Unkey

unkey.com

Build better APIs faster

llms.txt

Unkey Docs

Unkey API development platform. Deploy and secure APIs instantly, route traffic through global gateways, and understand usage in one place.

Docs

Using Cursor with Unkey: Configure Cursor with Unkey documentation context to generate accurate key issuance, rate limiting, and verification code in your projects.
AI Code Gen with Unkey: Set up AI-powered code generation tools like Cursor, Windsurf, and the Unkey MCP server to build applications with Unkey APIs and SDKs faster.
Unkey MCP (Model Context Protocol): Use the Unkey MCP server to connect AI coding assistants to Unkey APIs. Manage API keys, rate limits, and permissions directly from your IDE.
Using Windsurf with Unkey: Set up Windsurf with Unkey documentation context to generate accurate API key verification, rate limiting, and authentication code in your apps.
Query key verification data: Execute custom SQL queries against your key verification analytics. For complete documentation including available tables, columns, data types, query examples, see the schema reference in the API documentation.
Create API namespace: Create an API namespace for organizing keys by environment, service, or product.
Delete API namespace: Permanently delete an API namespace and immediately invalidate all associated keys.
Get API namespace: Retrieve basic information about an API namespace including its ID and name.
List API keys: Retrieve a paginated list of API keys for dashboard and administrative interfaces.
Authentication: Authenticate your requests to the Unkey API using root keys passed as Bearer tokens in the Authorization header. Generate and manage root keys.
Create deployment: INTERNAL - This endpoint is internal and may change without notice. Not recommended for production use.
Get deployment: INTERNAL - This endpoint is internal and may change without notice. Not recommended for production use.
Error Handling: Handle Unkey API errors with structured error codes, HTTP status codes, and actionable messages. Includes retry strategies and examples.
Create Identity: Create an identity to group multiple API keys under a single entity. Identities enable shared rate limits and metadata across all associated keys.
Delete Identity: Permanently delete an identity. This operation cannot be undone.
Get Identity: Retrieve an identity by external ID. Returns metadata, rate limits, and other associated data.
List Identities: Get a paginated list of all identities in your workspace. Returns metadata and rate limit configurations.
Update Identity: Update an identity's metadata and rate limits. Only specified fields are modified - others remain unchanged.
Add key permissions: Add permissions to a key without affecting existing permissions.
Add key roles: Add roles to a key without affecting existing roles or permissions.
Create API key: Create a new API key for user authentication and authorization.
Delete API keys: Delete API keys permanently from user accounts or for cleanup purposes.
Get API key: Retrieve detailed key information for dashboard interfaces and administrative purposes.
Get API key by hash: Find out what key this is.
Migrate API key(s): Returns HTTP 200 even on partial success; hashes that could not be migrated are listed under data.failed.
Remove key permissions: Remove permissions from a key without affecting existing roles or other permissions.
Remove key roles: Remove roles from a key without affecting direct permissions or other roles.
Reroll Key: Generate a new API key while preserving the configuration from an existing key.
Set key permissions: Replace all permissions on a key with the specified set in a single atomic operation.
Set key roles: Replace all roles on a key with the specified set in a single atomic operation.
Update key credits: Update credit quotas in response to plan changes, billing cycles, or usage purchases.
Update key settings: Update key properties in response to plan changes, subscription updates, or account status changes.
Verify API key: Verify an API key's validity and permissions for request authentication.
Overview: Learn about the Unkey API design philosophy including RPC-style endpoints, consistent error handling, idempotent operations, and JSON responses.
Create permission: Create a new permission to define specific actions or capabilities in your RBAC system. Permissions can be assigned directly to API keys or included in roles.
Create role: Create a new role to group related permissions for easier management. Roles enable consistent permission assignment across multiple API keys.
Delete permission: Remove a permission from your workspace. This also removes the permission from all API keys and roles.
Delete role: Remove a role from your workspace. This also removes the role from all assigned API keys.
Get permission: Retrieve details about a specific permission including its name, description, and metadata.
Get role: Retrieve details about a specific role including its assigned permissions.
List permissions: Retrieve all permissions in your workspace. Results are paginated and sorted by their id.
