Resources/The Agent API Atlas/Developer/DigitalOcean

Everything an AI agent can do with the DigitalOcean API.

A reference guide for building AI agents: every method, how to authenticate, and the permissions each one needs.

Endpoints48

API versionv2

Last updated23 June 2026

Orientation

How the DigitalOcean API works.

The DigitalOcean API is how an app or AI agent works with a DigitalOcean account: listing and creating Droplets, rebooting or resizing a server, spinning up Kubernetes clusters and databases, and editing domains and DNS records. Access is granted through a token whose scopes decide what each call can do, each a resource and action pair like reading Droplets or creating a firewall, and an agent is limited to exactly the scopes its token carries. There is one continuously updated version, and long-running work runs as actions an agent polls until they finish.

48Endpoints

13Capability groups

23Read

25Write

35Permissions

Authentication

Every call needs a token sent as 'Authorization: Bearer ' over HTTPS. A token is either a personal access token, carrying the dop_v1_ prefix, or an OAuth 2.0 token obtained on behalf of a user, carrying the doo_v1_ prefix. There is no unauthenticated access to the API.

Permissions

A personal access token carries scopes, each a resource:action pair such as droplet:read, droplet:create, kubernetes:delete, or domain:update. Custom scopes grant only the chosen permissions for least-privilege access, while the alias scopes api:read (Read Only) and api:write (Full Access) cover all reads or everything and expand to new endpoints automatically. Scopes cannot be edited after a token is created, so a new token is needed to change them. Some Droplet actions need a second scope, such as image:create to take a snapshot.

Versioning

The API is served at the v2 path as a single, continuously updated version. There is no dated version header to pin, unlike some APIs, so an integration tracks the release notes for changes rather than opting into a version. The v2 API left beta in 2015, replacing the retired v1.

Data model

The API is resource-oriented JSON over HTTPS at https://api.digitalocean.com/v2. Resources include Droplets, Kubernetes clusters, managed databases, domains and their DNS records, load balancers, volumes, snapshots, firewalls, App Platform apps, projects, Spaces keys, and the account. Long-running work, such as rebooting or resizing a Droplet, runs as an asynchronous action whose status is polled on the actions endpoint.

Connect & authenticate

Connection & authentication methods.

How an app or AI agent connects to DigitalOcean determines what it can reach. There is a route for making calls and a hosted server that exposes DigitalOcean tools to agents, and each is governed by the token behind it and the scopes that token carries.

Ways to connect

REST API

The REST API answers at https://api.digitalocean.com/v2. It is a single, continuously updated version, with no dated version header to pin.

Best forConnecting an app or AI agent to DigitalOcean.

Governed byThe token and the scopes it carries.

Docs ↗

MCP server (Model Context Protocol)

DigitalOcean's official MCP server lets an agent call DigitalOcean through the Model Context Protocol. Remote endpoints are per service under mcp.digitalocean.com, such as https://droplets.mcp.digitalocean.com/mcp, and authenticate with a DigitalOcean API token. A local server is published as the npm package @digitalocean/mcp, with source at github.com/digitalocean-labs/mcp-digitalocean.

Best forConnecting an app or AI agent to DigitalOcean.

Governed byThe token and the scopes it carries.

Docs ↗

Authentication

Personal access token with custom scopes

A personal access token with custom scopes grants only the chosen permissions, each a resource:action pair such as droplet:read or droplet:create. It is the least-privilege choice, and the scopes cannot be changed after the token is created.

TokenPersonal access token (dop_v1_ prefix)

Best forLeast-privilege access to specific resources and actions

Docs ↗

Personal access token, Read Only or Full Access

A personal access token created as Read Only carries the api:read alias scope, and one created as Full Access carries api:write. These alias scopes expand to cover new endpoints automatically, so they grant more than a fixed list of custom scopes.

TokenPersonal access token (dop_v1_ prefix)

Best forQuick setup where fine-grained scoping is not needed

Docs ↗

OAuth 2.0 application

An OAuth 2.0 app obtains a token on behalf of a DigitalOcean user through the standard authorization flow, suited to a product that connects to many users' accounts. Tokens carry the doo_v1_ prefix and refresh tokens the dor_v1_ prefix.

TokenOAuth user token (doo_v1_ prefix)

Best forProducts that connect to many users' DigitalOcean accounts

3 endpoints

List Spaces access keys, create a key, and delete a key.

