DataDog · api-clients-generation-pipeline · May 12, 2026
@@ -48659,6 +48659,16 @@ components:
           description: Name of the environment variable or secret that holds the username (used when `auth_strategy` is `plain`).
           example: HTTP_AUTH_USERNAME
           type: string
+        valid_tokens:
+          description: |-
+            A list of tokens that are accepted for authenticating incoming HTTP requests. When set,
+            the source rejects any request whose token does not match an enabled entry in this list.
+            Cannot be combined with the `plain` auth strategy.
+          items:
+            $ref: "#/components/schemas/ObservabilityPipelineHttpServerSourceValidToken"
+          maxItems: 1000
+          minItems: 1
+          type: array
       required:
         - id
         - type
@@ -48684,6 +48694,55 @@ components:
       type: string
       x-enum-varnames:
         - HTTP_SERVER
+    ObservabilityPipelineHttpServerSourceValidToken:
+      description: An accepted token used to authenticate incoming HTTP server requests.
+      properties:
+        enabled:
+          default: true
+          description: |-
+            Whether this token is currently accepted. Disabled tokens are rejected without
+            being removed from the configuration.
+          example: true
+          type: boolean
+        field_to_add:
+          $ref: "#/components/schemas/ObservabilityPipelineSourceValidTokenFieldToAdd"
+        path_to_token:
+          $ref: "#/components/schemas/ObservabilityPipelineHttpServerSourceValidTokenPathToToken"
+        token_key:
+          description: Name of the environment variable or secret that holds the expected token value.
+          example: HTTP_SERVER_TOKEN
+          pattern: "^[A-Za-z0-9_]+$"
+          type: string
+      required:
+        - token_key
+      type: object
+    ObservabilityPipelineHttpServerSourceValidTokenPathToToken:
+      description: |-
+        Specifies where the worker extracts the token from in the incoming HTTP request.
+        Either a built-in location (`path` or `address`) or an HTTP header object.
+      oneOf:
+        - $ref: "#/components/schemas/ObservabilityPipelineHttpServerSourceValidTokenPathToTokenLocation"
+        - $ref: "#/components/schemas/ObservabilityPipelineHttpServerSourceValidTokenPathToTokenHeader"
+    ObservabilityPipelineHttpServerSourceValidTokenPathToTokenHeader:
+      description: Extract the token from a specific HTTP request header.
+      properties:
+        header:
+          description: The name of the HTTP header that carries the token.
+          example: X-Token
+          type: string
+      required:
+        - header
+      type: object
+    ObservabilityPipelineHttpServerSourceValidTokenPathToTokenLocation:
+      description: Built-in token location on the incoming HTTP request.
+      enum:
+        - path
+        - address
+      example: path
+      type: string
+      x-enum-varnames:
+        - PATH
+        - ADDRESS
     ObservabilityPipelineKafkaDestination:
       description: |-
         The `kafka` destination sends logs to Apache Kafka topics.
@@ -50707,6 +50766,27 @@ components:
       type: string
       x-enum-varnames:
         - SOCKET
+    ObservabilityPipelineSourceValidTokenFieldToAdd:
+      description: |-
+        An optional metadata field that is attached to every event authenticated by the
+        associated token. Both `key` and `value` must match `^[A-Za-z0-9_]+$`.
+      properties:
+        key:
+          description: The metadata field name to add to incoming events.
+          example: token_name
+          maxLength: 256
+          pattern: "^[A-Za-z0-9_]+$"
+          type: string
+        value:
+          description: The metadata field value to add to incoming events.
+          example: my_token
+          maxLength: 1024
+          pattern: "^[A-Za-z0-9_]+$"
+          type: string
+      required:
+        - key
+        - value
+      type: object
     ObservabilityPipelineSpec:
       description: Input schema representing an observability pipeline configuration. Used in create and validate requests.
       properties:
@@ -50903,6 +50983,15 @@ components:
           $ref: "#/components/schemas/ObservabilityPipelineTls"
         type:
           $ref: "#/components/schemas/ObservabilityPipelineSplunkHecSourceType"
+        valid_tokens:
+          description: |-
+            A list of tokens that are accepted for authenticating incoming HEC requests. When set, the source
+            rejects any request whose HEC token does not match an enabled entry in this list.
+          items:
+            $ref: "#/components/schemas/ObservabilityPipelineSplunkHecSourceValidToken"
+          maxItems: 1000
+          minItems: 1
+          type: array
       required:
         - id
         - type
@@ -50917,6 +51006,26 @@ components:
       type: string
       x-enum-varnames:
         - SPLUNK_HEC
+    ObservabilityPipelineSplunkHecSourceValidToken:
+      description: An accepted HEC token used to authenticate incoming Splunk HEC requests.
+      properties:
+        enabled:
+          default: true
+          description: |-
+            Whether this token is currently accepted. Disabled tokens are rejected without
+            being removed from the configuration.
+          example: true
+          type: boolean
+        field_to_add:
+          $ref: "#/components/schemas/ObservabilityPipelineSourceValidTokenFieldToAdd"
+        token_key:
+          description: Name of the environment variable or secret that holds the expected HEC token value.
+          example: SPLUNK_HEC_TOKEN
+          pattern: "^[A-Za-z0-9_]+$"
+          type: string
+      required:
+        - token_key
+      type: object
     ObservabilityPipelineSplunkTcpSource:
       description: |-
         The `splunk_tcp` source receives logs from a Splunk Universal Forwarder over TCP.