List roles: Retrieve all roles in your workspace including their assigned permissions. Results are paginated and sorted by their id.
Create portal session: Create a short-lived session token for an end user to access the Customer Portal.
Exchange session token: Exchange a short-lived session token for a long-lived browser session.
Apply multiple rate limit checks: Check and enforce multiple rate limits in a single request for any identifiers (user IDs, IP addresses, API clients, etc.).
Apply rate limiting: Check and enforce rate limits for any identifier (user ID, IP address, API client, etc.).
Delete ratelimit override: Permanently remove a rate limit override. Affected identifiers immediately revert to the namespace default.
Get ratelimit override: Retrieve the configuration of a specific rate limit override by its identifier.
List ratelimit overrides: Retrieve a paginated list of all rate limit overrides in a namespace.
Set ratelimit override: Create or update a custom rate limit for specific identifiers, bypassing the namespace default.
RPC-Style API: Understand Unkey's RPC-style API design that uses action-oriented endpoints like verifyKey and createKey instead of REST resources.
Overview: Track every change to your API keys, permissions, and workspace configuration with Unkey audit logs. Filter by actor, event type, and time.
Event Types: Complete reference of all audit log event types in Unkey including key creation, deletion, verification, permission changes, and more.
Deploy with the CLI: Deploy a pre-built Docker image to Unkey with unkey deploy. Use from CI/CD pipelines, custom build systems, or your local machine.
CLI vs GitHub integration: Choose between deploying with unkey deploy and the GitHub integration. Understand the trade-offs in build control, automation, and CI/CD flexibility.
Deployment lifecycle: Understand the Unkey deployment lifecycle from queuing and building to deploying and domain assignment before your app serves traffic.
GitHub integration: Connect your GitHub repository for automatic deployments on every push. Configure branch mapping, fork protection, and deploy triggers.
Overview: Build, deploy, and serve your applications on Unkey infrastructure. Learn about the deployment pipeline, regions, and rollback options.
Regions: Deploy your application to multiple regions on Unkey and route traffic to the nearest location. Reduce latency with multi-region deployments.
Rollbacks & promotions: Revert to a previous deployment or promote a specific version to production with zero downtime. Manage rollbacks and promotions in Unkey.
Generate a Dockerfile with AI: Use this prompt with Claude Code, Cursor, or Windsurf to generate a Dockerfile and .dockerignore tuned for Unkey Deploy's runtime.
Builds: Learn how Unkey builds container images from your Dockerfile. Understand build caching, build arguments, and the container image pipeline.
get-verifications: Run custom SQL queries against your key verification analytics data using the Unkey CLI. Export results for billing, reporting, or debugging.
create-api: Create an API namespace in Unkey using the CLI. Organize your keys by environment, service, or product with a single terminal command.
delete-api: Permanently delete an API namespace and all its associated keys using the Unkey CLI. This action invalidates every key and cannot be undone.
get-api: Retrieve details about an API namespace using the Unkey CLI, including its ID, name, and associated workspace. Useful for scripting workflows.
list-keys: List all API keys in a namespace with the Unkey CLI. Retrieve paginated results including key IDs, metadata, and status for admin scripts.
login: Authenticate the Unkey CLI by storing your root key in a local configuration file. Run this command once to enable all CLI operations.
CLI authentication: Store your root key locally so the Unkey CLI authenticates automatically. Configure credentials once and run commands without manual tokens.
create-identity: Create an identity using the Unkey CLI to group multiple API keys under a single user, team, or organization entity in your workspace.
delete-identity: Permanently delete an identity using the Unkey CLI. Remove the entity and unlink all associated API keys for cleanup or compliance purposes.
get-identity: Retrieve an identity by external ID or internal ID using the Unkey CLI. View associated metadata, rate limits, and linked API key details.
list-identities: List all identities in your Unkey workspace using the CLI. Retrieve paginated results with metadata and linked key counts for each entity.
update-identity: Update an identity's metadata and rate limit configuration using the Unkey CLI. Modify entity properties without affecting linked API keys.
add-permissions: Add permissions to an API key using the Unkey CLI without removing existing permissions. Grant additional access rights with a single command.
