POST
/
v2
/
keys.addRoles
Go (SDK)
package main

import(
	"context"
	"os"
	unkey "github.com/unkeyed/sdks/api/go/v2"
	"github.com/unkeyed/sdks/api/go/v2/models/components"
	"log"
)

func main() {
    ctx := context.Background()

    s := unkey.New(
        unkey.WithSecurity(os.Getenv("UNKEY_ROOT_KEY")),
    )

    res, err := s.Keys.AddRoles(ctx, components.V2KeysAddRolesRequestBody{
        KeyID: "key_2cGKbMxRyIzhCxo1Idjz8q",
        Roles: []string{
            "<value 1>",
        },
    })
    if err != nil {
        log.Fatal(err)
    }
    if res.V2KeysAddRolesResponseBody != nil {
        // handle response
    }
}
{
  "meta": {
    "requestId": "req_123"
  },
  "data": [
    {
      "id": "role_1234567890abcdef",
      "name": "support.readonly",
      "description": "Provides read-only access for customer support representatives to view user accounts and support tickets",
      "permissions": [
        {
          "id": "perm_1234567890abcdef",
          "name": "users.read",
          "slug": "users-read",
          "description": "Allows reading user profile information and account details"
        }
      ]
    }
  ]
}

Authorizations

Authorization
string
header
required

Unkey uses API keys (root keys) for authentication. These keys authorize access to management operations in the API. To authenticate, include your root key in the Authorization header of each request:

Authorization: Bearer unkey_123

Root keys have specific permissions attached to them, controlling what operations they can perform. Key permissions follow a hierarchical structure with patterns like resource.resource_id.action (e.g., apis.*.create_key, apis.*.read_api). Security best practices:

  • Keep root keys secure and never expose them in client-side code
  • Use different root keys for different environments
  • Rotate keys periodically, especially after team member departures
  • Create keys with minimal necessary permissions following least privilege principle
  • Monitor key usage with audit logs.

Body

application/json
keyId
string
required

Specifies which key receives the additional roles using the database identifier returned from createKey. Do not confuse this with the actual API key string that users include in requests. Added roles supplement existing roles and permissions without replacing them. Role assignments take effect immediately but may take up to 30 seconds to propagate across all regions.

Required string length: 3 - 255
Example:

"key_2cGKbMxRyIzhCxo1Idjz8q"

roles
string[]
required

Assigns additional roles to the key through direct assignment to existing workspace roles. Operations are idempotent - adding existing roles has no effect and causes no errors.

All roles must already exist in the workspace - roles cannot be created automatically. Invalid roles cause the entire operation to fail atomically, ensuring consistent state.

Required array length: 1 - 100 elements

Specify the role by name.

Response

Roles added successfully. Returns all roles currently assigned to the key.

meta
object
required

Metadata object included in every API response. This provides context about the request and is essential for debugging, audit trails, and support inquiries. The requestId is particularly important when troubleshooting issues with the Unkey support team.

data
object[]
required

Complete list of all roles directly assigned to the key after the operation completes.

The response includes:

  • All roles now assigned to the key (both pre-existing and newly added)
  • Both ID and name of each role for easy reference

Important notes:

  • The response shows the complete current state after the addition
  • An empty array means the key has no roles assigned (unlikely after an add operation)
  • This only shows direct role assignments, not inherited or nested roles
  • Role permissions are not expanded in this response - use keys.getKey for full details