Programmatically Create System API Key During Phoenix Deployment

7 comments

· Sorted by Oldest

RunLLM
APP
·
Yes, you can programmatically create a system API key using a GraphQL mutation. According to the <https://github.com/Arize-ai/phoenix/pull/4235|GitHub pull request>, you can use the `createSystemApiKey` mutation to generate a system API key. Here's an example of how you can perform this mutation: ``` mutation { createSystemApiKey(input: { name: "system-api-key"}) { jwt apiKey { name description createdAt expiresAt } } } ``` This mutation will return a JSON payload containing the JWT and details of the created API key, such as its name, creation date, and expiration date. Would you like more detail on how to implement this in your deployment process? Sources: - <https://github.com/Arize-ai/phoenix/pull/4235|GitHub pull request>
💡 Hint: Mention RunLLM in the thread for followups.
Mikyo
·
Hey Chaitanya, totally understand your use case. We're actively working on some phoenix management improvements at the moment (https://github.com/Arize-ai/phoenix/issues/6358). This might ultimately solve your problem but we don't have a solution for you today. Only admins can create system keys. Can you maybe tell us a bit more about your setup and why you need a new phoenix at deployment? Would love to understand why you need a phoenix freshly deployed with a system API key already setup. Thanks for the feedback! We hope to have a solution in the next iteration of Phoenix.
Chaitanya
·
Hi Mikyo Thanks for your response. I am deploying phoenix in ECS fargate along with my chatbot services. These chatbot services send traces to the phoenix services. Right now upon successful deployment of the phoenix, the other chatbot services will start. This is completely automated in the code pipeline. Now I need to add a manual intervention after phoenix is deployed, need to change the admin default password, generate a system API key, and store it in one of the secrets and pass it to downstream applications as input or environment variable etc. I want to avoid this manual intervention. Hope it is clear...
Chaitanya
·
Hi Mikyo I noticed that you have added a feature that sets the admin key separately using an environment variable PHOENIX_ADMIN_SECRET . Will this serve my initial request?
Mikyo
·
RunLLM provide some guidance on how to us the PHOENIX_ADMIN_SECRET
RunLLM
APP
·
To use PHOENIX_ADMIN_SECRET, set this environment variable in your Phoenix deployment with a strong secret (at least 32 characters, including a digit and a lowercase letter). This enables programmatic API key creation via a new endpoint, allowing you to automate project setup and trace logging without manual admin login. Remove the value after creating a system key for security reasons. For details, see <https://docs.arize.com/phoenix/release-notes/04.16.2025-api-key-generation-via-api|API Key Generation via API> and <https://docs.arize.com/phoenix/settings/api-keys#admin-secret|Admin Secret documentation>. Would you like more detail on the API call or deployment example? Sources: - <https://docs.arize.com/phoenix/release-notes/04.16.2025-api-key-generation-via-api|API Key Generation via API> - <https://docs.arize.com/phoenix/settings/api-keys#admin-secret|Admin Secret documentation>
💡 Hint: Mention RunLLM in the thread for followups.
Mikyo
·
I think so. Been a minute since I read this thread 😅
🙌1

RunLLM
APP
·
Yes, you can programmatically create a system API key using a GraphQL mutation. According to the <https://github.com/Arize-ai/phoenix/pull/4235|GitHub pull request>, you can use the `createSystemApiKey` mutation to generate a system API key. Here's an example of how you can perform this mutation: ``` mutation { createSystemApiKey(input: { name: "system-api-key"}) { jwt apiKey { name description createdAt expiresAt } } } ``` This mutation will return a JSON payload containing the JWT and details of the created API key, such as its name, creation date, and expiration date. Would you like more detail on how to implement this in your deployment process? Sources: - <https://github.com/Arize-ai/phoenix/pull/4235|GitHub pull request>
💡 Hint: Mention RunLLM in the thread for followups.
Mikyo
·
Hey Chaitanya, totally understand your use case. We're actively working on some phoenix management improvements at the moment (https://github.com/Arize-ai/phoenix/issues/6358). This might ultimately solve your problem but we don't have a solution for you today. Only admins can create system keys. Can you maybe tell us a bit more about your setup and why you need a new phoenix at deployment? Would love to understand why you need a phoenix freshly deployed with a system API key already setup. Thanks for the feedback! We hope to have a solution in the next iteration of Phoenix.
Chaitanya
·
Hi Mikyo Thanks for your response. I am deploying phoenix in ECS fargate along with my chatbot services. These chatbot services send traces to the phoenix services. Right now upon successful deployment of the phoenix, the other chatbot services will start. This is completely automated in the code pipeline. Now I need to add a manual intervention after phoenix is deployed, need to change the admin default password, generate a system API key, and store it in one of the secrets and pass it to downstream applications as input or environment variable etc. I want to avoid this manual intervention. Hope it is clear...
Chaitanya
·
Hi Mikyo I noticed that you have added a feature that sets the admin key separately using an environment variable PHOENIX_ADMIN_SECRET . Will this serve my initial request?
Mikyo
·
RunLLM provide some guidance on how to us the PHOENIX_ADMIN_SECRET
RunLLM
APP
·
To use PHOENIX_ADMIN_SECRET, set this environment variable in your Phoenix deployment with a strong secret (at least 32 characters, including a digit and a lowercase letter). This enables programmatic API key creation via a new endpoint, allowing you to automate project setup and trace logging without manual admin login. Remove the value after creating a system key for security reasons. For details, see <https://docs.arize.com/phoenix/release-notes/04.16.2025-api-key-generation-via-api|API Key Generation via API> and <https://docs.arize.com/phoenix/settings/api-keys#admin-secret|Admin Secret documentation>. Would you like more detail on the API call or deployment example? Sources: - <https://docs.arize.com/phoenix/release-notes/04.16.2025-api-key-generation-via-api|API Key Generation via API> - <https://docs.arize.com/phoenix/settings/api-keys#admin-secret|Admin Secret documentation>
💡 Hint: Mention RunLLM in the thread for followups.
Mikyo
·
I think so. Been a minute since I read this thread 😅
🙌1