add-roles: Add roles to an API key using the Unkey CLI without affecting existing roles or permissions. Expand access rights with a single command.
create-key: Create a new API key using the Unkey CLI with options for expiration, metadata, rate limits, roles, and permissions in a single command.
delete-key: Permanently delete an API key using the Unkey CLI. Revoke access immediately for compromised keys, user offboarding, or account cleanup.
get-key: Retrieve detailed information about an API key using the Unkey CLI including metadata, permissions, rate limits, and remaining credits.
migrate-keys: Migrate pre-hashed API keys from an existing provider into Unkey using the CLI. Import keys in bulk without invalidating user credentials.
remove-permissions: Remove specific permissions from an API key using the Unkey CLI without affecting other roles or permissions. Revoke granular access rights.
remove-roles: Remove specific roles from an API key using the Unkey CLI without affecting direct permissions or other assigned roles on the same key.
reroll-key: Generate a new API key string while preserving the existing key's configuration, permissions, and metadata using the Unkey CLI reroll command.
set-permissions: Replace all permissions on an API key with the Unkey CLI in a single atomic operation. Overwrite existing permissions with a new exact set.
set-roles: Replace all roles on an API key using the Unkey CLI in a single atomic operation. Overwrite existing role assignments with a new exact set.
update-credits: Update remaining credit quotas on an API key using the Unkey CLI. Adjust usage limits for plan changes, billing cycles, or purchased credits.
update-key: Update API key properties using the Unkey CLI. Change metadata, expiration, rate limits, remaining credits, or enabled status in one command.
verify-key: Verify an API key's validity and check permissions using the Unkey CLI. Test key verification locally before deploying authentication logic.
whoami: Look up API key details by providing the raw key string using the Unkey CLI whoami command. Identify which key ID a string belongs to.
CLI: Install and use the Unkey CLI to manage API keys, rate limits, permissions, and identities from your terminal. Supports all core operations.
create-permission: Create a new permission in your Unkey workspace using the CLI to define specific actions or capabilities for your RBAC authorization system.
create-role: Create a new role using the Unkey CLI to group related permissions together. Simplify access management by assigning roles instead of permissions.
delete-permission: Remove a permission from your Unkey workspace using the CLI. Delete unused permissions to keep your RBAC authorization model clean and current.
delete-role: Remove a role from your Unkey workspace using the CLI. Delete unused roles and automatically unlink them from all associated API keys.
get-permission: Retrieve details about a specific permission in your Unkey workspace using the CLI including its name, description, and creation date.
get-role: Retrieve details about a specific role using the Unkey CLI including its name, description, and list of assigned permissions for RBAC review.
list-permissions: List all permissions in your Unkey workspace using the CLI. View every permission defined in your RBAC system for auditing and management.
list-roles: List all roles in your Unkey workspace using the CLI, including their assigned permissions. Review your full RBAC configuration at a glance.
delete-override: Remove a rate limit override using the Unkey CLI so the affected identifier reverts to the namespace default. Clean up custom rate limits.
get-override: Retrieve the configuration of a rate limit override by identifier using the Unkey CLI. Inspect custom limits applied to specific users or keys.
limit: Check and enforce a rate limit for any identifier using the Unkey CLI. Test rate limiting behavior locally before deploying to production.
list-overrides: List all rate limit overrides in a namespace using the Unkey CLI. View paginated results of custom limits applied to specific identifiers.
multi-limit: Check and enforce multiple rate limits in a single request using the Unkey CLI. Apply concurrent limits for different scopes or time windows.
set-override: Create or update a custom rate limit override for a specific identifier using the Unkey CLI. Bypass namespace defaults for individual users.
Cloudflare Workers: Authenticate API keys in Cloudflare Workers with Unkey. A copy-paste recipe for low-latency, edge-based key verification using @unkey/api.
Endpoint-Specific Rate Limits: Apply different rate limits to different API endpoints using Unkey. Configure per-route limits with separate quotas for reads and writes.
Express Middleware: Build a reusable Express middleware for Unkey API key authentication. Verify keys automatically on every request with error handling.
FastAPI Authentication: Implement API key authentication in FastAPI using Unkey with a dependency injection pattern. Protect endpoints with automatic key verification.
