Skip to main content
The api_keys client methods are currently in ALPHA. The API may change without notice. A one-time warning is emitted on first use.
Manage Arize API keys programmatically. Create, list, revoke, and refresh user or service keys.

Key Capabilities

  • List API keys with optional filtering by type or status
  • Create user keys (account-scoped) or service keys (space-scoped)
  • Revoke keys immediately and permanently
  • Refresh (rotate) a key while preserving its name and scope

List API Keys

List API keys with cursor-based pagination. Optionally filter by key_type ("user" or "service"), status ("active" or "revoked"), space (name or ID — returns service keys for that space), and user_id (filter by creator for service keys, or view another user’s keys as an account admin). When status is omitted, only active keys are returned.
resp = client.api_keys.list(
    key_type="service",                  # optional: "user" or "service"
    status="active",                     # optional: "active" or "revoked"
    space="your-space-name-or-id",       # optional: filter service keys by space
    user_id="Usr1001",                   # optional: filter by creator (service) or user (user keys)
    limit=50,
)

for key in resp.api_keys:
    print(key.id, key.name, key.key_type)
For details on pagination, field introspection, and data conversion (to dict/JSON/DataFrame), see Response Objects.

Create an API Key

Two key types are supported via separate methods:
  • User key (create) — authenticates as the creating user with their full permissions.
  • Service key (create_service_key) — scoped to a specific space, backed by a bot user with configurable roles.
The raw key value is returned only once in the key field of the response. Store it securely — it cannot be retrieved again.

User Key

result = client.api_keys.create(
    name="my-user-key",
    description="Used for CI pipeline",  # optional
)

print(result.key)   # store this securely — shown only once
print(result.id)

Service Key

When no roles are specified, the server applies defaults (space_role="member", org_role="read-only", account_role="member"). All role assignments must be at or below the caller’s own privilege level.
from datetime import datetime, timezone

result = client.api_keys.create_service_key(
    name="my-service-key",
    space="your-space-name-or-id",
    expires_at=datetime(2027, 1, 1, tzinfo=timezone.utc),  # optional
    space_role="member",        # optional: "admin", "member", or "read-only"
    org_role="read-only",       # optional: "admin", "member", or "read-only"
    account_role="member",      # optional: "admin" or "member"
)

print(result.key)   # store this securely — shown only once
print(result.id)

Revoke an API Key

Revoke a key by ID. The key’s status is set to revoked and it is deactivated immediately and permanently. This operation is irreversible. Revoking an already-revoked key is a no-op and still succeeds.
client.api_keys.revoke(api_key_id="your-api-key-id")

print("API key revoked")

Refresh an API Key

Revoke an existing key and issue a replacement with the same name, description, type, and scope. A new raw key value is returned. Use grace_period_seconds to keep the old key valid briefly while your services rotate to the new key.
The new raw key value is returned only once in the key field of the response. Store it securely.
from datetime import datetime, timezone

result = client.api_keys.refresh(
    api_key_id="your-api-key-id",
    expires_at=datetime(2027, 1, 1, tzinfo=timezone.utc),  # optional
    grace_period_seconds=300,                               # optional: keep old key valid for 5 minutes
)

print(result.key)   # store this securely — shown only once