Organizations

Create organizations and manage members.

Org dataclass

Org(prefix: str, did: str, label: str, repo_path: str)

An organization identity.

prefix instance-attribute

prefix: str

KERI prefix of the organization identity.

did instance-attribute

did: str

The organization's DID (did:keri:...).

label instance-attribute

label: str

Human-readable organization name.

repo_path instance-attribute

repo_path: str

Path to the identity repository.

OrgMember dataclass

OrgMember(member_did: str, role: str, capabilities: list[str], issuer_did: str, attestation_rid: str, revoked: bool, expires_at: str | None)

A member within an organization.

member_did instance-attribute

member_did: str

DID of the member.

role instance-attribute

role: str

Member role: "admin", "member", or "readonly".

capabilities instance-attribute

capabilities: list[str]

Capabilities granted to this member.

issuer_did instance-attribute

issuer_did: str

DID of the identity that issued the membership attestation.

attestation_rid instance-attribute

attestation_rid: str

RID of the membership attestation.

revoked instance-attribute

revoked: bool

Whether this membership has been revoked.

expires_at instance-attribute

expires_at: str | None

ISO 8601 expiry timestamp, or None for non-expiring memberships.

is_admin property

is_admin: bool

Whether this member has admin role.

OrgService

OrgService(client)

Resource service for organization operations.

create

create(label: str, repo_path: str | None = None, passphrase: str | None = None) -> Org

Create a new organization identity.

Parameters:

  • label (str) – Human-readable name for the org.
  • repo_path (str | None, default: None) – Override identity store path.
  • passphrase (str | None, default: None) – Override passphrase.

Returns:

  • Org – Org with the KERI prefix, DID, and label.

Raises:

  • OrgError – If organization creation fails.
  • KeychainError – If the keychain is locked or inaccessible.

Examples:

org = client.orgs.create("my-team")

add_member

add_member(org_did: str, member_did: str, role: str = 'member', capabilities: list[str] | None = None, note: str | None = None, repo_path: str | None = None, passphrase: str | None = None, member_public_key_hex: str | None = None) -> OrgMember

Add a member to an organization.

Parameters:

  • org_did (str) – The organization's DID (did:keri:...).
  • member_did (str) – The member's DID to add.
  • role (str, default: 'member') – One of "admin", "member", "readonly".
  • capabilities (list[str] | None, default: None) – Explicit capability list. If None, uses role defaults.
  • note (str | None, default: None) – Optional human-readable note for the attestation.
  • member_public_key_hex (str | None, default: None) – Member's Ed25519 public key hex. Required when the member's identity is in a different registry.

Returns:

  • OrgMember – OrgMember with the membership attestation details.

Raises:

  • OrgError – If the member cannot be added.

Examples:

member = client.orgs.add_member(org.did, dev.did, role="member")

revoke_member

revoke_member(org_did: str, member_did: str, note: str | None = None, repo_path: str | None = None, passphrase: str | None = None, member_public_key_hex: str | None = None) -> OrgMember

Revoke a member's authorization.

Parameters:

  • org_did (str) – The organization's DID.
  • member_did (str) – The member's DID to revoke.
  • note (str | None, default: None) – Optional human-readable note.
  • member_public_key_hex (str | None, default: None) – Member's Ed25519 public key hex. Required when the member's identity is in a different registry.

Returns:

  • OrgMember – OrgMember with revoked status.

Raises:

  • OrgError – If the member cannot be revoked.

Examples:

revoked = client.orgs.revoke_member(org.did, dev.did)

update_member

update_member(org_did: str, member_did: str, role: str | None = None, capabilities: list[str] | None = None, note: str | None = None, repo_path: str | None = None, passphrase: str | None = None, member_public_key_hex: str | None = None) -> OrgMember

Update a member's role or capabilities.

Parameters:

  • org_did (str) – The organization's DID.
  • member_did (str) – The member's DID to update.
  • role (str | None, default: None) – New role. If None, keeps current.
  • capabilities (list[str] | None, default: None) – New capabilities. If None, uses role defaults.
  • note (str | None, default: None) – Optional note.
  • member_public_key_hex (str | None, default: None) – Member's Ed25519 public key hex. Required when the member's identity is in a different registry.

Returns:

  • OrgMember – OrgMember with the updated role and capabilities.

Raises:

  • OrgError – If the member cannot be updated.

Examples:

updated = client.orgs.update_member(org.did, dev.did, role="admin")

list_members

list_members(org_did: str, include_revoked: bool = False, repo_path: str | None = None) -> list[OrgMember]

List all members of an organization.

Parameters:

  • org_did (str) – The organization's DID.
  • include_revoked (bool, default: False) – If True, includes revoked members.

Returns:

  • list[OrgMember] – List of OrgMember objects.

Raises:

  • OrgError – If the organization doesn't exist.

Examples:

members = client.orgs.list_members(org.did)

get_member

get_member(org_did: str, member_did: str, repo_path: str | None = None) -> OrgMember | None

Look up a specific member.

Parameters:

  • org_did (str) – The organization's DID.
  • member_did (str) – The member's DID to look up.

Returns:

  • OrgMember | None – OrgMember if found, or None.

Examples:

member = client.orgs.get_member(org.did, dev.did)
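
An access decision built on an OrgMember record has to combine role, capabilities, revoked and expires_at, and has to handle the None that get_member returns for an unknown DID. The following is an added example, not code from this SDK: MemberRecord is a local stand-in with the documented fields, parse_expiry and authorize are hypothetical helpers, the DIDs, RID and the "sign_commit" capability name are constructed placeholders, and treating a timestamp without an offset as UTC is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

KNOWN_ROLES = {"admin", "member", "readonly"}  # roles listed in the reference above

@dataclass
class MemberRecord:
    """Local stand-in carrying the documented OrgMember fields (not the SDK class)."""
    member_did: str
    role: str
    capabilities: list[str]
    issuer_did: str
    attestation_rid: str
    revoked: bool
    expires_at: Optional[str]

def parse_expiry(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; raises ValueError on malformed input."""
    if value.endswith(("Z", "z")):
        value = value[:-1] + "+00:00"  # fromisoformat() rejects "Z" before Python 3.11
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)  # assumption: no offset means UTC
    return parsed

def authorize(member: Optional[MemberRecord], capability: str, now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason). `now` must be timezone-aware; uncertain cases are denied."""
    if member is None:
        return False, "not a member"
    if member.revoked:
        return False, "membership revoked"
    if member.role not in KNOWN_ROLES:
        return False, "unknown role"
    if member.expires_at is not None:
        try:
            expiry = parse_expiry(member.expires_at)
        except ValueError:
            return False, "unparseable expires_at"
        if now >= expiry:
            return False, "membership expired"
    if capability not in member.capabilities:
        return False, "capability not granted"
    return True, "ok"

# Constructed sample record; every value here is a placeholder.
SAMPLE = MemberRecord("did:keri:EXAMPLE_MEMBER", "member", ["sign_commit"],
                      "did:keri:EXAMPLE_ORG", "rid-example", False, "2030-01-01T00:00:00Z")
```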