Echo Framework Middleware: Build production-ready API key authentication middleware for the Go Echo framework using Unkey. Verify keys on every incoming request.
Gin Framework Middleware: Build production-ready API key authentication middleware for the Go Gin framework using Unkey. Verify keys with automatic error handling.
Go Standard Library Middleware: Build production-ready API key authentication middleware for Go's standard library net/http using Unkey. No external framework required.
Next.js API Routes: Protect your Next.js API routes with Unkey API key authentication. Copy-paste recipe for verifying keys in App Router route handlers.
Per-User Rate Limits: Apply different rate limits based on user subscription tiers using Unkey. Give free, pro, and enterprise users separate request quotas.
Tiered Subscriptions: Implement Free, Pro, and Enterprise subscription tiers with Unkey. Set different API key limits, rate limits, and permissions per plan.
Usage-Based Billing: Track API usage per customer for metered billing with Unkey. Use the remaining credits feature to count requests and enforce usage caps.
Environments: Configure isolated deployment environments in Unkey to separate production traffic from preview and staging builds with scoped settings.
Error Codes: Understand Unkey's structured error code system with categories for authentication, authorization, data, and application errors with fix guidance.
assertion_failed: A runtime assertion or invariant check failed in Unkey. Learn what causes this internal error and how to report it if you encounter it.
invalid_input: The client provided input that failed server-side validation. Review the error details to fix malformed fields, missing values, or bad types.
precondition_failed: A precondition check failed before the operation could proceed. Learn common causes like conflicting state or unmet resource requirements.
protected_resource: You attempted to modify or delete a resource with delete protection enabled. Disable protection in the dashboard before retrying the operation.
service_unavailable: An Unkey service is temporarily unavailable. Learn about automatic retries, backoff strategies, and how to check Unkey's system status page.
unexpected_error: An unhandled or unexpected error occurred in Unkey. Learn how to report this issue and what information to include for faster resolution.
key_not_found: The authentication key was not found in the Unkey database. This occurs when a key has been deleted, expired, or was never created. Verify the key.
malformed: Authentication credentials were incorrectly formatted. Check that your Bearer token or API key header follows the expected format for Unkey.
missing: Authentication credentials were not provided in the request. Add your root key as a Bearer token in the Authorization header for Unkey API calls.
portal_session_not_found: The provided portal session was not found, has expired, or has already been exchanged. Create a new session from your backend and redirect the user again.
portal_token_missing: A request to a portal-authenticated endpoint was made without a portal session token. Provide the session cookie or session header from the portal.
forbidden: The requested operation is not allowed for this entity in Unkey. Check your root key permissions or workspace access level and try again.
insufficient_permissions: The authenticated entity lacks sufficient permissions for the requested Unkey API operation. Add the required root key permission and retry.
key_disabled: The API key used for authentication is currently disabled in Unkey. Re-enable the key in the dashboard or create a new key to restore access.
workspace_disabled: The workspace associated with this request is disabled in Unkey. Contact support or check your billing status to restore workspace access.
analytics_connection_failed: The connection to the Unkey analytics database failed. Learn about retry strategies, timeout settings, and how to check analytics service status.
analytics_not_configured: Analytics is not configured for this workspace in Unkey. Request access to the analytics feature and ensure your workspace plan supports queries.
api_not_found: The requested API namespace was not found in Unkey. Verify the API ID is correct, the API exists in your workspace, and has not been deleted.
audit_log_not_found: The requested audit log entry was not found in Unkey. Verify the audit log ID is correct, and that the entry exists within your retention period.
identity_already_exists: An identity with this external ID already exists in your Unkey workspace. Use the existing identity or choose a different unique external ID.
identity_not_found: The requested identity was not found in Unkey. Verify the identity ID or external ID is correct and the identity exists in your workspace.
key_auth_not_found: The requested key authentication namespace was not found in Unkey. Verify the key auth ID is correct and exists within your workspace config.
key_not_found: The requested API key was not found in Unkey. Verify the key ID is correct, the key has not been deleted, and it belongs to your workspace.
key_space_not_found: The requested key space was not found in Unkey. Verify the key space ID is correct and that it exists within your workspace configuration.
migration_not_found: The requested key migration was not found in Unkey. Verify the migration ID is correct and the migration exists within your current workspace.
permission_already_exists: A permission with this slug already exists in your Unkey workspace. Use the existing permission or choose a different unique slug for the new one.
permission_not_found: The requested permission was not found in Unkey. Verify the permission ID is correct and it exists within your workspace's RBAC configuration.
portal_config_not_found: No portal configuration matched the provided slug for your workspace. Verify the slug or contact Unkey to provision a portal configuration.
project_not_found: The requested project was not found in Unkey. Verify the project ID is correct and that the project exists within your current workspace.
