API keys Management

[paulnoirel]

Description

Initially, this was a critical feature request for Optum.
The core feature is to create API keys for different users.

Notes

Client only contains wrappers for static methods in ApiKey.
client.create_api_key() shows a warning to emphasize its alpha status.

This PR brings the following changes to the SDK:

Classes

ApiKey: A class to describe API keys

Enum

TimeUnit: An enum to describe the validation time (number of seconds) of an API key as seen in the UI

Functions

client.create_api_key(
    name: str,
    user: Union[Any, str],
    role: Union[Any, str],
    validity: int = 0,
    time_unit: TimeUnit = TimeUnit.SECOND,
) -> Dict[str, str]:

client.get_api_key(api_key_id: str) -> Optional["ApiKey"]

client.get_api_keys(include_expired: bool = False) -> List["ApiKey"]

ApiKey.revoke() -> Dict[str, Any]:

Example:

# Create a new API key
> new_ak_id_token = client.create_api_key("Test New API key", "pnoirel+test@labelbox.com", "Data Admin", 3, TimeUnit.HOUR)
> new_ak_id_token
{'id': 'cm8qgj3v201yq07wl71am15gy',
 'jwt': 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiJjbGVrZm4wN3AxNmExMDd4bzUzZGQ2anRuIiwib3JnYW5pemF0aW9uSWQiOiJja3FzYWYwdWRiN3c2MHlib2RyaGMxbjBwIiwiYXBpS2V5SWQiOiJjbThxZ2ozdjIwMXlxMDd3bDcxYW0xNWd5Iiwic2VjcmV0IjoiNjE3YmY0YmJhMjE4YzIxZGE0YTI2ODEyZTg0NjRmNjAiLCJpYXQiOjE3NDMwMjU3NTQsImV4cCI6MTc0MzAzNjU1NH0.eaGR4wwKG3KU-L_ef34rLaPp1JT_7re9aLKGKBNoMTw'}

Retrieve API keys (one/all)

> client.get_api_keys()
[<ApiKey ID: cm4lcpdf9010h07z74e8yfydz>,
 <ApiKey ID: clyfl1tst019p071f7i644jc8>,
 <ApiKey ID: clwj4megk002407zi0s9v44ed>,
 <ApiKey ID: clvnsp1ml0578072b741v1gq8>,
 <ApiKey ID: cluv41rtb01ke0731babo26te>,
 <ApiKey ID: clutybm9u01e407ykgxns7gzi>,
 <ApiKey ID: clusmn71204n007xw0y9b1xwl>,
 <ApiKey ID: clj2xw6m702rw07tofvn6dfga>,
 <ApiKey ID: cm8qgj3v201yq07wl71am15gy>,
 <ApiKey ID: cm8q244sh037807xeb04k4xq5>]

> client.get_api_keys(include_expired=True)
[<ApiKey ID: cm8pzdwpg04fi07xo2pvr3a80>,
 <ApiKey ID: cm8pwewe40wav070h7w9q7fch>,
 <ApiKey ID: cm8ptb9jy0akj07yn3ra8fo82>,
 <ApiKey ID: cm4lcpdf9010h07z74e8yfydz>,
 <ApiKey ID: clyfl1tst019p071f7i644jc8>,
 <ApiKey ID: clwj4megk002407zi0s9v44ed>,
 <ApiKey ID: clvnsp1ml0578072b741v1gq8>,
 <ApiKey ID: cluv41rtb01ke0731babo26te>,
 <ApiKey ID: clutybm9u01e407ykgxns7gzi>,
 <ApiKey ID: clusmn71204n007xw0y9b1xwl>,
 <ApiKey ID: clj2xw6m702rw07tofvn6dfga>,
 <ApiKey ID: cm8qgj3v201yq07wl71am15gy>,
 <ApiKey ID: cm8q244sh037807xeb04k4xq5>,
 <ApiKey ID: cm8pzfzhb0ef307ynhzay52c9>]

Get one API key

> new_ak = client.get_api_key(new_ak_id_token["id"])
> new_ak
<ApiKey ID: cm8qgj3v201yq07wl71am15gy>

> new_ak.expired_at
datetime.datetime(2025, 3, 27, 0, 49, 15, tzinfo=datetime.timezone.utc)

> new_ak.created_by.email
pnoirel@labelbox.com

> new_ak.created_for.email
pnoirel+test@labelbox.com

Revoke an API key

> ak_to_remove.revoke()
{'updateApiKey': {'id': 'cm8qgj3v201yq07wl71am15gy'}}

> ApiKey.get_api_key(client, "cm8qgj3v201yq07wl71am15gy") is None
True

Fixes # (issue)

Type of change

Please delete options that are not relevant.

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Document change (fix typo or modifying any markdown files, code comments or anything in the examples folder only)

All Submissions

• Have you followed the guidelines in our Contributing document?
• Have you provided a description?
• Are your changes properly formatted?

New Feature Submissions

• Does your submission pass tests?
• Have you added thorough tests for your new feature?
• Have you commented your code, particularly in hard-to-understand areas?
• Have you added a Docstring?

Changes to Core Features

• Have you written new tests for your core changes, as applicable?
• Have you successfully run tests with your changes locally?
• Have you updated any code comments, as applicable?

[mihhail-m]

are these checks really necessary? I would imagine that backend already has these checks in place and client.execute() would just return appropriate error. Saving client extra bandwidth

[paulnoirel]

These tests are meant to guide the user in case of errors.
The testing for roles can be simplified thanks to ApiKeyPermissionsNotSubset = '173',
As for the error tests, the GraphQL call will do its best to be successful. See tests below:

[mihhail-m]

could just flip logic here and get rid of nested ifs for better code readability. Otherwise, too much mental gymnastic to perform for simple logic

[paulnoirel]

We still support 3.9. Otherwise, I would use pattern matching to simplify the structure for the bunch of tests.
I will update the test for "validity".

[mihhail-m]

here again I think most of that already handled by .execute() method and backend. It performs lots of extra checks and throws errors. So i think it is fine to just call client.execute() and return necessary data. But obviously should check before though 😬

[paulnoirel]

The exception handling was simplified.

[mihhail-m]

you probably wanna have <= here. Otherwise 0 is a valid expiration value

[paulnoirel]

It will caught by another test:

        if validity_seconds < TimeUnit.MINUTE.value:
            raise ValueError("Minimum validity period is 1 minute")
            ```

[mihhail-m]

i think .execute() would already throw error here if something is not right. So you could simplified this further by removing try/catch block.

[paulnoirel]

There are 2 things:

• execute() didn't manage to create an API key and this justifies to raise an exception (execute wouldn't fail)
• execute()threw an exception and I want it to be propagated.