forwards it. This gives you full visibility and control over every request.
For a deeper look at the gateway architecture, see How it works.

Prerequisites

Before connecting Datadog to OneCLI, you need three things from your Datadog account:
CredentialWhat it isWhere to find it
API KeyAuthenticates requests to the Datadog APIOrganization Settings > API Keys
Application KeyScopes access to specific Datadog featuresOrganization Settings > Application Keys
Datadog SiteThe regional site for your account (e.g., us1, us3, us5, eu, ap1)Check your browser URL bar; the subdomain before .datadoghq.com is your site

Getting your API key

  1. Log in to Datadog.
  2. Go to Organization Settings > API Keys (or navigate to https://app.datadoghq.com/organization-settings/api-keys).
  3. Click + New Key, give it a name like OneCLI, and click Create Key.
  4. Copy the key immediately. Datadog only shows it once.

Getting your application key

  1. In Datadog, go to Organization Settings > Application Keys (or navigate to https://app.datadoghq.com/organization-settings/application-keys).
  2. Click + New Key, name it OneCLI, and click Create Key.
  3. Copy the key immediately.
Create dedicated keys for OneCLI rather than reusing existing ones. This makes it easy to rotate or revoke access later without affecting other integrations.

Finding your Datadog site

Your Datadog site depends on the region you selected when you created your account. Check the URL you use to log in:
Login URLSite value
app.datadoghq.comus1
us3.datadoghq.comus3
us5.datadoghq.comus5
app.datadoghq.eueu
ap1.datadoghq.comap1

Setup

1

Go to Connections

Open the OneCLI dashboard and navigate to Connections > Datadog.
2

Enter your credentials

Click Connect Datadog. In the connection dialog, enter your Application Key, API Key, and Datadog Site, then click Connect Datadog.
OneCLI Datadog connection dialog requesting Application Key, API Key, and Datadog Site
3

Verify

After connecting, the Datadog connection will show as Connected in your dashboard. OneCLI stores your keys encrypted and injects them into agent requests through the gateway. Your keys are never exposed to the agent itself.

What agents can do

  • Query time-series metrics with custom queries and time ranges
  • List monitors and their current statuses (OK, Alert, Warn, No Data)
  • Get details for a specific monitor, including recent state changes
  • List active incidents and their severity, timeline, and postmortem status
  • Query dashboard widget data
  • Search and read log entries
  • List hosts and their tags
  • Query infrastructure metrics (CPU, memory, disk, network)
  • Check SLO (Service Level Objective) status and error budgets
  • Read and create events

Controlling access with rules

Use OneCLI’s rules engine to limit what agents can do with Datadog. For example, you can restrict agents to read-only access so they can query metrics and monitors but cannot modify alert configurations, or limit queries to specific time ranges. Rules are evaluated before credential injection, so a blocked request never reaches Datadog.