Ratelimit Namespace Gone: Returned when you reference a rate limit namespace that was previously deleted. Learn why this 410 Gone error occurs and how to resolve it.
ratelimit_namespace_not_found: The requested rate limit namespace was not found in Unkey. Verify the namespace ID or name is correct and the namespace has not been deleted.
ratelimit_override_not_found: The requested rate limit override was not found in Unkey. Verify the override identifier and namespace are correct and the override exists.
role_already_exists: A role with this name already exists in your Unkey workspace. Use the existing role or choose a different unique name when creating a new one.
role_not_found: The requested role was not found in Unkey. Verify the role ID is correct and the role has not been deleted from your workspace RBAC config.
workspace_not_found: The requested workspace was not found in Unkey. Verify the workspace ID is correct in your root key and that your workspace has not been deleted.
client_closed_request: The client cancelled the request before the Unkey server could finish processing. Learn about connection timeouts and how to increase them.
invalid_analytics_function: Your analytics query uses a SQL function not allowed for security reasons in Unkey. Review the list of supported aggregate and scalar functions.
invalid_analytics_query: Your SQL analytics query has a syntax error in Unkey. Review your query for typos, missing clauses, or invalid column names and try again.
invalid_analytics_query_type: Only SELECT queries are allowed for Unkey analytics. You attempted an INSERT, UPDATE, DELETE, or other unsupported write operation.
invalid_analytics_table: Your analytics query references a table that does not exist or is not accessible in Unkey. Check available tables in the schema reference.
missing_required_header: A required HTTP header is missing from your Unkey API request. Check the API reference for required headers like Authorization and Content-Type.
permissions_query_syntax_error: Your verifyKey permissions query contains invalid syntax or unsupported characters. Review the permissions query format and fix the expression.
query_range_exceeds_retention: Your query requests data older than your workspace's retention period in Unkey. Narrow the time range to stay within your plan's limits.
request_body_too_large: The request body exceeds the maximum allowed size limit for the Unkey API. Reduce your payload size or paginate large batch operations.
request_body_unreadable: The request body could not be read due to malformed JSON, encoding issues, or a dropped connection. Validate your payload format and retry.
request_timeout: The request exceeded the Unkey server timeout before processing could complete. Simplify your request, reduce payload size, or retry later.
query_quota_exceeded: You have exceeded your workspace's analytics query quota for the current time window in Unkey. Wait for the quota to reset or upgrade your plan.
workspace_rate_limited: Your workspace has exceeded the Unkey API rate limit for the current time window. Implement backoff and retry logic or upgrade your plan.
query_execution_timeout: Your analytics query exceeded the maximum execution time allowed by Unkey. Simplify the query, reduce the time range, or add filters.
query_memory_limit_exceeded: Your analytics query consumed more memory than Unkey allows. Reduce the result set size by narrowing filters, limiting rows, or simplifying joins.
query_rows_limit_exceeded: Your analytics query attempted to scan more rows than the Unkey limit allows. Add time range filters or WHERE clauses to reduce the scan scope.
Glossary: Definitions of key terms and concepts used throughout the Unkey platform including workspaces, keyspaces, keys, identities, rate limiting, and root keys.
What is Unkey?: Unkey is a globally distributed API platform that ships a Dockerfile to production with built-in key issuance, rate limiting, and analytics.
unkey-go: Reference for the unkey-go SDK. Create, verify, update, and revoke API keys programmatically from your Go applications and microservices.
Overview: Complete guide to using the Unkey Go SDK for issuing keys, verifying requests, and rate limiting in your Go applications and services.
