Skip to main content
This guide walks through adding Datadog as a remote MCP server in TrueFoundry using the built-in Connect Official Remote MCP Servers catalogue, which comes pre-configured with Dynamic Client Registration (DCR) OAuth2. Datadog’s remote MCP server lets agents query logs, metrics, traces, monitors, dashboards, and incidents.
Datadog is region and site specific (US1, US3, US5, EU, AP1, AP2, and others). The MCP server URL and every OAuth2 endpoint must match your organization’s actual Datadog site. Mixing sites is the most common cause of a failed connection. See the region reference table below.

How TrueFoundry Manages the MCP Server

TrueFoundry’s MCP Gateway acts as a reverse proxy between your agents and Datadog’s remote MCP server. When you register it, TrueFoundry handles:
  • Authentication: Each user connects with their own Datadog account through OAuth2 with PKCE. Because Datadog supports Dynamic Client Registration, TrueFoundry registers the OAuth client automatically. No manually created OAuth app is required.
  • Tool-level access control: You can selectively enable or disable individual tools (for example, disable the write and destructive tools) per team from the TrueFoundry UI.
  • Audit trail: Every tool invocation is traced with the calling user, tool name, input payload, and latency. Traces export via OpenTelemetry to your observability stack.
  • Guardrails: TrueFoundry’s guardrail hooks apply at mcp_pre_tool (before a tool is invoked) and mcp_post_tool (after the tool returns), letting you enforce content policies on requests and responses in real time.

Prerequisites

  • A TrueFoundry account with permission to add MCP servers.
  • A Datadog account or org with MCP Access and MCP Write Access enabled (Organization Settings → Preferences). Government sites are not supported by Datadog’s hosted MCP server.
  • Your Datadog site (for example, us5.datadoghq.com, datadoghq.com, or datadoghq.eu).
  • The required Datadog permissions on your user: mcp_read, and mcp_write if you want write operations.

Register Datadog in TrueFoundry

1

Start adding a new MCP Server

Navigate to MCP Servers in the TrueFoundry sidebar and click Add new MCP Server. Select Connect Official Remote MCP Servers, which gives access to pre-vetted servers (GitHub, Sentry, Atlassian, Figma, Datadog, and more) with auth already templated.
Add new MCP Server picker with the Connect Official Remote MCP Servers option highlighted
2

Search for and select Datadog

In the catalogue search, type “data” (or “datadog”) to find the Datadog entry. Click the datadog card (“Query and investigate Datadog telemetry, metrics, and incidents”).
Official remote MCP catalogue search filtered to 'data' showing the datadog card alongside medidata, ramp-data, cdata-connect-ai, and the databricks entries
3

Fill in server details and set the region in the URL

TrueFoundry pre-fills the Name, Description, and URL fields for Datadog. The URL comes with a <region> placeholder that must be replaced with your actual Datadog site subdomain. Add yourself or your team under Collaborators with the MCP Server Manager role.
Add new MCP Server form showing Name datadog, the description, the URL field with a region placeholder, Collaborators, and the Auth Data toggle set to OAuth2
Replace <region> with your site prefix. Examples:
Datadog SiteURL to use
US1 (default)https://mcp.datadoghq.com/api/unstable/mcp-server/mcp?toolsets=all
US5https://mcp.us5.datadoghq.com/api/unstable/mcp-server/mcp?toolsets=all
EUhttps://mcp.datadoghq.eu/api/unstable/mcp-server/mcp?toolsets=all
4

Confirm OAuth2 / DCR auth details

Datadog’s MCP server supports Dynamic Client Registration, so TrueFoundry can auto-populate the OAuth2 endpoints. Click Refetch OAuth2 details if the fields are empty or you want to reset them. Leave Client ID and Client Secret blank, since DCR issues these automatically at connection time.
OAuth2 config panel showing the Dynamic Client Registration banner, Refetch OAuth2 details button, Grant Type Authorization Code, Authorization URL, Token URL, Registration URL, and Code Challenge Methods Supported set to S256
Region consistency: the MCP server url, authorization_url, token_url, and registration_url must all use the same Datadog site. Mixing the generic datadoghq.com (US1) host with a non-US1 org is the most common cause of a generic “Authentication failed” or server_error at the token-exchange step.
Reference YAML (US5 example):
auth_data:
  type: oauth2
  grant_type: authorization_code
  authorization_url: https://us5.datadoghq.com/oauth2/v1/authorize
  token_url: https://us5.datadoghq.com/oauth2/v1/token
  registration_url: https://us5.datadoghq.com/api/v2/oauth2/register
  jwt_source: access_token
  code_challenge_methods_supported:
    - S256
5

Allow-list the TrueFoundry redirect URL in Datadog

In your Datadog org, go to Organization Settings → Preferences and, under MCP OAuth Redirect URLs, add TrueFoundry’s OAuth callback URL so Datadog accepts the redirect after authorization.
Datadog Organization Settings showing MCP Access and MCP Write Access enabled and the MCP OAuth Redirect URLs section with the Add URL field
Also confirm at the top of this page that:
  • MCP Access is Enabled.
  • MCP Write Access is Enabled (if write tools are needed).
  • The Site shown top-right matches the region you used in the previous steps (for example, Site: us5.datadoghq.com).
6

Complete the OAuth authorization flow

Save the MCP Server in TrueFoundry, then open the server’s Tools tab and click Connect Now. You’ll be redirected to Datadog’s consent screen. Review the requested permissions and click Authorize as your Datadog user.
Datadog Authorize access screen listing the sensitive permissions the MCP client requests and the total permission count
7

Verify the available tools

Once authorized, you land back on the MCP Server detail page in TrueFoundry, showing the connected Datadog server with a Remote tag, Auth Type OAuth2, and its full tool list. Read-only tools are labelled accordingly, and write tools are marked Destructive. Each tool has a Try button so you can test it before wiring it into an agent.
Connected Datadog MCP server detail page showing OAuth2 auth and the Tools tab listing tools such as aggregate_events, aggregate_spans, analyze_datadog_logs, create_datadog_notebook, get_datadog_dashboard, and get_datadog_incident
At this point the Datadog MCP server is connected and its tools are available to any agent using this TrueFoundry gateway endpoint.

Region reference table

RegionSite domainMCP URL pattern
US1datadoghq.commcp.datadoghq.com
US3us3.datadoghq.commcp.us3.datadoghq.com
US5us5.datadoghq.commcp.us5.datadoghq.com
EUdatadoghq.eumcp.datadoghq.eu
AP1ap1.datadoghq.commcp.ap1.datadoghq.com
AP2ap2.datadoghq.commcp.ap2.datadoghq.com

Security Notes

Datadog MCP permissions do not grant resource access by themselves; they only unlock the MCP surface on top of the user’s existing Datadog role. Each user operates with their existing Datadog permissions. Keep MCP Write Access disabled for general access unless write tools are required.

References

Next Steps

MCP Gateway Overview

Learn how the TrueFoundry MCP Gateway centralizes access, auth, and observability for all your MCP servers.

MCP Gateway Getting Started

Add MCP servers and use them in the AI Gateway playground and IDEs.

Datadog MCP documentation

Reference for Datadog’s remote MCP server, toolsets, and permissions.

MCP Gateway Security

Configure authentication and guardrails on your MCP servers.