What is the difference between a Sentry DSN and an API Token?

A DSN (Data Source Name) is primarily for Sentry SDKs to send application events (errors, performance data) to a specific Sentry project. An API Token (API Key) is for programmatic access to the Sentry REST API for tasks like managing projects, issues, or releases.

Where can I find my Sentry DSN?

You can find your Sentry DSN by logging into Sentry, navigating to your project settings, and then going to 'Client Keys (DSN)'. It will be listed there for your specific project.

How do I secure my Sentry API Tokens?

Secure API Tokens by never hardcoding them in source code. Store them in environment variables, secret management services, or secure configuration files. Grant only the minimum necessary permissions (scopes) and rotate them regularly.

Can I use the same DSN for multiple projects?

No, each Sentry DSN is unique to a single project. To send events to different Sentry projects, you must use the DSN specifically generated for each respective project.

What are scopes for Sentry API Keys?

Scopes define the specific permissions an API Key has within Sentry, such as 'event:read' to read events or 'project:write' to modify project settings. You should always select the most restrictive scopes necessary for the token's function.

Is Sentry's DSN safe to expose in client-side applications?

The public key portion of a DSN is designed to be exposed client-side, as it's necessary for SDKs to send event data. However, treat the entire DSN including the secret section as sensitive and ensure all event transmission occurs over HTTPS, which Sentry SDKs do by default.

How do I revoke a Sentry API Token?

You can revoke a Sentry API Token by logging into Sentry, going to 'Settings > Organization Settings > API Keys', finding the token, and selecting the option to revoke or delete it. This is important if a token is compromised.

Sentry Authentication: Methods, Setup & Security (2026)

Sentry authentication offers secure methods for connecting applications and services to its platform for error and performance monitoring. This process typically involves configuring a Data Source Name (DSN) in an application's SDK or using API tokens for direct interaction with the Sentry API. Proper authentication ensures data integrity and secure communication of event data.

Authentication overview

Sentry implements distinct authentication mechanisms tailored for different interaction points:

Data Source Name (DSN): Primarily used by Sentry's SDKs to enable applications to send event data (errors, performance, session replays) to the correct Sentry project. A DSN contains a public key and secret key, along with project-specific endpoint information.
API Tokens (API Keys): Utilized for programmatic access to the Sentry Web API. These tokens grant specific permissions, allowing external applications or scripts to read, write, or modify Sentry data, such as managing projects, issues, or users.
Auth Tokens (User Auth Tokens): Employed for user authentication against the Sentry user interface and for command-line tools like sentry-cli. These tokens are tied to a specific user account and inherit that user's permissions.

Each method is designed to provide secure and scoped access, ensuring that events are ingested correctly and API interactions are authorized according to the principle of least privilege. Understanding the appropriate use case for each token type is fundamental to securely integrating with Sentry.

Supported authentication methods

Sentry supports several authentication methods to accommodate various integration needs, from client-side error reporting to server-side API automation. The choice of method depends on the context of the interaction and the level of access required.

Method	When to Use	Security Level / Best Practice
Data Source Name (DSN)	Client-side SDKs to send event data (errors, transactions, sessions) from an application to a Sentry project.	High. DSNs include a public key for client-side use and a secret key for server-side use (though typically only the public key is exposed client-side). Events are secured via HTTPS. The DSN itself does not grant API access beyond event ingestion.
API Tokens (API Keys)	Programmatic interaction with the Sentry REST API for tasks like fetching issues, creating releases, or managing projects from backend services or scripts.	High. These are bearer tokens. Scope permissions to the minimum required. Store securely (e.g., environment variables, secret managers). Rotate regularly. Never expose client-side.
Auth Tokens (User Auth Tokens)	Authenticating a user with the Sentry UI or `sentry-cli` for administrative tasks, script execution, or custom integrations that require full user permissions.	High. Tied to a user account. Inherits user permissions. Use with caution; limit scope if possible. Store securely and revoke if compromised. Consider OAuth 2.0 for third-party applications needing user authorization.
Organization Auth Tokens	Similar to API tokens but scoped at the organization level, offering broader permissions across all projects within an organization.	Very High. Grants significant access. Use only when necessary for organization-wide automation. Apply strict scope limitations. Store with utmost security.
SAML / SSO	Enterprise environments requiring centralized identity management and single sign-on capabilities for Sentry users.	Very High. Leverages existing identity providers (IdP) for user authentication, reducing credential sprawl and enforcing corporate security policies.

Getting your credentials

Acquiring the necessary Sentry credentials depends on the type of access required:

Data Source Name (DSN)

Log in to your Sentry account.
Navigate to the specific project for which you need the DSN.
Go to Settings > Projects > [Your Project Name] > Client Keys (DSN).
You will find the DSN listed, typically including a public key and secret key. For client-side SDKs, you generally only need the public portion or the full DSN if the SDK handles parsing.
Refer to the Sentry documentation for your specific platform on how to configure the DSN in your application's SDK.