Nuxt Module: Integrate Unkey API key authentication into your Nuxt application with the official Nuxt module. Protect server routes and API endpoints.
unkey.py: Reference for the unkey.py Python SDK. Create, verify, update, and revoke API keys programmatically from your Python application or service.
Overview: Complete guide to using the Unkey Python SDK for issuing keys, verifying requests, and rate limiting in your Python applications and APIs.
@unkey/api: Reference for the @unkey/api TypeScript SDK. Create, verify, update, and revoke API keys programmatically from your Node.js application.
@unkey/cache: Use @unkey/cache for type-safe, multi-tier caching in TypeScript. Compose memory, Cloudflare, and custom stores with automatic tiering.
@unkey/hono: Use the @unkey/hono middleware to authenticate API keys in your Hono.js application. Automatic key verification with typed context injection.
@unkey/nextjs: Use the @unkey/nextjs SDK to protect Next.js API routes and server actions with Unkey API key authentication. Includes withUnkey wrapper.
Overview: Complete guide to Unkey's TypeScript and JavaScript SDKs including @unkey/api, @unkey/hono, @unkey/nextjs, @unkey/cache, and @unkey/ratelimit.
Delete Override: Delete a rate limit override for a specific identifier using the @unkey/ratelimit SDK. Revert the identifier to namespace default limits.
Get Override: Retrieve the configuration of a specific rate limit override by identifier using the @unkey/ratelimit SDK. Check current custom limits.
List Overrides: List all rate limit overrides in a namespace using the @unkey/ratelimit SDK. Retrieve paginated results of custom limits for identifiers.
Rate Limit Overrides: Set custom rate limit overrides for specific identifiers using @unkey/ratelimit. Grant higher or lower limits per user, key, or tenant.
Set Override: Create or update a rate limit override for a specific identifier using the @unkey/ratelimit SDK. Bypass namespace defaults per user or key.
Ratelimit: Use the @unkey/ratelimit TypeScript SDK to add fast, globally distributed rate limiting to Node.js, Bun, Deno, and Cloudflare Workers — no Redis required.
Custom domains: Attach your own custom domain names to route production traffic to your Unkey deployments. Configure DNS records and TLS certificates.
Private networking: Enable secure service-to-service communication within your Unkey project using private networking. Route internal traffic without exposure.
Request lifecycle: Trace the full request lifecycle from when a request hits your URL through Sentinel policies, routing, and load balancing to your app.
WebSockets: Deploy WebSocket servers on Unkey with long-lived connections, no request timeouts, and Sentinel auth and rate limits applied to the upgrade.
Wildcard domains: Every Unkey deployment receives a wildcard *.unkey.app domain automatically. Access any deployment instantly without manual DNS setup.
Logs: View and filter runtime logs from your Unkey deployments. Search application output, debug errors, and monitor container stdout and stderr.
Metrics: Track requests per second, latency percentiles, and runtime resource usage for each Unkey deployment. Monitor performance with built-in metric charts.
Observability: Monitor your Unkey deployments with built-in observability tools including HTTP request logs, runtime application logs, and performance metrics.
Requests: Inspect every HTTP request passing through the Sentinel to your deployment. View headers, status codes, latency, and request body details.
Getting Started: Request access to Unkey Analytics and run your first SQL query against key verification data. Set up credentials and explore your data.
Overview: Query your API key verification data with SQL using Unkey Analytics. Run custom queries to analyze usage patterns, billing, and trends.
Query Examples: Common SQL query patterns for Unkey Analytics including daily verification counts, per-key usage, billing aggregations, and error rates.
Query Restrictions: Understand the limits, quotas, and permission requirements for running analytics queries in Unkey including row limits and time ranges.
Quick Reference: Quick lookup for common Unkey Analytics SQL patterns, available tables, aggregate functions, and filtering syntax for verification data.
Schema Reference: Complete reference of tables, columns, and data types available in Unkey Analytics. Explore the verification and key event data schemas.
Troubleshooting: Troubleshoot common Unkey Analytics issues including query timeouts, permission errors, missing data, memory limits, and syntax errors.
Example: Walk through a realistic RBAC example showing how to define roles, assign permissions to API keys, and verify access in your application.
