API Keys

class ApiKeysClient(*, sdk_config: SDKConfiguration, generated_client: ApiClient)

Bases: object

Client for managing Arize API keys.

This class is primarily intended for internal use within the SDK. Users are highly encouraged to access resource-specific functionality via arize.ArizeClient.

The API keys client is a thin wrapper around the generated REST API client, using the shared generated API client owned by arize.config.SDKConfiguration.

Parameters:

• sdk_config (SDKConfiguration) – Resolved SDK configuration.

• generated_client (ApiClient) – Shared generated API client instance.

list(*, key_type: ApiKeyType | None = None, status: ApiKeyStatus | None = None, space: str | None = None, user_id: str | None = None, limit: int = DEFAULT_LIST_LIMIT, cursor: str | None = None) → ApiKeyListResponse

List API keys.

This endpoint supports cursor-based pagination. Optionally filter by key_type, status, space, and user_id.

Service keys (key_type="service"): provide space to return all service keys for that space. When key_type is omitted alongside space, service keys are returned implicitly. Optionally combine with user_id to filter by creator — available to any caller with space access.

User keys (key_type="user"): returned by default (no space). Provide user_id to view keys for a specific user — account admins only; non-admins receive a 403.

Parameters:

• key_type (ApiKeyType | None) – Optional key type filter (ApiKeyType.USER or ApiKeyType.SERVICE).

• status (ApiKeyStatus | None) – Optional status filter ("active" or "deleted"). Defaults to "active" on the server side when omitted.

• space (str | None) – Space name or ID. When provided, filters to service keys for that space. Accepts a human-readable name or a base64 identifier.

• user_id (str | None) – Base64 identifier of the user whose keys to return. For service keys (with space), filters by creator and is available to any caller with space access. For user keys (without space), requires account admin role.

• limit (int) – Maximum number of keys to return (1 to 100). Defaults to 50.

• cursor (str | None) – Opaque pagination cursor from a previous response.

Returns:

A paginated API key list response from the Arize REST API.

Raises:

ApiException – If the API request fails.

Return type:

ApiKeyListResponse

create(*, name: str, description: str | None = None, expires_at: datetime | None = None) → ApiKeyCreated

Create a new user API key.

Creates a user-type key that authenticates as the creating user with their full permissions. To create a space-scoped service key, use create_service_key instead.

The returned ApiKeyCreated object contains the full raw key value in its key field. This is the only time the raw key is returned. Store it securely.

Parameters:

• name (str) – User-defined name for the API key (max 256 characters).

• description (str | None) – Optional description (max 1000 characters).

• expires_at (datetime | None) – Optional expiration timestamp. If omitted the key never expires. Must be a future timestamp.

Returns:

The created API key, including the one-time raw key value.

Raises:

ApiException – If the API request fails (e.g. invalid parameters or insufficient permissions).

Return type:

ApiKeyCreated

create_service_key(*, name: str, space: str, description: str | None = None, expires_at: datetime | None = None, space_role: ApiKeySpaceRole | None = None, org_role: ApiKeyOrganizationRole | None = None, account_role: ApiKeyAccountRole | None = None) → ApiKeyCreated

Create a service-type API key for a space.

Service keys are scoped to a specific space and backed by a dedicated bot user with configurable roles. When no roles are specified, the server applies its defaults (space_role="member", org_role="read-only", account_role="member"). All role assignments must be at or below the caller’s own privilege level.

The returned ApiKeyCreated object contains the full raw key value in its key field. This is the only time the raw key is returned. Store it securely.

Parameters:

• name (str) – User-defined name for the API key (max 256 characters).

• space (str) – Space name or ID the service key is scoped to.

• description (str | None) – Optional description (max 1000 characters).

• expires_at (datetime | None) – Optional expiration timestamp. If omitted the key never expires. Must be a future timestamp.

• space_role (ApiKeySpaceRole | None) – Role for the bot user within the space (ApiKeySpaceRole). One of "admin", "member" (default), or "read-only". Must be at or below the caller’s own space role.

• org_role (ApiKeyOrganizationRole | None) – Role for the bot user within the organization (ApiKeyOrganizationRole). One of "admin", "member", or "read-only" (default). Must be at or below the caller’s own org role.

• account_role (ApiKeyAccountRole | None) – Account-level role for the bot user (ApiKeyAccountRole). One of "admin" or "member" (default). Must be at or below the caller’s own account role.