API Tokens (API Keys)

Log in to your Sentry account.
Navigate to Settings > Organization Settings > API Keys.
Click Create New API Key.
Define the required scopes (permissions) for the token. For example, for reading issues, select event:read and project:read. Granting minimal permissions is a critical security practice.
Provide a descriptive name for the API key to identify its purpose.
Click Create Key. The token will be displayed once. Copy it immediately, as it will not be shown again.

Auth Tokens (User Auth Tokens)

Log in to your Sentry account.
Click on your user avatar in the top right corner and select API Keys.
Click Create New Token.
Select the scopes that reflect the actions this token needs to perform on your behalf. For example, to use sentry-cli for release management, you might need project:write, org:read, and release:write.
Provide a name for the token.
Click Create Token. Copy the token immediately, as it will not be retrievable later.

For SAML/SSO configurations, administrators will typically configure the integration within the Sentry Organization Settings, linking Sentry to an existing Identity Provider (IdP) for user authentication.

Authenticated request example

The method for making an authenticated request depends on the credential type being used.

DSN-based SDK event ingestion

When using a Sentry SDK, you typically initialize the SDK with your DSN. The SDK then handles the secure transmission and authentication of events to Sentry. Here's a Python example:


import sentry_sdk

sentry_sdk.init(
    dsn="YOUR_SENTRY_DSN_HERE",
    traces_sample_rate=1.0,
)

def divide_by_zero():
    1 / 0

try:
    divide_by_zero()
except ZeroDivisionError:
    sentry_sdk.capture_exception()

print("Exception sent to Sentry (check your project dashboard).")

In this example, YOUR_SENTRY_DSN_HERE is replaced with the DSN obtained from your Sentry project settings. The Sentry SDK automatically includes the necessary authentication details for event ingestion.

API Token-based Web API request

For direct interaction with the Sentry REST API, API tokens are used as Bearer tokens in the Authorization header. This example fetches organization details using curl:


curl -X GET \
  -H "Authorization: Bearer YOUR_API_TOKEN_HERE" \
  "https://sentry.io/api/0/organizations/YOUR_ORGANIZATION_SLUG/"

Replace YOUR_API_TOKEN_HERE with your generated API token and YOUR_ORGANIZATION_SLUG with your Sentry organization's URL slug (e.g., my-company). This request retrieves information about the specified organization, provided the API token has the necessary org:read scope.

Security best practices

Securing your Sentry integration is critical to protect sensitive application data and maintain the integrity of your monitoring processes:

Least Privilege Principle: Always grant the minimum necessary permissions (scopes) to API tokens and Auth Tokens. For instance, if a token only needs to create releases, do not grant it permission to delete projects. This limits the potential impact of a compromised token.
Secure Storage: Never hardcode API tokens or Auth Tokens directly into your source code. Instead, use environment variables, secret management services (e.g., AWS Secrets Manager, Google Secret Manager), or secure configuration files. For client-side applications, ensure DSNs are not easily discoverable or manipulated, though the public key portion is designed to be exposed.
Regular Rotation: Implement a policy for regularly rotating all types of tokens. This reduces the window of opportunity for attackers if a token is inadvertently exposed.
Monitor Usage: Periodically review the activity associated with your API keys and User Auth Tokens within Sentry's audit logs. Unusual patterns or high volumes of requests from unexpected locations can indicate a compromise.
DSN Security: While DSNs include a public key for client-side SDKs, treat the entire DSN as sensitive. Ensure that Sentry SDKs are configured to transmit data over HTTPS, which is the default for all official Sentry SDKs, encrypting event data in transit.
Environment-Specific Credentials: Use separate DSNs and API tokens for different environments (development, staging, production). This prevents data from development environments polluting production monitoring and limits the blast radius if credentials for a non-production environment are compromised.
Access Control: For user accounts, enforce strong password policies and enable two-factor authentication (2FA) for all Sentry users. This adds an additional layer of security to user-based access.
Auditing and Logging: Sentry provides comprehensive audit logs. Regularly review these logs to track who performed what actions, especially for administrative changes or token creation/deletion.
Service Account Use: When integrating Sentry with automated systems, consider using dedicated service accounts with tightly scoped permissions rather than personal user accounts and their associated Auth Tokens. This provides better traceability and control.

Adhering to these best practices significantly enhances the security posture of your Sentry integrations and protects your monitoring data.

Sentry Authentication: Methods, Setup & Security (2026)

Authentication overview

Supported authentication methods

Getting your credentials

Data Source Name (DSN)

API Tokens (API Keys)

Auth Tokens (User Auth Tokens)

Authenticated request example

DSN-based SDK event ingestion

API Token-based Web API request

Security best practices

Frequently asked questions

Reviews

Discussion

Written by