A Spaces access key is an S3-compatible credential to object storage; creating one mints new storage credentials.

View endpoints →

Account

1 endpoint

Read the account behind the token, including its email, status, and resource limits.

Reads here return the account holder's email and limits.

View endpoints →

Endpoint reference

Every DigitalOcean API method.

Filter by method, access, or permission, or search any path. Select a row for version detail, rate limits, the related webhook event, and the source.

Hide deprecated

Method	Endpoint	What it does	Access	Permission	Version
Droplets List Droplets, read a single Droplet, create a Droplet, delete a Droplet, and read its backups and snapshots.5
GET	`/v2/droplets`	List the Droplets on the account.	read	`droplet:read`	Current
The alias scope api:read (Read Only) also covers this. A legacy read token works too. Acts ondroplet Permission (capability)`droplet:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/droplets/{droplet_id}`	Retrieve a single Droplet by its ID.	read	`droplet:read`	Current
The alias scope api:read also covers this. Acts ondroplet Permission (capability)`droplet:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/droplets`	Create one or more new Droplets.	write	`droplet:create`	Current
Creating a Droplet starts hourly billing. The alias scope api:write (Full Access) also covers this. Acts ondroplet Permission (capability)`droplet:create` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/v2/droplets/{droplet_id}`	Delete a Droplet, destroying the server.	write	`droplet:delete`	Current
Deleting by tag with DELETE /v2/droplets?tag_name=value also needs tag:read. Acts ondroplet Permission (capability)`droplet:delete` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/droplets/{droplet_id}/snapshots`	List the snapshots taken of a Droplet.	read	`droplet:read`	Current
Backups, kernels, and firewalls for a Droplet read with the same droplet:read scope. Acts ondroplet Permission (capability)`droplet:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Droplet actions List the actions taken on a Droplet, read a single action, and initiate an action such as reboot, power off, power on, or snapshot.3
GET	`/v2/droplets/{droplet_id}/actions`	List the actions taken on a Droplet.	read	`droplet:read`	Current
The alias scope api:read also covers this. Acts ondroplet action Permission (capability)`droplet:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/droplets/{droplet_id}/actions/{action_id}`	Retrieve a single Droplet action to check its status.	read	`droplet:read`	Current
An action runs asynchronously, so its status is polled here until it completes. Acts ondroplet action Permission (capability)`droplet:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/droplets/{droplet_id}/actions`	Initiate an action on a Droplet, such as reboot, power off, power on, or snapshot.	write	`droplet:update`	Current
Most actions need droplet:update. Some need a second scope: snapshot also needs image:create, resize also needs droplet:create, and restore, rebuild, and password_reset also need droplet:admin. Acts ondroplet action Permission (capability)`droplet:update` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Kubernetes clusters List Kubernetes clusters, read a single cluster, create a cluster, and delete a cluster.4
GET	`/v2/kubernetes/clusters`	List the Kubernetes clusters on the account.	read	`kubernetes:read`	Current
Fetching a cluster's kubeconfig uses kubernetes:access_cluster, which returns a credential with read-only Kubernetes access. Acts onkubernetes cluster Permission (capability)`kubernetes:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/kubernetes/clusters/{cluster_id}`	Retrieve a single Kubernetes cluster by its ID.	read	`kubernetes:read`	Current
The alias scope api:read also covers this. Acts onkubernetes cluster Permission (capability)`kubernetes:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/kubernetes/clusters`	Create a new Kubernetes cluster.	write	`kubernetes:create`	Current
Creating a cluster starts billing on the node pools. Acts onkubernetes cluster Permission (capability)`kubernetes:create` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/v2/kubernetes/clusters/{cluster_id}`	Delete a Kubernetes cluster.	write	`kubernetes:delete`	Current
Deleting a cluster destroys its nodes and the workloads running on them. Acts onkubernetes cluster Permission (capability)`kubernetes:delete` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Databases List managed database clusters, read a single cluster, and create a cluster.3
GET	`/v2/databases`	List the managed database clusters on the account.	read	`database:read`	Current
Reading a cluster's connection credentials uses the separate database:view_credentials scope. Acts ondatabase cluster Permission (capability)`database:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/databases/{database_cluster_id}`	Retrieve a single managed database cluster by its ID.	read	`database:read`	Current
