curl --request POST \
  --url https://api.arize.com/v2/api-keys \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "name": "CI pipeline key"
}
'

{
  "id": "QXBp1001",
  "name": "CI pipeline key",
  "key_type": "user",
  "status": "active",
  "key": "ak-abc123def456ghi789jkl012mno345pqr678stu901vwx234yz",
  "redacted_key": "ak-abc...xyz",
  "created_by_user_id": "Usr1001",
  "created_at": "2024-01-15T10:30:00Z",
  "expires_at": "2025-01-15T10:30:00Z"
}

API Keys

Create an API key

Create a new API key for the authenticated user.

key_type defaults to user when omitted.
For service keys, space_id is required. The service key is scoped to the given space, and a bot user will be created with the specified roles.
For user keys, space_id and roles must not be set — passing either returns 400. The key inherits the authenticated user’s own permissions.
You may only assign roles at or below your own privilege level. Attempting to assign a role higher than your own returns 400 Bad Request.
All roles default to the minimum privilege when omitted: space_role → member, org_role → read-only, account_role → member.

Authorization:

User keys: Requires the developer user permission flag. Returns 403 when this flag is absent.
Service keys: Requires the SERVICE_KEY_CREATE permission in the target space (space member or above).

The full API key value (key) is only returned once in the creation response. Store it securely — it cannot be retrieved again. Use the redacted_key field on subsequent reads.

This endpoint is in alpha, read more here.

POST

api-keys

curl --request POST \
  --url https://api.arize.com/v2/api-keys \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "name": "CI pipeline key"
}
'

{
  "id": "QXBp1001",
  "name": "CI pipeline key",
  "key_type": "user",
  "status": "active",
  "key": "ak-abc123def456ghi789jkl012mno345pqr678stu901vwx234yz",
  "redacted_key": "ak-abc...xyz",
  "created_by_user_id": "Usr1001",
  "created_at": "2024-01-15T10:30:00Z",
  "expires_at": "2025-01-15T10:30:00Z"
}

Authorizations

Authorization

string

header

required

Most Arize AI endpoints require authentication. For those endpoints that require authentication, include your API key in the request header using the format

Body

application/json

Body containing API key creation parameters

name

string

required

User-defined name for the API key.

Maximum string length: 256

Example:

"CI pipeline key"

description

string

Optional user-defined description for the API key.

Maximum string length: 1000

Example:

"Key used by the CI pipeline to upload evaluation results."

key_type

enum<string>

default:user

Type of the API key to create. Defaults to user.

user - Key that authenticates as the creating user with their full permissions. space_id and roles must not be set (returns 400).
service - Key scoped to a specific space backed by a dedicated bot user. Requires space_id. All roles default to minimum privilege when omitted.

Available options:

user,

service

Example:

"user"

expires_at

string<date-time>

Optional expiration timestamp. If omitted the key never expires.

Example:

"2026-01-01T00:00:00Z"

space_id

string

ID of the space this service key is scoped to. Required when key_type is service; invalid for user keys (returns 400).

Example:

"U3BhY2UxMjM"

roles

object

Role assignments for the service key's bot user. Only valid when key_type is service; invalid for user keys (returns 400). When omitted, each role field defaults to minimum privilege: space_role → member, org_role → read-only, account_role → member.

Show child attributes

Response

API key successfully created or refreshed. The raw key is only returned once.

string

required

Unique identifier for the API key.

name

string

required

User-defined name for the API key.

key_type

enum<string>

required

Type of the API key.

user - Key associated with a specific user.
service - Key associated with a bot user for service authentication.

Available options:

user,

service

status

enum<string>

required

Current status of the API key.

active - The key is valid for use.
deleted - The key has been deleted by a user.

Available options:

active,

deleted

redacted_key

string

required

Redacted version of the key suitable for display (e.g., "ak-abc...xyz").

created_at

string<date-time>

required

Timestamp when the key was created.

created_by_user_id

string

required

ID of the user who created the key.

key

string

required

The full API key value. Only returned once at creation or refresh time. Store it securely — it cannot be retrieved again.

description

string

Optional user-defined description for the API key.

expires_at

string<date-time>

Optional timestamp when the key will expire.

last_used_at

string<date-time>

Approximate timestamp when the key was last used for authentication. This value is periodically updated and may not reflect the most recent usage.

List API keys Delete an API key

⌘I