DataDog · anthony-dgx · May 26, 2025 · emubello · Jun 25, 2025 · jackakeller
@@ -16,6 +16,18 @@ API keys are unique to your organization. An [API key][1] is required by the Dat
 
 [Application keys][2], in conjunction with your organization's API key, give users access to Datadog's programmatic API. Application keys are associated with the user account that created them and by default have the permissions of the user who created them.
 
+### One-Time Read Mode
+
+One-Time Read (OTR) mode is a security feature that limits the visibility of application key secrets to creation time only. When enabled:
+
+- Application key secrets are only visible once, immediately after creation
+- The raw values cannot be retrieved later via the UI or API
+- You must securely store the key value when it is first displayed
+
+You can enable OTR mode in [Organization Settings][18].
+
+**Note**: For organizations created after [DATE TBD], OTR mode is enabled by default and cannot be disabled.
+
 ### Scopes 
 
 To better protect and secure your applications, you can specify authorization scopes for your application keys to define more granular permissions and minimize the access that applications have to your Datadog data. This gives you fine-grained access control over your applications and minimizes security vulnerabilities by limiting extraneous access. For example, an application that only reads dashboards does not need admin rights to manage users or delete any of your organization's data.
@@ -142,3 +154,4 @@ Need help? Contact [Datadog support][16].
 [15]: /api/latest/service-accounts/
 [16]: /help/
 [17]: /account_management/org_settings/service_accounts/
+[18]: https://app.datadoghq.com/organization-settings/
@@ -60,6 +60,19 @@ This section allows you to view, copy, and revoke any API key in the list. Your
 
 You can filter application keys by name, ID, or owner, or click the **Only My Keys** toggle to only view application keys you own. Read the [Application keys documentation][8] for more information on adding and removing keys.
 
+#### One-Time Read Mode
+
+If you have the `org_management` permission, you can enable One-Time Read (OTR) mode in Organization > Application Keys settings. When enabled:
+
+- All application key secrets in your organization become one-time read only
+- Key secrets are only visible immediately after creation
+- v1 Application Key APIs become unavailable
+
+**Note**: 
+- For organizations created after [DATE TBD], OTR mode is enabled by default and cannot be disabled
+- For existing organizations, once enabled, you have 3 months to disable the feature if needed. Each enablement starts a new 3-month period. After this period expires, OTR mode becomes permanent
+- Contact [Datadog Support][16] for early enforcement
+
 ### Roles
 
 To learn about default and custom roles in Datadog, read the [Role Based Access Control documentation][9].