The alias scope api:read also covers this. Acts ondatabase cluster Permission (capability)`database:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/databases`	Create a new managed database cluster.	write	`database:create`	Current
Creating a cluster starts billing on the chosen engine, size, and node count. Acts ondatabase cluster Permission (capability)`database:create` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Domains & DNS List and read domains, create and delete a domain, and list, create, update, and delete the DNS records inside a domain.7
GET	`/v2/domains`	List the domains managed on the account.	read	`domain:read`	Current
The alias scope api:read also covers this. Acts ondomain Permission (capability)`domain:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/domains`	Add a new domain to the account for DigitalOcean to manage DNS.	write	`domain:create`	Current
Passing an ip_address creates an A record for the domain automatically. Acts ondomain Permission (capability)`domain:create` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/v2/domains/{domain_name}`	Remove a domain and its DNS records from the account.	write	`domain:delete`	Current
Removing a domain drops every DNS record under it. Acts ondomain Permission (capability)`domain:delete` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/domains/{domain_name}/records`	List the DNS records in a domain.	read	`domain:read`	Current
The alias scope api:read also covers this. Acts ondns record Permission (capability)`domain:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/domains/{domain_name}/records`	Create a DNS record in a domain, such as an A, CNAME, MX, or TXT record.	write	`domain:create`	Current
Adding or changing records steers where the domain's traffic goes. Acts ondns record Permission (capability)`domain:create` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/v2/domains/{domain_name}/records/{domain_record_id}`	Update an existing DNS record in a domain.	write	`domain:update`	Current
PATCH on the same path also updates a record and uses domain:update. Acts ondns record Permission (capability)`domain:update` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/v2/domains/{domain_name}/records/{domain_record_id}`	Delete a DNS record from a domain.	write	`domain:delete`	Current
Deleting a record can take part of the domain's traffic offline. Acts ondns record Permission (capability)`domain:delete` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Load balancers List load balancers, read a single load balancer, create one, and delete one.4
GET	`/v2/load_balancers`	List the load balancers on the account.	read	`load_balancer:read`	Current
The alias scope api:read also covers this. Acts onload balancer Permission (capability)`load_balancer:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/load_balancers/{lb_id}`	Retrieve a single load balancer by its ID.	read	`load_balancer:read`	Current
The alias scope api:read also covers this. Acts onload balancer Permission (capability)`load_balancer:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/load_balancers`	Create a new load balancer.	write	`load_balancer:create`	Current
Creating a load balancer starts billing and routes traffic to the chosen Droplets. Acts onload balancer Permission (capability)`load_balancer:create` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/v2/load_balancers/{lb_id}`	Delete a load balancer.	write	`load_balancer:delete`	Current
Deleting a load balancer drops the traffic routing it provided. Acts onload balancer Permission (capability)`load_balancer:delete` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Volumes List block storage volumes, read a single volume, create a volume, and delete a volume.3
GET	`/v2/volumes`	List the block storage volumes on the account.	read	`block_storage:read`	Current
The alias scope api:read also covers this. Acts onvolume Permission (capability)`block_storage:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/volumes`	Create a new block storage volume.	write	`block_storage:create`	Current
A volume can be 1 GiB to 16 TiB and starts billing once created. Acts onvolume Permission (capability)`block_storage:create` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/v2/volumes/{volume_id}`	Delete a block storage volume.	write	`block_storage:delete`	Current
Deleting a volume destroys the data on it. Deleting by name uses DELETE /v2/volumes?name=NAME®ion=REGION. Acts onvolume Permission (capability)`block_storage:delete` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Snapshots List saved snapshots of Droplets and volumes, read a single snapshot, and delete a snapshot.3
GET	`/v2/snapshots`	List the saved snapshots of Droplets and volumes on the account.	read	`snapshot:read`	Current
The resource_type query parameter filters to droplet or volume snapshots. Acts onsnapshot Permission (capability)`snapshot:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/snapshots/{snapshot_id}`	Retrieve a single snapshot by its ID.	read	`snapshot:read`	Current
The alias scope api:read also covers this. Acts onsnapshot Permission (capability)`snapshot:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/v2/snapshots/{snapshot_id}`	Delete a snapshot.	write	`snapshot:delete`	Current