Returns:

The created API key, including the one-time raw key value.

Raises:

ApiException – If the API request fails (e.g. invalid role assignment or insufficient permissions).

Return type:

ApiKeyCreated

delete(*, api_key_id: str) → None

Delete an API key.

The key is deactivated immediately and permanently. This operation is irreversible — the key will stop working right away.

Parameters:

api_key_id (str) – ID of the API key to delete.

Returns:

None

Raises:

ApiException – If the API request fails (e.g. key not found or insufficient permissions).

Return type:

None

refresh(*, api_key_id: str, expires_at: datetime | None = None, grace_period_seconds: int | None = None) → ApiKeyCreated

Refresh an existing API key.

Atomically revokes the old key and issues a replacement with the same name, description, type, and scope.

Use grace_period_seconds to keep the old key valid briefly while your services rotate to the new key.

Parameters:

• api_key_id (str) – ID of the API key to refresh.

• expires_at (datetime | None) – New expiration for the replacement key. If omitted the replacement key will not expire.

• grace_period_seconds (int | None) – Optional grace window, in seconds, during which the old key remains valid after refresh. If omitted or 0, the old key is invalidated immediately.

Returns:

The newly issued API key, including the one-time raw key value.

Raises:

ApiException – If the API request fails (e.g. key not found, already deleted, or insufficient permissions).

Return type:

ApiKeyCreated

Response Types

class ApiKeyCreated(*, id: Annotated[str, Strict(strict=True)], name: Annotated[str, Strict(strict=True)], description: Annotated[str, Strict(strict=True)] | None = None, key_type: ApiKeyType, status: ApiKeyStatus, redacted_key: Annotated[str, Strict(strict=True)], created_at: datetime, expires_at: datetime | None = None, created_by_user_id: Annotated[str, Strict(strict=True)], last_used_at: datetime | None = None, key: Annotated[str, Strict(strict=True)])

Bases: BaseModel

Create a new model by parsing and validating input data from keyword arguments.

Raises [ValidationError][pydantic_core.ValidationError] if the input data cannot be validated to form a valid model.

self is explicitly positional-only to allow self as a field name.

Parameters:

• id (Annotated[str, Strict(strict=True)])

• name (Annotated[str, Strict(strict=True)])

• description (Annotated[str, Strict(strict=True)] | None)

• key_type (ApiKeyType)

• status (ApiKeyStatus)

• redacted_key (Annotated[str, Strict(strict=True)])

• created_at (datetime)

• expires_at (datetime | None)

• created_by_user_id (Annotated[str, Strict(strict=True)])

• last_used_at (datetime | None)

• key (Annotated[str, Strict(strict=True)])

id: StrictStr

name: StrictStr

description: StrictStr | None

key_type: ApiKeyType

status: ApiKeyStatus

redacted_key: StrictStr

created_at: datetime

expires_at: datetime | None

created_by_user_id: StrictStr

last_used_at: datetime | None

key: StrictStr

model_config: ClassVar[ConfigDict] = {'populate_by_name': True, 'protected_namespaces': (), 'validate_assignment': True, 'validate_by_alias': True, 'validate_by_name': True}

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

to_str() → str

Returns the string representation of the model using alias

Return type:

str

to_json() → str

Returns the JSON representation of the model using alias

Return type:

str

classmethod from_json(json_str: str) → Self | None

Create an instance of ApiKeyCreated from a JSON string

Parameters:

json_str (str)

Return type:

Self | None

to_dict() → Dict[str, Any]

Return the dictionary representation of the model using alias.

This has the following differences from calling pydantic’s self.model_dump(by_alias=True):

• None is only added to the output dict for nullable fields that were set at model initialization. Other fields with value None are ignored.

Return type:

Dict[str, Any]

classmethod from_dict(obj: Dict[str, Any] | None) → Self | None

Create an instance of ApiKeyCreated from a dict

Parameters:

obj (Dict[str, Any] | None)

Return type:

Self | None

class ApiKeyStatus(value, names=_not_given, *values, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: str, Enum

Current status of the API key. - active - The key is valid for use. - deleted - The key has been deleted by a user.

ACTIVE = 'active'

DELETED = 'deleted'

classmethod from_json(json_str: str) → Self

Create an instance of ApiKeyStatus from a JSON string

Parameters:

json_str (str)

Return type:

Self