RBAC REST API

The Arize REST API provides endpoints for managing access control programmatically. Use these endpoints to automate role assignment, manage project restrictions, and integrate RBAC into your workflows.

These endpoints are currently in Alpha. Breaking changes are possible. See API Version Stages for details.

Authentication

All RBAC endpoints require Bearer token authentication:

Authorization: Bearer <api-key>

Both User Keys and Service Keys are supported. See Authentication for details.

Roles

Manage custom and predefined roles for your account.

Method	Path	Description
`GET`	`/v2/roles`	List all roles (custom and predefined)
`POST`	`/v2/roles`	Create a custom role
`GET`	`/v2/roles/{role_id}`	Get a role by ID
`PATCH`	`/v2/roles/{role_id}`	Update a custom role
`DELETE`	`/v2/roles/{role_id}`	Delete a custom role

Predefined roles (e.g., Project Viewer, Project Editor, Project Admin) cannot be updated or deleted.

List roles

curl https://api.arize.com/v2/roles \
  -H "Authorization: Bearer <api-key>"

You can filter by is_predefined=true or is_predefined=false to see only built-in or custom roles. Responses are paginated — use limit and cursor parameters for large role lists.

Create a custom role

curl -X POST https://api.arize.com/v2/roles \
  -H "Authorization: Bearer <api-key>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Dataset Manager",
    "description": "Can manage datasets and run experiments",
    "permissions": [
      "DATASET_READ",
      "DATASET_CREATE",
      "DATASET_UPDATE",
      "DATASET_DELETE",
      "DATASET_EXAMPLE_READ",
      "DATASET_EXAMPLE_CREATE",
      "EXPERIMENT_READ",
      "EXPERIMENT_CREATE"
    ]
  }'

To see the full list of available permission values, call GET /v2/roles and inspect the permissions on an existing role, or refer to the interactive API documentation.

Role Bindings

Assign roles to users on specific resources (spaces or projects).

Method	Path	Description
`POST`	`/v2/role-bindings`	Assign a role to a user on a space or project
`GET`	`/v2/role-bindings/{binding_id}`	Get a role binding by ID
`PATCH`	`/v2/role-bindings/{binding_id}`	Update the role in a binding
`DELETE`	`/v2/role-bindings/{binding_id}`	Remove a role binding

Each user can have one role binding per resource. Attempting to create a duplicate binding returns a 409 Conflict error.

Assign a project role

curl -X POST https://api.arize.com/v2/role-bindings \
  -H "Authorization: Bearer <api-key>" \
  -H "Content-Type: application/json" \
  -d '{
    "role_id": "<role-global-id>",
    "user_id": "<user-global-id>",
    "resource_type": "project",
    "resource_id": "<project-global-id>"
  }'

The resource_type field accepts space or project.

Update a role binding

To change the role assigned to a user, update the binding with a new role_id:

curl -X PATCH https://api.arize.com/v2/role-bindings/<binding-id> \
  -H "Authorization: Bearer <api-key>" \
  -H "Content-Type: application/json" \
  -d '{
    "role_id": "<new-role-global-id>"
  }'

Only the role_id can be updated. The user, resource type, and resource cannot be changed — delete and recreate the binding instead.

Resource Restrictions

Mark projects as restricted so only users with explicit role bindings can access them.

Method	Path	Description
`POST`	`/v2/resource-restrictions`	Restrict a project
`DELETE`	`/v2/resource-restrictions/{resource_id}`	Remove restriction from a project

Currently, only projects can be restricted. Support for additional resource types is planned.

Restrict a project

curl -X POST https://api.arize.com/v2/resource-restrictions \
  -H "Authorization: Bearer <api-key>" \
  -H "Content-Type: application/json" \
  -d '{"resource_id": "<project-global-id>"}'

This operation is idempotent — restricting an already-restricted project returns successfully.

Remove a restriction

curl -X DELETE https://api.arize.com/v2/resource-restrictions/<project-global-id> \
  -H "Authorization: Bearer <api-key>"

See Project-Level Restrictions for details on how restrictions affect access.

Common Workflows

Onboard a team member with scoped project access

Restrict the project (if not already restricted): POST /v2/resource-restrictions with the project ID.
Create a role binding for the user: POST /v2/role-bindings with the user ID, a role ID (e.g., Project Editor), and the project ID.

Audit roles and access

List all custom roles: GET /v2/roles?is_predefined=false
Review role bindings: GET /v2/role-bindings/{binding_id} for specific bindings.

Full API Reference

For complete request and response schemas, see the interactive API documentation.

For additional support, join the Arize Community Slack.

Alyx

Observe

Evaluate

Develop

Prompts

Machine Learning

Settings

Security

Authentication

Roles

List roles

Create a custom role

Role Bindings

Assign a project role

Update a role binding

Resource Restrictions

Restrict a project

Remove a restriction

Common Workflows

Onboard a team member with scoped project access

Audit roles and access

Full API Reference

Alyx

Observe

Evaluate

Develop

Prompts

Machine Learning

Settings

Security

​Authentication

​Roles

​List roles

​Create a custom role

​Role Bindings

​Assign a project role

​Update a role binding

​Resource Restrictions

​Restrict a project

​Remove a restriction

​Common Workflows

​Onboard a team member with scoped project access

​Audit roles and access

​Full API Reference

Authentication

Roles

List roles

Create a custom role

Role Bindings

Assign a project role

Update a role binding

Resource Restrictions

Restrict a project

Remove a restriction

Common Workflows

Onboard a team member with scoped project access

Audit roles and access

Full API Reference