Skip to main content
POST
/
v2
/
keys.addPermissions
Go (SDK)
package main

import(
	"context"
	"os"
	unkey "github.com/unkeyed/sdks/api/go/v2"
	"github.com/unkeyed/sdks/api/go/v2/models/components"
	"log"
)

func main() {
    ctx := context.Background()

    s := unkey.New(
        unkey.WithSecurity(os.Getenv("UNKEY_ROOT_KEY")),
    )

    res, err := s.Keys.AddPermissions(ctx, components.V2KeysAddPermissionsRequestBody{
        KeyID: "key_2cGKbMxRyIzhCxo1Idjz8q",
        Permissions: []string{},
    })
    if err != nil {
        log.Fatal(err)
    }
    if res.V2KeysAddPermissionsResponseBody != nil {
        // handle response
    }
}
{
  "meta": {
    "requestId": "req_123"
  },
  "data": [
    {
      "id": "perm_1234567890abcdef",
      "name": "users.read",
      "slug": "users-read",
      "description": "Allows reading user profile information and account details"
    }
  ]
}

Authorizations

Authorization
string
header
required

Unkey uses API keys (root keys) for authentication. These keys authorize access to management operations in the API. To authenticate, include your root key in the Authorization header of each request:

Authorization: Bearer unkey_123

Root keys have specific permissions attached to them, controlling what operations they can perform. Key permissions follow a hierarchical structure with patterns like resource.resource_id.action (e.g., apis.*.create_key, apis.*.read_api). Security best practices:

  • Keep root keys secure and never expose them in client-side code
  • Use different root keys for different environments
  • Rotate keys periodically, especially after team member departures
  • Create keys with minimal necessary permissions following least privilege principle
  • Monitor key usage with audit logs.

Body

application/json
keyId
string
required

Specifies which key receives the additional permissions using the database identifier returned from keys.createKey. Do not confuse this with the actual API key string that users include in requests.

Required string length: 3 - 255
Example:

"key_2cGKbMxRyIzhCxo1Idjz8q"

permissions
string[]
required

Grants additional permissions to the key through direct assignment or automatic creation. Duplicate permissions are ignored automatically, making this operation idempotent.

Adding permissions never removes existing permissions or role-based permissions.

Any permissions that do not exist will be auto created if the root key has permissions, otherwise this operation will fail with a 403 error.

Required array length: 1 - 1000 elements

Specify the permission by its slug.

Minimum string length: 3

Response

Permissions added successfully. Returns all permissions currently assigned to the key.

meta
object
required

Metadata object included in every API response. This provides context about the request and is essential for debugging, audit trails, and support inquiries. The requestId is particularly important when troubleshooting issues with the Unkey support team.

data
object[]
required

Complete list of all permissions directly assigned to the key (including both newly added permissions and those that were already assigned).

This response includes:

  • All direct permissions assigned to the key (both pre-existing and newly added)
  • Both the permission ID and name for each permission

Important notes:

  • This list does NOT include permissions granted through roles
  • For a complete permission picture, use /v2/keys.getKey instead
  • An empty array indicates the key has no direct permissions assigned