@@ -21074,6 +21074,34 @@ datadog\_api\_client.v2.model.observability\_pipeline\_http\_server\_source\_typ
    :members:
    :show-inheritance:
 
+datadog\_api\_client.v2.model.observability\_pipeline\_http\_server\_source\_valid\_token module
+------------------------------------------------------------------------------------------------
+
+.. automodule:: datadog_api_client.v2.model.observability_pipeline_http_server_source_valid_token
+   :members:
+   :show-inheritance:
+
+datadog\_api\_client.v2.model.observability\_pipeline\_http\_server\_source\_valid\_token\_path\_to\_token module
+-----------------------------------------------------------------------------------------------------------------
+
+.. automodule:: datadog_api_client.v2.model.observability_pipeline_http_server_source_valid_token_path_to_token
+   :members:
+   :show-inheritance:
+
+datadog\_api\_client.v2.model.observability\_pipeline\_http\_server\_source\_valid\_token\_path\_to\_token\_header module
+-------------------------------------------------------------------------------------------------------------------------
+
+.. automodule:: datadog_api_client.v2.model.observability_pipeline_http_server_source_valid_token_path_to_token_header
+   :members:
+   :show-inheritance:
+
+datadog\_api\_client.v2.model.observability\_pipeline\_http\_server\_source\_valid\_token\_path\_to\_token\_location module
+---------------------------------------------------------------------------------------------------------------------------
+
+.. automodule:: datadog_api_client.v2.model.observability_pipeline_http_server_source_valid_token_path_to_token_location
+   :members:
+   :show-inheritance:
+
 datadog\_api\_client.v2.model.observability\_pipeline\_kafka\_destination module
 --------------------------------------------------------------------------------
 
@@ -21949,6 +21977,13 @@ datadog\_api\_client.v2.model.observability\_pipeline\_socket\_source\_type modu
    :members:
    :show-inheritance:
 
+datadog\_api\_client.v2.model.observability\_pipeline\_source\_valid\_token\_field\_to\_add module
+--------------------------------------------------------------------------------------------------
+
+.. automodule:: datadog_api_client.v2.model.observability_pipeline_source_valid_token_field_to_add
+   :members:
+   :show-inheritance:
+
 datadog\_api\_client.v2.model.observability\_pipeline\_spec module
 ------------------------------------------------------------------
 
@@ -22026,6 +22061,13 @@ datadog\_api\_client.v2.model.observability\_pipeline\_splunk\_hec\_source\_type
    :members:
    :show-inheritance:
 
