Skip to content

Organizations

Create organizations and manage members.

Org dataclass

Org(prefix: str, did: str, label: str, repo_path: str)

An organization identity.

prefix instance-attribute

prefix: str

KERI prefix of the organization identity.

did instance-attribute

did: str

The organization's DID (did:keri:...).

label instance-attribute

label: str

Human-readable organization name.

repo_path instance-attribute

repo_path: str

Path to the identity repository.

OrgMember dataclass

OrgMember(member_did: str, role: str, capabilities: list[str], org_did: str, member_prefix: str, revoked: bool, expires_at: str | None)

A member within an organization.

member_did instance-attribute

member_did: str

Delegated did:keri: AID minted by the org for this member.

role instance-attribute

role: str

Member role: "admin", "member", or "readonly".

capabilities instance-attribute

capabilities: list[str]

Capabilities granted to this member.

org_did instance-attribute

org_did: str

DID of the organization that owns this membership.

member_prefix instance-attribute

member_prefix: str

KERI prefix of the member's delegated identity.

revoked instance-attribute

revoked: bool

Whether this membership has been revoked.

expires_at instance-attribute

expires_at: str | None

ISO 8601 expiry timestamp, or None for non-expiring memberships.

is_admin property

is_admin: bool

Whether this member has admin role.

OrgService

OrgService(client)

Resource service for organization operations.

create

create(label: str, repo_path: str | None = None, passphrase: str | None = None) -> Org

Create a new organization identity.

Parameters:

  • label (str) –

    Human-readable name for the org.

  • repo_path (str | None, default: None ) –

    Override identity store path.

  • passphrase (str | None, default: None ) –

    Override passphrase.

Returns:

  • Org

    Org with the KERI prefix, DID, and label.

Raises:

  • OrgError

    If organization creation fails.

  • KeychainError

    If the keychain is locked or inaccessible.

Examples:

org = client.orgs.create("my-team")

add_member

add_member(org_did: str, member_label: str, role: str = 'member', capabilities: list[str] | None = None, repo_path: str | None = None, passphrase: str | None = None, expires_at: int | None = None) -> OrgMember

Add a member to an organization.

The organization mints a fresh delegated key for the member from the given label; the returned member_did is the new delegated AID.

Parameters:

  • org_did (str) –

    The organization's DID (did:keri:...).

  • member_label (str) –

    Human-readable alias for the minted member key.

  • role (str, default: 'member' ) –

    One of "admin", "member", "readonly".

  • capabilities (list[str] | None, default: None ) –

    Explicit capability list. If None, uses role defaults.

  • expires_at (int | None, default: None ) –

    Optional Unix timestamp at which the membership expires.

Returns:

  • OrgMember

    OrgMember with the minted member DID and membership details.

Raises:

  • OrgError

    If the member cannot be added.

Examples:

member = client.orgs.add_member(org.did, "alice", role="member")

revoke_member

revoke_member(org_did: str, member_did: str, repo_path: str | None = None, passphrase: str | None = None) -> OrgMember

Revoke a member's authorization.

Parameters:

  • org_did (str) –

    The organization's DID.

  • member_did (str) –

    The member's delegated DID to revoke.

Returns:

  • OrgMember

    OrgMember with revoked status.

Raises:

  • OrgError

    If the member cannot be revoked.

Examples:

revoked = client.orgs.revoke_member(org.did, member.member_did)

update_member

update_member(org_did: str, member_did: str, member_label: str, role: str | None = None, capabilities: list[str] | None = None, repo_path: str | None = None, passphrase: str | None = None) -> OrgMember

Update a member by revoking the old delegation and minting a new one.

Because the organization mints member keys, an update revokes the existing delegated DID and adds a fresh member under member_label.

Parameters:

  • org_did (str) –

    The organization's DID.

  • member_did (str) –

    The existing delegated DID to revoke.

  • member_label (str) –

    Alias for the newly minted member key.

  • role (str | None, default: None ) –

    New role. If None, defaults to "member".

  • capabilities (list[str] | None, default: None ) –

    New capabilities. If None, uses role defaults.

Returns:

  • OrgMember

    OrgMember for the freshly minted member.

Raises:

  • OrgError

    If the member cannot be updated.

Examples:

updated = client.orgs.update_member(
    org.did, member.member_did, "alice", role="admin"
)

list_members

list_members(org_did: str, include_revoked: bool = False, repo_path: str | None = None) -> list[OrgMember]

List all members of an organization.

Parameters:

  • org_did (str) –

    The organization's DID.

  • include_revoked (bool, default: False ) –

    If True, includes revoked members.

Returns:

  • list[OrgMember]

    List of OrgMember objects.

Raises:

  • OrgError

    If the organization doesn't exist.

Examples:

members = client.orgs.list_members(org.did)

get_member

get_member(org_did: str, member_did: str, repo_path: str | None = None) -> OrgMember | None

Look up a specific member.

Parameters:

  • org_did (str) –

    The organization's DID.

  • member_did (str) –

    The member's DID to look up.

Returns:

  • OrgMember | None

    OrgMember if found, or None.

Examples:

member = client.orgs.get_member(org.did, dev.did)