Refresh an API key
Atomically revoke an existing API key and issue a replacement with the same metadata (name, description, and key type).
The old key is invalidated and the new key is activated in a single transaction —
there is no window where neither key is valid. The full new key value (key) is
only returned once in the response. Store it securely.
Authorization:
- User keys: the creator or an account admin may refresh the key. Requires the
developeruser permission flag. Returns403when this flag is absent. - Service keys: space admins (and higher) may refresh any service key in their space.
Non-admins require the
SERVICE_KEY_CREATEpermission and must be the creator of the key.
Expiry behaviour: Supply expires_at in the request body to set an expiration
on the replacement key. Omit expires_at (or send an empty body {}) to create
the replacement key with no expiration (infinite lifetime).
Grace period: Supply grace_period_seconds in the request body to keep the old key
valid for that many seconds after the refresh. If not supplied, the old key is revoked immediately.
Authorizations
Most Arize AI endpoints require authentication. For those endpoints that require authentication, include your API key in the request header using the format
Path Parameters
The unique API key identifier (base64) A universally unique identifier (base64-encoded opaque string).
"RW50aXR5OjEyMzQ1"
Body
Optional body for setting expiry on the new key and/or a grace period on the old key.
Expiration timestamp for the refreshed key. If omitted, the refreshed key has no expiration (infinite lifetime).
"2027-01-01T00:00:00Z"
Grace period in seconds during which the old key remains valid after the
refresh. When set, the old key's expiration is updated to now + grace_period_seconds
instead of being immediately revoked — it expires naturally at the end of the window.
If the old key already has an expires_at that is sooner than the grace window end,
the shorter value is used (the grace period cannot extend a key's original lifetime).
Defaults to 0 (immediate revocation). Maximum is 86400 (24 hours).
0 <= x <= 86400300
Response
API key successfully created or refreshed. The raw key is only returned once.
Unique identifier for the API key.
User-defined name for the API key.
Type of the API key.
- user - Key associated with a specific user.
- service - Key associated with a bot user for service authentication.
user, service Current status of the API key.
- active - The key is valid for use.
- deleted - The key has been deleted by a user.
active, deleted Redacted version of the key suitable for display (e.g., "ak-abc...xyz").
Timestamp when the key was created.
ID of the user who created the key.
The full API key value. Only returned once at creation or refresh time. Store it securely — it cannot be retrieved again.
Optional user-defined description for the API key.
Optional timestamp when the key will expire.
Approximate timestamp when the key was last used for authentication. This value is periodically updated and may not reflect the most recent usage.