keys

Create API key

Create a new API key for user authentication and authorization.

Use this endpoint when users sign up, upgrade subscription tiers, or need additional keys. Keys are cryptographically secure and unique to the specified API namespace.

Important: The key is returned only once. Store it immediately and provide it to your user, as it cannot be retrieved later.

Common use cases:

Generate keys for new user registrations
Create additional keys for different applications
Issue keys with specific permissions or limits

Required Permissions

Your root key needs one of:

api.*.create_key (create keys in any API)
api.<api_id>.create_key (create keys in specific API)

POST

keys.createKey

Go (SDK)

package main

import(
	"context"
	"os"
	unkey "github.com/unkeyed/sdks/api/go/v2"
	"github.com/unkeyed/sdks/api/go/v2/models/components"
	"log"
)

func main() {
    ctx := context.Background()

    s := unkey.New(
        unkey.WithSecurity(os.Getenv("UNKEY_ROOT_KEY")),
    )

    res, err := s.Keys.CreateKey(ctx, components.V2KeysCreateKeyRequestBody{
        APIID: "api_1234abcd",
        Prefix: unkey.String("prod"),
        Name: unkey.String("Payment Service Production Key"),
        ByteLength: unkey.Int64(24),
        ExternalID: unkey.String("user_1234abcd"),
        Meta: map[string]any{
            "plan": "enterprise",
            "featureFlags": map[string]any{
                "betaAccess": true,
                "concurrentConnections": 10,
            },
            "customerName": "Acme Corp",
            "billing": map[string]any{
                "tier": "premium",
                "renewal": "2024-12-31",
            },
        },
        Roles: []string{
            "api_admin",
            "billing_reader",
        },
        Permissions: []string{
            "documents.read",
            "documents.write",
            "settings.view",
        },
        Expires: unkey.Int64(1704067200000),
        Credits: &components.KeyCreditsData{
            Remaining: unkey.Int64(1000),
            Refill: &components.KeyCreditsRefill{
                Interval: components.IntervalDaily,
                Amount: 1000,
                RefillDay: unkey.Int64(15),
            },
        },
        Ratelimits: []components.RatelimitRequest{
            components.RatelimitRequest{
                Name: "requests",
                Limit: 100,
                Duration: 60000,
                AutoApply: unkey.Bool(true),
            },
            components.RatelimitRequest{
                Name: "heavy_operations",
                Limit: 10,
                Duration: 3600000,
            },
        },
    })
    if err != nil {
        log.Fatal(err)
    }
    if res.V2KeysCreateKeyResponseBody != nil {
        // handle response
    }
}

{
  "meta": {
    "requestId": "req_123"
  },
  "data": {
    "keyId": "key_2cGKbMxRyIzhCxo1Idjz8q",
    "key": "prod_2cGKbMxRjIzhCxo1IdjH3arELti7Sdyc8w6XYbvtcyuBowPT"
  }
}

Authorizations

Authorization

string

header

required

Unkey uses API keys (root keys) for authentication. These keys authorize access to management operations in the API. To authenticate, include your root key in the Authorization header of each request:

Authorization: Bearer unkey_123

Root keys have specific permissions attached to them, controlling what operations they can perform. Key permissions follow a hierarchical structure with patterns like resource.resource_id.action (e.g., apis.*.create_key, apis.*.read_api). Security best practices:

Keep root keys secure and never expose them in client-side code
Use different root keys for different environments
Rotate keys periodically, especially after team member departures
Create keys with minimal necessary permissions following least privilege principle
Monitor key usage with audit logs.

Body

application/json

Response

200

application/json

Successfully created a new API key. The response includes both the keyId (for reference in your system) and the full key string. IMPORTANT: This is the only time the complete key is available - it cannot be retrieved later. You must securely provide this key to your end user immediately.

The response is of type object.

Delete API keysDelete API keys permanently from user accounts or for cleanup purposes. Use this for user-requested key deletion, account deletion workflows, or cleaning up unused keys. Keys are immediately invalidated. Two modes: soft delete (default, preserves audit records) and permanent delete. **Important**: For temporary access control, use `updateKey` with `enabled: false` instead of deletion. **Required Permissions** Your root key must have one of the following permissions: - `api.*.delete_key` (to delete keys in any API) - `api.<api_id>.delete_key` (to delete keys in a specific API)

Go (SDK)

package main

import(
	"context"
	"os"
	unkey "github.com/unkeyed/sdks/api/go/v2"
	"github.com/unkeyed/sdks/api/go/v2/models/components"
	"log"
)

func main() {
    ctx := context.Background()

    s := unkey.New(
        unkey.WithSecurity(os.Getenv("UNKEY_ROOT_KEY")),
    )

    res, err := s.Keys.CreateKey(ctx, components.V2KeysCreateKeyRequestBody{
        APIID: "api_1234abcd",
        Prefix: unkey.String("prod"),
        Name: unkey.String("Payment Service Production Key"),
        ByteLength: unkey.Int64(24),
        ExternalID: unkey.String("user_1234abcd"),
        Meta: map[string]any{
            "plan": "enterprise",
            "featureFlags": map[string]any{
                "betaAccess": true,
                "concurrentConnections": 10,
            },
            "customerName": "Acme Corp",
            "billing": map[string]any{
                "tier": "premium",
                "renewal": "2024-12-31",
            },
        },
        Roles: []string{
            "api_admin",
            "billing_reader",
        },
        Permissions: []string{
            "documents.read",
            "documents.write",
            "settings.view",
        },
        Expires: unkey.Int64(1704067200000),
        Credits: &components.KeyCreditsData{
            Remaining: unkey.Int64(1000),
            Refill: &components.KeyCreditsRefill{
                Interval: components.IntervalDaily,
                Amount: 1000,
                RefillDay: unkey.Int64(15),
            },
        },
        Ratelimits: []components.RatelimitRequest{
            components.RatelimitRequest{
                Name: "requests",
                Limit: 100,
                Duration: 60000,
                AutoApply: unkey.Bool(true),
            },
            components.RatelimitRequest{
                Name: "heavy_operations",
                Limit: 10,
                Duration: 3600000,
            },
        },
    })
    if err != nil {
        log.Fatal(err)
    }
    if res.V2KeysCreateKeyResponseBody != nil {
        // handle response
    }
}

{
  "meta": {
    "requestId": "req_123"
  },
  "data": {
    "keyId": "key_2cGKbMxRyIzhCxo1Idjz8q",
    "key": "prod_2cGKbMxRjIzhCxo1IdjH3arELti7Sdyc8w6XYbvtcyuBowPT"
  }
}

Introduction

Endpoints

Create API key

Authorizations

Body

Response