Steps to Generate System Token via API in Self-Hosted Phoenix

·Nov 11, 2025 08:53 AM·

Hello, what are the steps to generate a system token using an API call to my self hosted Phoenix instance using the phoenix secret or phoenix admin secret?

✅2

4 comments

· Sorted by Oldest

RunLLM
APP
·
·
To generate a system token (system API key) programmatically, set the `PHOENIX_ADMIN_SECRET` environment variable at deploy time. This secret acts as a bearer token for authenticating API requests as the first system user. Use it in the `Authorization` header to call Phoenix's API endpoints and provision system keys without manual UI interaction. The secret must be at least 32 characters, include a digit and a lowercase letter, and differ from `PHOENIX_SECRET`—it is set via the environment, not generated by an API call itself. After deployment, use the `PHOENIX_ADMIN_SECRET` as a bearer token in the `Authorization` header to authenticate API requests (e.g., to create a system API key via the REST or GraphQL API). For example, send a request with `Authorization: Bearer <PHOENIX_ADMIN_SECRET> ` to the appropriate endpoint. Once a system key is created, use that key for further automation and remove the admin secret from your deployment for security. There is no direct API to generate the admin secret itself; it must be set as an environment variable before starting Phoenix. For details, see the official provisioning and API key documentation. Would you like more detail, such as example API calls or code snippets? Sources: - <https://arize.com/docs/phoenix/self-hosting/features/provisioning|Provisioning | Arize Phoenix>
💡 Hint: Mention RunLLM in the thread for followups.
Amith
·
·
RunLLM Can you show me an example code (API call) to generate a system token, authenticated using admin secret?
RunLLM
APP
·
·
You can generate a system API key by sending an authenticated API request using the `PHOENIX_ADMIN_SECRET` as a bearer token in the `Authorization` header. For example, using the GraphQL API, you can POST a mutation to your Phoenix server: ``` import requests PHOENIX_URL = "http://<your-phoenix-host> :6006/graphql" ADMIN_SECRET = "<your-phoenix-admin-secret> " headers = { "Authorization": f"Bearer {ADMIN_SECRET}", "Content-Type": "application/json" } payload = { "query": """ mutation { createSystemApiKey(input: { name: "system-api-key"}) { jwt apiKey { name description createdAt expiresAt } } } """ } response = requests.post(PHOENIX_URL, json=payload, headers=headers) print(response.json()) ``` This will return a new system API key in the response. Replace `<your-phoenix-host> ` and `<your-phoenix-admin-secret> ` with your actual values. Would you like more detail on the response or how to use the generated key? Sources: - <https://github.com/Arize-ai/phoenix/pull/4235|feat(auth): create system key (GitHub PR)>
💡 Hint: Mention RunLLM in the thread for followups.
Srilakshmi
External
·
·
Hi Amith! I think the bot answered your question correctly. Please let us know if there is anything else we can assist you with!

RunLLM
APP
·
·
To generate a system token (system API key) programmatically, set the `PHOENIX_ADMIN_SECRET` environment variable at deploy time. This secret acts as a bearer token for authenticating API requests as the first system user. Use it in the `Authorization` header to call Phoenix's API endpoints and provision system keys without manual UI interaction. The secret must be at least 32 characters, include a digit and a lowercase letter, and differ from `PHOENIX_SECRET`—it is set via the environment, not generated by an API call itself. After deployment, use the `PHOENIX_ADMIN_SECRET` as a bearer token in the `Authorization` header to authenticate API requests (e.g., to create a system API key via the REST or GraphQL API). For example, send a request with `Authorization: Bearer <PHOENIX_ADMIN_SECRET> ` to the appropriate endpoint. Once a system key is created, use that key for further automation and remove the admin secret from your deployment for security. There is no direct API to generate the admin secret itself; it must be set as an environment variable before starting Phoenix. For details, see the official provisioning and API key documentation. Would you like more detail, such as example API calls or code snippets? Sources: - <https://arize.com/docs/phoenix/self-hosting/features/provisioning|Provisioning | Arize Phoenix>
💡 Hint: Mention RunLLM in the thread for followups.
Amith
·
·
RunLLM Can you show me an example code (API call) to generate a system token, authenticated using admin secret?
RunLLM
APP
·
·
You can generate a system API key by sending an authenticated API request using the `PHOENIX_ADMIN_SECRET` as a bearer token in the `Authorization` header. For example, using the GraphQL API, you can POST a mutation to your Phoenix server: ``` import requests PHOENIX_URL = "http://<your-phoenix-host> :6006/graphql" ADMIN_SECRET = "<your-phoenix-admin-secret> " headers = { "Authorization": f"Bearer {ADMIN_SECRET}", "Content-Type": "application/json" } payload = { "query": """ mutation { createSystemApiKey(input: { name: "system-api-key"}) { jwt apiKey { name description createdAt expiresAt } } } """ } response = requests.post(PHOENIX_URL, json=payload, headers=headers) print(response.json()) ``` This will return a new system API key in the response. Replace `<your-phoenix-host> ` and `<your-phoenix-admin-secret> ` with your actual values. Would you like more detail on the response or how to use the generated key? Sources: - <https://github.com/Arize-ai/phoenix/pull/4235|feat(auth): create system key (GitHub PR)>
💡 Hint: Mention RunLLM in the thread for followups.
Srilakshmi
External
·
·
Hi Amith! I think the bot answered your question correctly. Please let us know if there is anything else we can assist you with!