Deleting a snapshot removes a saved restore point. Acts onsnapshot Permission (capability)`snapshot:delete` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Firewalls List cloud firewalls, read a single firewall, create a firewall, and delete one.4
GET	`/v2/firewalls`	List the cloud firewalls on the account.	read	`firewall:read`	Current
The alias scope api:read also covers this. Acts onfirewall Permission (capability)`firewall:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/firewalls`	Create a cloud firewall with inbound and outbound access rules.	write	`firewall:create`	Current
The request must contain at least one inbound or outbound rule. Acts onfirewall Permission (capability)`firewall:create` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/v2/firewalls/{firewall_id}`	Update a cloud firewall by sending its complete representation.	write	`firewall:update`	Current
Any attribute left out of the request resets to its default, so the full firewall must be sent. Changing rules changes which traffic reaches the Droplets behind it. Acts onfirewall Permission (capability)`firewall:update` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/v2/firewalls/{firewall_id}`	Delete a cloud firewall.	write	`firewall:delete`	Current
Deleting a firewall removes the traffic rules protecting its Droplets. Acts onfirewall Permission (capability)`firewall:delete` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Apps (App Platform) List apps, read a single app, create an app, create a deployment, and delete an app.5
GET	`/v2/apps`	List the apps on the account running on App Platform.	read	`app:read`	Current
The alias scope api:read also covers this. Acts onapp Permission (capability)`app:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/apps/{id}`	Retrieve a single App Platform app by its ID.	read	`app:read`	Current
Reading an app's live logs uses the same app:read scope. Acts onapp Permission (capability)`app:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/apps`	Create a new App Platform app from a spec.	write	`app:create`	Current
Creating an app builds and runs code, and starts billing on its components. Acts onapp Permission (capability)`app:create` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/apps/{id}/deployments`	Start a new deployment of an app, shipping the latest build to production.	write	`app:update`	Current
A deployment rolls new code live for the app. Acts onapp Permission (capability)`app:update` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/v2/apps/{id}`	Delete an App Platform app.	write	`app:delete`	Current
Deleting an app takes its running services offline. Acts onapp Permission (capability)`app:delete` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Projects List projects, read a single project, and create a project.3
GET	`/v2/projects`	List the projects on the account.	read	`project:read`	Current
The alias scope api:read also covers this. Acts onproject Permission (capability)`project:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/projects/{project_id}`	Retrieve a single project by its ID.	read	`project:read`	Current
The alias scope api:read also covers this. Acts onproject Permission (capability)`project:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/projects`	Create a new project to group resources on the account.	write	`project:create`	Current
A project organizes resources but does not itself start billing. Acts onproject Permission (capability)`project:create` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Spaces keys List Spaces access keys, create a key, and delete a key.3
GET	`/v2/spaces/keys`	List the Spaces access keys on the account.	read	`spaces_key:read`	Current
A Spaces access key is an S3-compatible credential for object storage. The secret is shown only once, at creation. Acts onspaces key Permission (capability)`spaces_key:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/spaces/keys`	Create a new Spaces access key for S3-compatible object storage.	write	`spaces_key:create`	Current
A key can be read, readwrite, or fullaccess on a bucket, and fullaccess cannot be mixed with scoped permissions. Acts onspaces key Permission (capability)`spaces_key:create` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/v2/spaces/keys/{access_key}`	Delete a Spaces access key.	write	`spaces_key:delete`	Current
Deleting a key revokes the object storage credential it represents. Acts onspaces key Permission (capability)`spaces_key:delete` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Account Read the account behind the token, including its email, status, and resource limits.1
GET	`/v2/account`	Retrieve the account behind the token, including email, status, and resource limits.	read	`account:read`	Current
Returns the account holder's email, verification state, Droplet and floating IP limits, and team details. The alias scope api:read also covers this. Acts onaccount Permission (capability)`account:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗

No endpoints match those filters.

Webhooks

Webhook events.

DigitalOcean does not push general resource events to a webhook URL the way some APIs do. An agent that needs current state polls the relevant endpoint, and the Monitoring and Uptime products can send alerts on their own channels.

Event	What it signals	Triggered by

No events match that search.

Rate limits & pagination

Rate limits, pagination & request size.

DigitalOcean limits how fast an app or AI agent can call, through an hourly request quota and a per-minute burst quota counted against each token.

Request rate

DigitalOcean limits each OAuth or personal access token to 5,000 requests per hour and 250 requests per minute as a burst ceiling. Every response carries the headers ratelimit-limit, ratelimit-remaining, and ratelimit-reset, where ratelimit-reset is a Unix timestamp for when the oldest request expires. Going over returns HTTP 429, and a burst-limit hit also carries a Retry-After header giving the seconds to wait. Some product areas, such as Functions, document their own additional limits.

Pagination

List endpoints page through the page and per_page query parameters, where per_page defaults to 20 and tops out at 200. Each response includes a links object whose pages.next holds the URL of the next page, which should be followed rather than built by hand, and a meta object with the total count.

Request size

Requests and responses are JSON over HTTPS. There is no single documented payload size limit across the whole API; individual resources set their own bounds, such as a block storage volume ranging from 1 GiB to 16 TiB.

Errors

Status codes & error handling.

The status codes an agent should handle, and what to do about each.

Status	Code	Meaning	What to do
401	`unauthorized`	Authentication is missing, or the token is invalid or expired.	Send a valid token in the Authorization header as a bearer credential.
403	`forbidden`	The token is valid but lacks the scope or team role for this call, such as a read-only token attempting a write.	Recreate the token with the scope the call needs, since scopes cannot be edited after creation.
404	`not_found`	The resource does not exist, or the token cannot see it.	Confirm the ID in the path and that the token has access to the resource.
422	`unprocessable_entity`	The request was well-formed but a field is missing or invalid, such as a firewall created with no rules.	Read the message field, correct the named input, and resend.
429	`too_many_requests`	A rate limit was exceeded, either the hourly quota or the per-minute burst.	Wait for the window to reset, using the ratelimit-reset header, or honor the Retry-After header on a burst limit before retrying.
500	`server_error`	An unexpected error occurred on DigitalOcean's side.	Retry after a short delay, and quote the request_id from the error body if contacting support.

Versioning & freshness

Version history.

DigitalOcean exposes a single, continuously updated version of its API at the v2 path. There is no dated version header to pin, and changes ship through release notes.

Version history

What changed, and when

Latest versionv2

v2Current version

The current API

The v2 API is the single, continuously updated version, served at the v2 path with no dated version header to pin. It left beta in 2015, replacing the retired v1, and has shipped features since through dated release notes rather than new version numbers. Recent additions include custom scopes for personal access tokens and identifiable token prefixes.

What changed

v2 left beta and became the supported API, replacing v1
Token prefixes dop_v1_, doo_v1_, and dor_v1_ added to distinguish token types
Custom, fine-grained scopes for personal access tokens reached general availability
Per-service remote MCP server endpoints launched under mcp.digitalocean.com

2024-04-17Feature update

Custom scopes reach general availability

Custom scopes for personal access tokens reached general availability, after a feature preview that began on 15 March 2024. A token can now be created with granular resource:action permissions, such as droplet:create or firewall:update, rather than only the broad Read Only or Full Access options. Kubernetes kubeconfig and credentials endpoints began returning tokens scoped for read-only cluster access on 8 April 2024.

What changed

Custom scopes for personal access tokens reached general availability
Tokens can be limited to specific resource:action permissions for least-privilege access
Scopes are fixed at creation and cannot be edited afterward

2023-08-24Feature update

Retry-After on burst limits

DigitalOcean added a Retry-After header to the 429 responses returned when the per-minute burst rate limit is hit, so a client can read exactly how many seconds to wait before retrying. It was released on 24 August 2023.

What changed

Added a Retry-After header to 429 responses on the burst rate limit

2022-03-29Feature update

Identifiable token prefixes

API tokens gained identifiable prefixes so the type of a credential is clear at a glance: dop_v1_ for a personal access token, doo_v1_ for an OAuth token, and dor_v1_ for a refresh token. It was released on 29 March 2022.

What changed

Personal access tokens carry the dop_v1_ prefix
OAuth tokens carry the doo_v1_ prefix, and refresh tokens the dor_v1_ prefix

There is one live version, so an integration tracks the release notes rather than pinning a date.

DigitalOcean API release notes ↗

Questions

DigitalOcean API, answered.