+datadog\_api\_client.v2.model.observability\_pipeline\_splunk\_hec\_source\_valid\_token module
+-----------------------------------------------------------------------------------------------
+
+.. automodule:: datadog_api_client.v2.model.observability_pipeline_splunk_hec_source_valid_token
+   :members:
+   :show-inheritance:
+
 datadog\_api\_client.v2.model.observability\_pipeline\_splunk\_tcp\_source module
 ---------------------------------------------------------------------------------
 

@@ -73,6 +73,11 @@ def __init__(self, **kwargs):
         :param username_key: Name of the environment variable or secret that holds the username (used when `auth_strategy` is `basic`).
         :type username_key: str, optional
 
+        :param valid_tokens: A list of tokens that are accepted for authenticating incoming HTTP requests. When set,
+            the source rejects any request whose token does not match an enabled entry in this list.
+            Cannot be combined with the `plain` auth strategy.
+        :type valid_tokens: [ObservabilityPipelineHttpServerSourceValidToken], optional
+
         :param bootstrap_servers_key: Name of the environment variable or secret that holds the Kafka bootstrap servers list.
         :type bootstrap_servers_key: str, optional
 

@@ -3,7 +3,7 @@
 # Copyright 2019-Present Datadog, Inc.
 from __future__ import annotations
 
-from typing import Union, TYPE_CHECKING
+from typing import List, Union, TYPE_CHECKING
 
 from datadog_api_client.model_utils import (
     ModelNormal,
@@ -22,9 +22,19 @@
     from datadog_api_client.v2.model.observability_pipeline_http_server_source_type import (
         ObservabilityPipelineHttpServerSourceType,
     )
+    from datadog_api_client.v2.model.observability_pipeline_http_server_source_valid_token import (
+        ObservabilityPipelineHttpServerSourceValidToken,
+    )
 
 
 class ObservabilityPipelineHttpServerSource(ModelNormal):
+    validations = {
+        "valid_tokens": {
+            "max_items": 1000,
+            "min_items": 1,
+        },
+    }
+
     @cached_property
     def openapi_types(_):
         from datadog_api_client.v2.model.observability_pipeline_http_server_source_auth_strategy import (
@@ -35,6 +45,9 @@ def openapi_types(_):
         from datadog_api_client.v2.model.observability_pipeline_http_server_source_type import (
             ObservabilityPipelineHttpServerSourceType,
         )
+        from datadog_api_client.v2.model.observability_pipeline_http_server_source_valid_token import (
+            ObservabilityPipelineHttpServerSourceValidToken,
+        )
 
         return {
             "address_key": (str,),
@@ -46,6 +59,7 @@ def openapi_types(_):
             "tls": (ObservabilityPipelineTls,),
             "type": (ObservabilityPipelineHttpServerSourceType,),
             "username_key": (str,),
+            "valid_tokens": ([ObservabilityPipelineHttpServerSourceValidToken],),
         }
 
     attribute_map = {
@@ -58,6 +72,7 @@ def openapi_types(_):
         "tls": "tls",
         "type": "type",
         "username_key": "username_key",
+        "valid_tokens": "valid_tokens",
     }
 
     def __init__(
@@ -71,6 +86,7 @@ def __init__(
         password_key: Union[str, UnsetType] = unset,
         tls: Union[ObservabilityPipelineTls, UnsetType] = unset,
         username_key: Union[str, UnsetType] = unset,
+        valid_tokens: Union[List[ObservabilityPipelineHttpServerSourceValidToken], UnsetType] = unset,
         **kwargs,
     ):
         """
@@ -104,6 +120,11 @@ def __init__(
 
