Authentication Tokens

SignalFx API calls use token-based authentication. The token is a SignalFx-supplied string you specify in the X-SF-TOKEN REST request header parameter. SignalFx has two types of tokens:

Org tokens

Known as Access Tokens in the SignalFx web UI, org tokens are long-lived organization-level tokens. By default, org tokens persist for 5 years, but the administrator for your SignalFx org can disable them earlier. Org tokens are best used in emitters that send data points over long periods of time.

Session tokens

Known as User API Access Tokens in the SignalFx web UI, session tokens are short-lived user-level tokens. Session tokens automatically expire after 30 days, but you can immediately create a new one. You can create a session token on your profile page in the SignalFx web UI or by calling the POST method of the /session API endpoint.

Token requirements

The following endpoints require a specific token type:

Conversely, some endpoints can’t use specific token types:

All other endpoints can use either an org token or a session token.

Replace {REALM} with the appropriate realm for your organization. To learn more, see Endpoints and realms.

Obtaining tokens

Both the web UI and the API have ways to manage tokens.

Web UI

To get the org token for your organization, go to the Organization Overview in the SignalFx web UI and click the Access Tokens option. SignalFx administrators can also get a new token or manage organization tokens in this location.

To get a session token, go to your profile page to generate a User API Access Token, or use the https://api.{REALM} API endpoint.


The endpoint https://api.{REALM} manages session tokens. You don’t need a token to create a session token, but you do need to specify the email and password of an organization member:

  • To create a session token, use POST.

  • To delete a session token, use DELETE.
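
The following Python sketch is an added example, not SignalFx code. It builds (without sending) the credential POST to /session and a token-authenticated request carrying X-SF-TOKEN, and it tracks the 30-day session token lifetime. The host `https://api.example.invalid`, the JSON field names `email` and `password`, and all helper names are assumptions made for illustration.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

SESSION_TTL = timedelta(days=30)  # session token lifetime stated on this page

def _require_https(url):
    # Credentials and tokens must never travel over plaintext HTTP.
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send secrets to a non-HTTPS URL")

def session_request(base_url, email, password):
    """Build the POST that creates a session token; no X-SF-TOKEN is needed."""
    _require_https(base_url)
    # Field names are an assumption; the page only says email and password are required.
    body = json.dumps({"email": email, "password": password}).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/session", data=body, method="POST",
        headers={"Content-Type": "application/json"})

def authed_request(url, token, method="GET"):
    """Attach the token as the X-SF-TOKEN header, never as a query parameter."""
    _require_https(url)
    if not token or any(c.isspace() for c in token):
        raise ValueError("empty token or token containing whitespace")
    # urllib stores the key as 'X-sf-token'; HTTP header names are case-insensitive.
    return urllib.request.Request(url, method=method, headers={"X-SF-TOKEN": token})

def needs_renewal(created_at, now, margin=timedelta(days=2)):
    """True once a session token is within `margin` of its 30-day expiry."""
    return now >= created_at + SESSION_TTL - margin

def redact(token):
    """Log-safe form of a token: a short prefix for correlation, nothing more."""
    return token[:4] + "..." if len(token) > 8 else "***"

if __name__ == "__main__":
    base = "https://api.example.invalid"  # placeholder for the realm-specific host
    login = session_request(base, "user@example.invalid", "constructed-password")
    print(login.get_method(), login.full_url)
    token = "CONSTRUCTED_TOKEN_VALUE"     # constructed sample, not a real token
    call = authed_request(base + "/session", token, method="DELETE")
    print(call.get_method(), call.full_url, "token:", redact(token))
    created = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print("renew now?", needs_renewal(created, created + timedelta(days=29)))
```

Read the token from a secret store or environment variable rather than source code, and log only the redacted form.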

The endpoint https://api.{REALM} manages org tokens. To use this endpoint, you need an existing access token for an organization member that has administrative permissions. You can create, retrieve, update, and delete org tokens:

Org tokens have an authentication secret that you can update using the URI POST https://api.{REALM}{name}/rotate. This disables the previous secret and generates a new secret.

