Mint a new Prometheus scrape token
POST /api/integrations/prometheus-tokens
Generates a new bearer scrape token for the Prometheus exposition
endpoint. The cleartext token value is returned EXACTLY ONCE, in
the response token field, and is never recoverable afterwards. The
database stores only the SHA-256 hex digest of the token.
Token format: dpiprom_<base64url-32-bytes>. The dpiprom_
prefix is intended for leak detection (GitHub secret scanning,
grep audits).
Admin role required (D-24). Only admins mint scrape tokens; the tokens themselves confer viewer-tier read access to the Prometheus endpoint and nothing else.
Audit event scrape_token_created is emitted on success.
Authorizations
Request Body required
Parameters for minting a new Prometheus scrape token.
object
Operator-facing label for the token (e.g. “Production Prometheus”).
Optional expiry. Omit the field (or send an empty zero-time) for no expiry. When set, the token is rejected after this instant (PrometheusScrapeAuth checks expires_at on every scrape).
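The token lifecycle described above (dpiprom_ format, hash-only storage, expiry check on each scrape, prefix-based leak scanning), shown as an added Go example that is not the project's own code. It assumes unpadded base64url (32 bytes encode to 43 characters) and that the SHA-256 covers the full prefixed string; all function names are hypothetical.

```go
// Added example, not the project's code; names and encoding details are assumptions.
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"regexp"
	"time"
)

// Assumption: unpadded base64url, so the random part is exactly 43 characters.
var tokenPattern = regexp.MustCompile(`dpiprom_[A-Za-z0-9_-]{43}`)

func hashToken(tok string) string {
	sum := sha256.Sum256([]byte(tok))
	return hex.EncodeToString(sum[:])
}

// mintToken returns the cleartext (shown to the caller once) and the hash to persist.
func mintToken() (cleartext, storedHash string, err error) {
	raw := make([]byte, 32)
	if _, err = rand.Read(raw); err != nil {
		return "", "", err
	}
	cleartext = "dpiprom_" + base64.RawURLEncoding.EncodeToString(raw)
	return cleartext, hashToken(cleartext), nil
}

// verifyToken treats a zero expiresAt as "no expiry" and rejects only after expiresAt.
func verifyToken(presented, storedHash string, expiresAt, now time.Time) bool {
	if presented == "" || tokenPattern.FindString(presented) != presented {
		return false // wrong prefix, wrong length, or trailing characters
	}
	if !expiresAt.IsZero() && now.After(expiresAt) {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(hashToken(presented)), []byte(storedHash)) == 1
}

// findLeakedTokens is the grep-style audit that the fixed prefix makes possible.
func findLeakedTokens(text string) []string { return tokenPattern.FindAllString(text, -1) }

func main() {
	tok, stored, _ := mintToken()
	fmt.Println("valid:", verifyToken(tok, stored, time.Time{}, time.Now()), "persist:", stored)
}
```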
Responses
Token created. The cleartext token value is returned ONCE.
Newly minted Prometheus scrape token. The token field carries the
cleartext value and is returned exactly once. Store it now — the
database keeps only the SHA-256 hash.
object
Token row id.
Operator-facing label.
Cleartext token value. Returned ONCE here, never again. Format
dpiprom_<base64url-32-bytes>. Use as the bearer in the
Authorization header against /api/metrics/prometheus.
Token creation timestamp.
Optional expiry. Field is omitted when the token has no expiry.
The request body or parameters failed validation.
Standardised error envelope per RFC 7807. Many existing endpoints still
return an older shape (e.g. {"error": "..."}). This schema documents the
target shape; legacy endpoints will be migrated in Phase 70. Per D-21 the
spec describes current behaviour without enforcing the migration here.
object
A URI reference that identifies the problem type.
A short human-readable summary of the problem.
The HTTP status code generated by the origin server.
A human-readable explanation specific to this occurrence.
A URI reference that identifies the specific occurrence.
Legacy error message field. Will be removed once handlers are migrated.
Legacy per-field error details. Will be removed once handlers are migrated.
object
Identifier assigned by the request-id middleware, used for tracing.
Authentication is required or the supplied token is invalid.
Standardised error envelope per RFC 7807. Many existing endpoints still
return an older shape (e.g. {"error": "..."}). This schema documents the
target shape; legacy endpoints will be migrated in Phase 70. Per D-21 the
spec describes current behaviour without enforcing the migration here.
object
A URI reference that identifies the problem type.
A short human-readable summary of the problem.
The HTTP status code generated by the origin server.
A human-readable explanation specific to this occurrence.
A URI reference that identifies the specific occurrence.
Legacy error message field. Will be removed once handlers are migrated.
Legacy per-field error details. Will be removed once handlers are migrated.
object
Identifier assigned by the request-id middleware, used for tracing.
Forbidden — admin role required.
Standardised error envelope per RFC 7807. Many existing endpoints still
return an older shape (e.g. {"error": "..."}). This schema documents the
target shape; legacy endpoints will be migrated in Phase 70. Per D-21 the
spec describes current behaviour without enforcing the migration here.
object
A URI reference that identifies the problem type.
A short human-readable summary of the problem.
The HTTP status code generated by the origin server.
A human-readable explanation specific to this occurrence.
A URI reference that identifies the specific occurrence.
Legacy error message field. Will be removed once handlers are migrated.
Legacy per-field error details. Will be removed once handlers are migrated.
object
Identifier assigned by the request-id middleware, used for tracing.
Internal server error
Standardised error envelope per RFC 7807. Many existing endpoints still
return an older shape (e.g. {"error": "..."}). This schema documents the
target shape; legacy endpoints will be migrated in Phase 70. Per D-21 the
spec describes current behaviour without enforcing the migration here.
object
A URI reference that identifies the problem type.
A short human-readable summary of the problem.
The HTTP status code generated by the origin server.
A human-readable explanation specific to this occurrence.
A URI reference that identifies the specific occurrence.
Legacy error message field. Will be removed once handlers are migrated.
Legacy per-field error details. Will be removed once handlers are migrated.
object
Identifier assigned by the request-id middleware, used for tracing.