> ## Documentation Index
> Fetch the complete documentation index at: https://arize-ax.mintlify.dev/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# API Keys

> Manage Arize API keys programmatically. Create, list, delete, and regenerate user or service keys.

<Note>
  The `api_keys` client methods are currently in **ALPHA**. The API may change without notice. A one-time warning is emitted on first use.
</Note>

Manage Arize API keys programmatically. Create, list, delete, and regenerate user or service keys.

## Key Capabilities

* List API keys with optional filtering by type or status
* Create user keys (account-scoped) or service keys (space-scoped)
* Delete keys immediately and permanently
* Refresh (rotate) a key while preserving its name and scope

## List API Keys

List API keys for the authenticated user. Optionally filter by `key_type` (`"user"` or `"service"`) and `status` (`"active"` or `"deleted"`). When `status` is omitted, only active keys are returned.

```python theme={null}
resp = client.api_keys.list(
    key_type="service",  # optional: "user" or "service"
    status="active",     # optional: "active" or "deleted"
    limit=50,
)

for key in resp.api_keys:
    print(key.id, key.name, key.key_type)
```

For details on pagination, field introspection, and data conversion (to dict/JSON/DataFrame), see [Response Objects](/api-clients/python/version-8/overview#response-objects).

## Create an API Key

Two key types are supported via separate methods:

* **User key** (`create`) — authenticates as the creating user with their full permissions.
* **Service key** (`create_service_key`) — scoped to a specific space, backed by a bot user with configurable roles.

<Warning>
  The raw key value is returned **only once** in the `key` field of the response. Store it securely — it cannot be retrieved again.
</Warning>

### User Key

```python theme={null}
result = client.api_keys.create(
    name="my-user-key",
    description="Used for CI pipeline",  # optional
)

print(result.key)   # store this securely — shown only once
print(result.id)
```

### Service Key

When no roles are specified, the server applies defaults (`space_role="member"`, `org_role="read-only"`, `account_role="member"`). All role assignments must be at or below the caller's own privilege level.

```python theme={null}
from datetime import datetime, timezone

result = client.api_keys.create_service_key(
    name="my-service-key",
    space="your-space-name-or-id",
    expires_at=datetime(2027, 1, 1, tzinfo=timezone.utc),  # optional
    space_role="member",        # optional: "admin", "member", or "read-only"
    org_role="read-only",       # optional: "admin", "member", or "read-only"
    account_role="member",      # optional: "admin" or "member"
)

print(result.key)   # store this securely — shown only once
print(result.id)
```

## Delete an API Key

Delete a key by ID. The key is deactivated immediately and permanently.

```python theme={null}
client.api_keys.delete(api_key_id="your-api-key-id")

print("API key deleted")
```

## Refresh an API Key

Revoke an existing key and issue a replacement with the same name, description, type, and scope. A new raw key value is returned. Use `grace_period_seconds` to keep the old key valid briefly while your services rotate to the new key.

<Warning>
  The new raw key value is returned **only once** in the `key` field of the response. Store it securely.
</Warning>

```python theme={null}
from datetime import datetime, timezone

result = client.api_keys.refresh(
    api_key_id="your-api-key-id",
    expires_at=datetime(2027, 1, 1, tzinfo=timezone.utc),  # optional
    grace_period_seconds=300,                               # optional: keep old key valid for 5 minutes
)

print(result.key)   # store this securely — shown only once
```