Authorization Overview: Control what each API key can access using role-based access control (RBAC). Assign roles and fine-grained permissions to your keys.
Roles and Permissions: Create and manage RBAC roles and permissions in Unkey to control what each API key can access. Assign roles via dashboard, API, or SDK.
Verifying Permissions: Verify that an API key has the required permissions during key verification. Use permission queries to enforce fine-grained access control.
Disabling Keys: Temporarily disable API keys without deleting them. Disabled keys fail verification immediately and can be re-enabled at any time in Unkey.
Environments: Separate your API keys into live and test environments in Unkey. Isolate production traffic from development with environment-scoped keys.
Key Rate Limits: Attach rate limits directly to individual API keys in Unkey. Configure request limits, refill intervals, and burst allowances per key.
Auto-Refill: Automatically restore usage credits for API keys on a daily or monthly schedule. Configure auto-refill amounts and intervals in Unkey.
Usage Limits (Credits): Set usage limits on API keys to cap the total number of requests. Unkey automatically enforces credit-based quotas and blocks excess usage.
Key Rerolling: Rotate API keys in Unkey while preserving their configuration, permissions, and metadata. Set grace periods for seamless key transitions.
Key Revocation: Revoke API keys instantly by deleting or disabling them in Unkey. Revoked keys fail verification immediately with no propagation delay.
Temporary Keys: Create temporary API keys that automatically expire after a set duration. Use expiring keys for trials, short-lived sessions, or demos.
IP Whitelisting: Restrict API key usage to specific IP addresses or CIDR ranges. Add an IP whitelist to keys for network-level access control in Unkey.
API Keys: Issue, verify, and manage API keys at any scale with Unkey. Explore key creation, verification, rotation, and access control features.
Keys: API keys are credentials your users include in requests. Unkey handles creation, verification, rotation, revocation, and metadata.
Overview: Migrate your existing API keys to Unkey without downtime or user disruption. Import pre-hashed keys and preserve your current key format.
Migrate keys to Unkey: Follow this step-by-step guide to import existing API keys into an Unkey keyspace. Migrate pre-hashed keys from any provider while keeping them valid.
Keyspaces: A keyspace in Unkey groups related keys, configuration, and analytics. Learn how to create and manage keyspaces within your workspace.
Apps: An app is a deployable service within an Unkey project. Each app has its own environments, build configuration, runtime settings, and domain routing.
App settings: Configure build, runtime, and advanced settings for an app. Settings are scoped per environment and take effect on the next deployment.
Overview: Group multiple API keys under a single identity like a user, team, or organization. Manage shared configuration and rate limits in Unkey.
Shared Rate Limits: Share rate limits across multiple API keys using Unkey identities. Enforce a single quota for all keys belonging to the same entity.
Instances: Understand instances in Unkey, running container replicas of your app deployed to specific regions with automatic scaling and routing.
Projects: A project in Unkey organizes deployments, environments, and configuration for a single codebase. Learn how to create and manage them.
Settings: Configure project settings in Unkey including build commands, environment variables, domains, and production branch per app and environment.
Automated Overrides: Manage rate limit overrides programmatically through the Unkey API or SDK. Automate dynamic limits based on user plans or usage tiers.
How rate limiting works: Learn how Unkey's distributed rate limiting works, what response fields mean, and what consistency to expect across regions.
Overview: Protect any API endpoint from abuse with Unkey's distributed rate limiting. No infrastructure required, just a single API call.
Custom Overrides: Create custom rate limit overrides for specific users or identifiers in Unkey. Grant higher or lower limits without changing your code.
Overview: Create and manage root keys for programmatic access to the Unkey API. Root keys authenticate CLI tools, SDKs, and server-side requests.
Permissions: Complete reference of all root key permissions in Unkey. Control which API operations each root key can perform across your workspace.
Overview: Learn how the Sentinel reverse proxy authenticates incoming requests and forwards verified identity information to your application.
Sentinel: A Sentinel is a reverse proxy that sits in front of your deployment, enforcing policies on every request before it reaches your app.
API key authentication: Configure the Sentinel to verify Unkey API keys on incoming requests and forward the authenticated identity and metadata to your app.