         :param username_key: Name of the environment variable or secret that holds the username (used when ``auth_strategy`` is ``plain`` ).
         :type username_key: str, optional
+
+        :param valid_tokens: A list of tokens that are accepted for authenticating incoming HTTP requests. When set,
+            the source rejects any request whose token does not match an enabled entry in this list.
+            Cannot be combined with the ``plain`` auth strategy.
+        :type valid_tokens: [ObservabilityPipelineHttpServerSourceValidToken], optional
         """
         if address_key is not unset:
             kwargs["address_key"] = address_key
@@ -115,6 +136,8 @@ def __init__(
             kwargs["tls"] = tls
         if username_key is not unset:
             kwargs["username_key"] = username_key
+        if valid_tokens is not unset:
+            kwargs["valid_tokens"] = valid_tokens
         super().__init__(kwargs)
 
         self_.auth_strategy = auth_strategy

@@ -0,0 +1,95 @@
+# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+# Copyright 2019-Present Datadog, Inc.
+from __future__ import annotations
+
+from typing import Union, TYPE_CHECKING
+
+from datadog_api_client.model_utils import (
+    ModelNormal,
+    cached_property,
+    unset,
+    UnsetType,
+)
+
+
+if TYPE_CHECKING:
+    from datadog_api_client.v2.model.observability_pipeline_source_valid_token_field_to_add import (
+        ObservabilityPipelineSourceValidTokenFieldToAdd,
+    )
+    from datadog_api_client.v2.model.observability_pipeline_http_server_source_valid_token_path_to_token import (
+        ObservabilityPipelineHttpServerSourceValidTokenPathToToken,
+    )
+    from datadog_api_client.v2.model.observability_pipeline_http_server_source_valid_token_path_to_token_header import (
+        ObservabilityPipelineHttpServerSourceValidTokenPathToTokenHeader,
+    )
+
+
+class ObservabilityPipelineHttpServerSourceValidToken(ModelNormal):
+    validations = {
+        "token_key": {},
+    }
+
+    @cached_property
+    def openapi_types(_):
+        from datadog_api_client.v2.model.observability_pipeline_source_valid_token_field_to_add import (
+            ObservabilityPipelineSourceValidTokenFieldToAdd,
+        )
+        from datadog_api_client.v2.model.observability_pipeline_http_server_source_valid_token_path_to_token import (
+            ObservabilityPipelineHttpServerSourceValidTokenPathToToken,
+        )
+
+        return {
+            "enabled": (bool,),
+            "field_to_add": (ObservabilityPipelineSourceValidTokenFieldToAdd,),
+            "path_to_token": (ObservabilityPipelineHttpServerSourceValidTokenPathToToken,),
+            "token_key": (str,),
+        }
+
+    attribute_map = {
+        "enabled": "enabled",
+        "field_to_add": "field_to_add",
+        "path_to_token": "path_to_token",
+        "token_key": "token_key",
+    }
+
+    def __init__(
+        self_,
+        token_key: str,
+        enabled: Union[bool, UnsetType] = unset,
+        field_to_add: Union[ObservabilityPipelineSourceValidTokenFieldToAdd, UnsetType] = unset,
+        path_to_token: Union[
+            ObservabilityPipelineHttpServerSourceValidTokenPathToToken,
+            str,
+            ObservabilityPipelineHttpServerSourceValidTokenPathToTokenHeader,
+            UnsetType,
+        ] = unset,
+        **kwargs,
+    ):
+        """
+        An accepted token used to authenticate incoming HTTP server requests.
+
+        :param enabled: Whether this token is currently accepted. Disabled tokens are rejected without
+            being removed from the configuration.
+        :type enabled: bool, optional
+
+        :param field_to_add: An optional metadata field that is attached to every event authenticated by the
+            associated token. Both ``key`` and ``value`` must match ``^[A-Za-z0-9_]+$``.
+        :type field_to_add: ObservabilityPipelineSourceValidTokenFieldToAdd, optional
+
+        :param path_to_token: Specifies where the worker extracts the token from in the incoming HTTP request.
+            Either a built-in location ( ``path`` or ``address`` ) or an HTTP header object.
+        :type path_to_token: ObservabilityPipelineHttpServerSourceValidTokenPathToToken, optional
+
+        :param token_key: Name of the environment variable or secret that holds the expected token value.
+        :type token_key: str
+        """
+        if enabled is not unset:
+            kwargs["enabled"] = enabled
+        if field_to_add is not unset:
+            kwargs["field_to_add"] = field_to_add
+        if path_to_token is not unset:
+            kwargs["path_to_token"] = path_to_token
+        super().__init__(kwargs)
+
+        self_.token_key = token_key