topic Re: Workflow in Automations

Workflow - fetch Apigee proxy metadata in JSON format and persist the data into Grail

tmehta3 — Mon, 11 May 2026 12:08:44 GMT

Hi ,

We are working on a Dynatrace workflow to fetch Apigee proxy metadata in JSON format and persist the data into Grail after converting it via a JavaScript step into the BizEvents format. While setting this up, we have a few doubts and would appreciate clarity:

Since BizEvents ingestion requires write access to Grail, our infrastructure team is planning to create service accounts instead of granting direct access to each user. Will this approach work reliably, given that it requires generating tokens (PATs) which have expiry dates? Could this lead to ingestion failures if tokens expire?
If service accounts are used, will the same PAT be shared among all team members for persisting BizEvents into Grail, or should each member have their own PAT?
Currently, this setup is only for staging. When we move to production, how should we handle token management and rotation securely?
Is there any simpler or recommended alternative to this approach for interacting with Grail, especially for long‑running workflows?

We’d appreciate best practices or guidance from anyone who has implemented BizEvents ingestion with service accounts and PATs.

Thanks in advance!

Re: Workflow

tmehta3 — Mon, 11 May 2026 10:46:34 GMT

Hi @MaximilianoML can u provide some valuable inputs on these.

Re: Workflow

michiel_otten — Mon, 11 May 2026 11:09:31 GMT

Hi there,

As an answer to your question:

1. using PATs (Personal Access Tokens) for long-running workflows can become operationally difficult because PATs expire and require manual rotation. If a PAT expires and is not updated in time, the ingestion workflow will fail until the token is renewed.
2. If PATs are still used, they should ideally belong to a dedicated service account rather than an individual user account. In that case, the workflow/team would typically use the same PAT associated with that service identity, but this still introduces token lifecycle management overhead.
3. PAT's need to be renewed manually. You could also switch to normal tokens (not PAT). You could script the token renewal process.
4. Wouldn't it be more sufficient to use a service user here? If the service user has the right access rights (which you can scope via IAM), you could simple ingest BizEvents without generating extra tokens. The workflow would run under the service user as the "actor". You would remove the need for tokens in general. If for what reason you would need API tokens, you could created OAuth credentials for the service user.

Re: Workflow

MaximilianoML — Mon, 11 May 2026 13:38:56 GMT

Hi @tmehta3 and @michiel_otten!

I agree with what @michiel_otten said 😄