Firewall: Block unwanted HTTP requests before they reach your app using Sentinel firewall rules. Filter traffic by path, method, header, or query parameter.
Logging: Enable request and response logging through the Sentinel for debugging and observability. Record full HTTP headers, bodies, and metadata.
OpenAPI validation: Validate incoming HTTP requests against your OpenAPI specification using the Sentinel. Reject malformed requests before they reach your app.
Policies: Policies are configurable rules the Sentinel evaluates on every request. Combine authentication, rate limiting, IP rules, and more.
Rate limiting: Enforce rate limits on matching routes using the Sentinel reverse proxy. Configure limits per route pattern with no application code changes.
Framework examples: Code examples for reading the Sentinel Principal object in Hono, Next.js, Express, and Go. Parse the forwarded identity in your framework.
Local development: Test your application's Principal header handling locally without running a Sentinel. Mock the identity object for local development and testing.
Principal: The Principal is the verified identity object the Sentinel produces after authentication and forwards to your application via headers.
API key: Reference for Principal fields produced by Sentinel API key authentication including key ID, owner, permissions, and custom metadata.
Variables: Manage encrypted environment variables in Unkey. Inject key-value pairs into your app at runtime, scoped by environment for each deploy.
Billing: Manage your Unkey workspace billing, subscription plans, payment methods, and invoices. View usage and upgrade or downgrade your plan.
Overview: A workspace is the top-level container in Unkey that holds your projects, apps, API keys, billing, and team member access controls.
Limits: Review the default limits enforced on your Unkey workspace including API key count, rate limit namespaces, and monthly active key caps.
Settings: Configure your Unkey workspace name, manage team members, rotate root keys, and update billing settings from the workspace dashboard.
Team members: Invite team members to your Unkey workspace, assign roles, and manage access permissions. Control who can view and modify your resources.
Bun: Add API key authentication to your Bun server with Unkey. Verify keys on each request to protect your endpoints in a few lines of code.
Express: Add API key authentication to your Express API using Unkey. Protect routes by verifying keys on every incoming request with minimal setup.
Go: Add API key authentication to your Go application using the Unkey Go SDK. Verify keys on each request to protect your API endpoints.
Hono: Add API key authentication to your Hono application using Unkey middleware. Protect routes with automatic key verification on requests.
Next.js: Add API key authentication to your Next.js API routes using Unkey. Verify keys in route handlers to protect your server-side endpoints.
Python: Add API key authentication to your Python application with the Unkey Python SDK. Verify keys on each request to secure your API routes.
Deploy your first app: Deploy your first application on Unkey from a GitHub repository. Connect your repo, configure build settings, and go live in minutes.
Shared Rate Limits: Create your first identity in Unkey and attach shared rate limits across multiple API keys. Group keys by user, team, or organization.
Customer Portal: Give your end users a white-labeled self-service portal for API key management, usage analytics, and docs, with a Stripe-style session auth flow.
Quickstart: Get started with Unkey in under 5 minutes. Create a keyspace, issue your first API key, and verify it with a simple HTTP request.
Bun: Step-by-step Bun rate limiting tutorial using @unkey/ratelimit. Build a Bun HTTP server that throttles abusive clients with no Redis required.
Express: Step-by-step Express.js rate limiting tutorial with @unkey/ratelimit. Set per-route limits, return 429 responses, and skip the Redis dependency.
Hono: Step-by-step Hono rate limiting tutorial with @unkey/ratelimit. Protect routes on Node.js, Bun, or Cloudflare Workers without running Redis.
Next.js: Step-by-step Next.js rate limiting tutorial with @unkey/ratelimit. Throttle API routes and return 429 responses without provisioning Redis.
Delete Protection: Enable delete protection on Unkey resources to prevent accidental deletion. Protected resources require you to disable protection before removal.
GitHub Secret Scanning: Unkey partners with GitHub Secret Scanning to detect leaked root keys in public repositories. Learn how automatic revocation keeps you safe.
Overview: Learn how Unkey protects your API keys and data with encryption at rest, secure key hashing, workspace isolation, and access controls.
Recovering Keys: Understand how Unkey handles key visibility after creation. Learn about key hashing, why keys cannot be shown again, and recovery options.