DigitalOcean Workloads
The DigitalOcean Workloads integration allows your product to fetch, list, and monitor deployed workloads (Droplets, Kubernetes clusters, Apps, and Databases) from a user's DigitalOcean account.
This integration is especially useful for asset inventory, security posture assessment, and cloud resource visibility across compute and managed services running on DigitalOcean.
Credentials Needed
To connect to the DigitalOcean API, you need a Personal Access Token (PAT) or OAuth Token with read permissions.
Required credentials:
- DigitalOcean Personal Access Token (PAT)
Optional (for organization-level access):
- Organization UUID
A Personal Access Token gives API access to all resources under the authenticated account. Always generate it with read-only scope for safer integrations.
Permissions Needed / API Scopes
DigitalOcean uses token scopes to control what operations an API token can perform.
| Permission | Scope | Description |
|---|---|---|
| read | read | Allows reading all account resources (workloads, droplets, clusters, databases, etc.) |
| write | write | Allows creation or deletion of resources (avoid for security integrations) |
For workload discovery and monitoring, only the read scope is required.
Creating Users / Access Tokens
Step 1: Generate a Personal Access Token
- Log in to your DigitalOcean Dashboard: https://cloud.digitalocean.com/account/api/
- Under the API section, click Generate New Token.
- Give your token a descriptive name (e.g., WorkloadsIntegrationToken).
- Select Read scope only.
- Click Generate Token.
- Copy and securely store your Personal Access Token — it will only be shown once.
Test Connectivity
You can verify your credentials using curl or any HTTP client:
List Droplets
curl -X GET "https://api.digitalocean.com/v2/droplets" \
-H "Authorization: Bearer <DIGITALOCEAN_API_TOKEN>"
Example Response:
{
  "droplets": [
    {
      "id": 123456789,
      "name": "web-server-1",
      "memory": 2048,
      "vcpus": 2,
      "region": {"slug": "nyc3"},
      "status": "active",
      "networks": {
        "v4": [{"ip_address": "104.131.10.20", "type": "public"}]
      },
      "tags": ["production", "web"]
    }
  ]
}
You can also list other workload types:
List Kubernetes Clusters
curl -X GET "https://api.digitalocean.com/v2/kubernetes/clusters" \
-H "Authorization: Bearer <DIGITALOCEAN_API_TOKEN>"
List Databases
curl -X GET "https://api.digitalocean.com/v2/databases" \
-H "Authorization: Bearer <DIGITALOCEAN_API_TOKEN>"
List Apps (App Platform)
curl -X GET "https://api.digitalocean.com/v2/apps" \
-H "Authorization: Bearer <DIGITALOCEAN_API_TOKEN>"
If you receive valid JSON responses with workload details, your credentials are correctly configured.
Save the Results in the Platform and Create Connection
In your product's integration setup, securely store:
- DIGITALOCEAN_API_TOKEN
Label the connection as DigitalOcean Workloads Integration.
On successful connection, fetch and display workloads using the following API endpoints:
- /v2/droplets (Compute workloads)
- /v2/kubernetes/clusters (Container workloads)
- /v2/databases (Managed databases)
- /v2/apps (App platform workloads)
Periodically refresh workload data for continuous visibility.
Best Practices
- Use read-only tokens for workload discovery — avoid write permissions.
- Store tokens securely using your platform's encrypted secret manager.
- Rotate tokens every 90 days and revoke unused ones.
- Respect API rate limits (typically 5,000 requests/hour per token).
- Use pagination (?per_page=200&page=n) for large environments.
- Tag resources in DigitalOcean for better categorization and grouping in your platform.
- Collect associated metadata such as:
  - Droplet IDs, IPs, Region, Status, Tags
  - Kubernetes node counts and versions
  - App Platform build/instance types
  - Database engine, version, region
- Use the DigitalOcean Monitoring API for collecting performance metrics if needed.
- Integrate Cloud Firewall and Load Balancer APIs for enhanced security context.
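The pagination and metadata practices above can be combined into one collector. The following is an added example, not code from the original page or from DigitalOcean: it follows the `links.pages.next` URL in each response, refuses to send the token to any host other than the API, and reduces each Droplet to inventory fields. The helper names (`bearer_fetch`, `list_all`, `droplet_asset`) are hypothetical and the two-page sample is constructed.

```python
import json
import urllib.request

API = "https://api.digitalocean.com"

def bearer_fetch(token):
    """Live fetch(url): sends the read-only token as a Bearer header."""
    def fetch(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def list_all(fetch, path, key, per_page=200):
    """Collect every item under `key`, following links.pages.next until it is absent."""
    url, items = f"{API}{path}?per_page={per_page}&page=1", []
    while url:
        if not url.startswith(API + "/"):  # never forward the token off the API host
            raise ValueError(f"refusing to send token to {url!r}")
        body = fetch(url)
        items.extend(body.get(key, []))
        url = body.get("links", {}).get("pages", {}).get("next")
    return items

def droplet_asset(d):
    """Reduce a Droplet object to the inventory fields listed under Best Practices."""
    v4 = d.get("networks", {}).get("v4", [])
    return {"id": d["id"], "name": d["name"], "region": d["region"]["slug"],
            "status": d["status"], "tags": d.get("tags", []),
            "public_ips": [n["ip_address"] for n in v4 if n.get("type") == "public"]}

# Constructed two-page sample in the shape of the example response above.
def _droplet(i, ip, kind):
    return {"id": i, "name": f"web-server-{i}", "region": {"slug": "nyc3"}, "status": "active",
            "networks": {"v4": [{"ip_address": ip, "type": kind}]}, "tags": ["production"]}

PAGE1, PAGE2 = f"{API}/v2/droplets?per_page=1&page=1", f"{API}/v2/droplets?page=2&per_page=1"
SAMPLE = {
    PAGE1: {"droplets": [_droplet(1, "104.131.10.20", "public")], "links": {"pages": {"next": PAGE2}}},
    PAGE2: {"droplets": [_droplet(2, "10.0.0.5", "private")], "links": {}},
}

def demo():
    """Run the collector offline against SAMPLE instead of the live API."""
    return [droplet_asset(d) for d in list_all(SAMPLE.__getitem__, "/v2/droplets", "droplets", per_page=1)]

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

For live use, pass `bearer_fetch(token)` in place of `SAMPLE.__getitem__`, with the token read from your secret manager.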