How do API token scopes work, and can I change them later?+

A personal access token carries scopes that decide what it can do. Custom scopes are resource:action pairs, such as droplet:read or domain:update, and a token can be created with just the ones it needs for least-privilege access. The alias scopes api:read and api:write back the Read Only and Full Access options and expand to cover new endpoints automatically. Scopes cannot be edited after a token is created, so changing a token's access means creating a new token with the scopes wanted and revoking the old one.

What are the rate limits?+

Each token is limited to 5,000 requests per hour and 250 requests per minute as a burst ceiling. Every response carries ratelimit-limit, ratelimit-remaining, and ratelimit-reset headers, where ratelimit-reset is a Unix timestamp for when the window resets. Exceeding a limit returns HTTP 429, and a burst-limit response also includes a Retry-After header with the seconds to wait. A few product areas document their own extra limits on top.

Does the DigitalOcean API send webhooks?+

The core API does not push general resource events to a webhook URL the way some APIs do, so an agent that needs current state polls the relevant endpoint. Asynchronous work like a Droplet reboot or resize runs as an action whose status is checked on the actions endpoint. The separate Monitoring and Uptime products can send alerts on their own channels when a metric or check crosses a threshold.

Personal access token or OAuth, which should I use?+

A personal access token is the simpler choice for an integration acting on one account, and custom scopes let it be limited to exactly the resources and actions it needs. OAuth 2.0 suits a product that connects to many different users' DigitalOcean accounts, since each user grants access through the standard authorization flow. Both produce bearer tokens sent in the Authorization header, distinguished by the dop_v1_ and doo_v1_ prefixes.

How does pagination work?+

List endpoints take the page and per_page query parameters, where per_page defaults to 20 and can go up to 200. Each response includes a links object whose pages.next holds the URL of the next page, which should be followed rather than constructed by hand, and a meta object with the total count of items.

Is there an official MCP server for DigitalOcean?+

Yes. DigitalOcean publishes an official Model Context Protocol server so an agent can call DigitalOcean in tools like Claude, Cursor, and VS Code. Remote endpoints are hosted per service under mcp.digitalocean.com, such as the Droplets endpoint at https://droplets.mcp.digitalocean.com/mcp, and a local server is published as the npm package @digitalocean/mcp. Both authenticate with a DigitalOcean API token, so the same scopes that govern the REST API govern what the MCP server can do.

What does the v2 path mean, and is there a v1?+

v2 is the current and only supported version of the API, served at the v2 path as a single, continuously updated surface with no dated version to pin. The older v1 was deprecated in 2015 and is no longer available. Changes to v2 ship through the release notes rather than a new version number.

What is Bollard AI?

Control what every AI agent can do in DigitalOcean.

Bollard AI sits between a team's AI agents and DigitalOcean. Grant each agent exactly the access it needs, read or write, resource by resource, and every call is checked and logged.

Set read, write, or full access per agent, never a shared DigitalOcean token.
Denied by default, so an agent reaches only what has been explicitly allowed.
Every call recorded in plain English: who, what, where, and the decision.

Control DigitalOcean access in Bollard Browse all APIs →

DigitalOcean

Infra Agent

List Droplets ResourceOffReadFull use

Reboot a Droplet ActionOffReadFull use

Destroy Droplets ActionOffReadFull use

Spaces access keys ResourceOffReadFull use

Per-agent access, set in Bollard AI, not in DigitalOcean

How the DigitalOcean API works.

Connection & authentication methods.

REST API

MCP server (Model Context Protocol)

Personal access token with custom scopes

Personal access token, Read Only or Full Access

OAuth 2.0 application

What an AI agent can do in DigitalOcean.

Droplets

Droplet actions

Kubernetes clusters

Databases

Domains & DNS

Load balancers

Volumes

Snapshots

Firewalls

Apps (App Platform)

Projects

Spaces keys

Account

Every DigitalOcean API method.

Droplets

Droplet actions

Kubernetes clusters

Databases

Domains & DNS

Load balancers

Volumes

Snapshots

Firewalls

Apps (App Platform)

Projects

Spaces keys

Account

Webhook events.

Rate limits, pagination & request size.

Request rate

Pagination

Request size

Status codes & error handling.

Version history.

What changed, and when

DigitalOcean API, answered.

More developer API guides for agents

GitHub

Make

Datadog

LaunchDarkly

Gitea

Grafana

Control what every AI agent can do in DigitalOcean.