POST
/
v2
/
keys.getKey
Go (SDK)
package main

import(
	"context"
	"os"
	unkey "github.com/unkeyed/sdks/api/go/v2"
	"github.com/unkeyed/sdks/api/go/v2/models/components"
	"log"
)

func main() {
    ctx := context.Background()

    s := unkey.New(
        unkey.WithSecurity(os.Getenv("UNKEY_ROOT_KEY")),
    )

    res, err := s.Keys.GetKey(ctx, components.V2KeysGetKeyRequestBody{
        KeyID: "key_1234abcd",
    })
    if err != nil {
        log.Fatal(err)
    }
    if res.V2KeysGetKeyResponseBody != nil {
        // handle response
    }
}
{
  "meta": {
    "requestId": "req_123"
  },
  "data": {
    "keyId": "key_1234567890abcdef",
    "start": "sk_test_abc123",
    "enabled": true,
    "name": "Production API Key",
    "meta": null,
    "createdAt": 1701425400000,
    "updatedAt": 1701425400000,
    "expires": 1735689600000,
    "permissions": [
      "documents.read",
      "documents.write"
    ],
    "roles": [
      "editor",
      "viewer"
    ],
    "credits": {
      "remaining": 1000,
      "refill": {
        "interval": "daily",
        "amount": 1000,
        "refillDay": 15
      }
    },
    "identity": {
      "id": "<string>",
      "externalId": "<string>",
      "meta": {},
      "ratelimits": [
        {
          "id": "rl_1234567890abcdef",
          "name": "api_requests",
          "limit": 1000,
          "duration": 3600000,
          "autoApply": true
        }
      ]
    },
    "plaintext": "sk_test_abc123def456",
    "ratelimits": [
      {
        "id": "rl_1234567890abcdef",
        "name": "api_requests",
        "limit": 1000,
        "duration": 3600000,
        "autoApply": true
      }
    ]
  }
}

Authorizations

Authorization
string
header
required

Unkey uses API keys (root keys) for authentication. These keys authorize access to management operations in the API. To authenticate, include your root key in the Authorization header of each request:

Authorization: Bearer unkey_123

Root keys have specific permissions attached to them, controlling what operations they can perform. Key permissions follow a hierarchical structure with patterns like resource.resource_id.action (e.g., apis.*.create_key, apis.*.read_api). Security best practices:

  • Keep root keys secure and never expose them in client-side code
  • Use different root keys for different environments
  • Rotate keys periodically, especially after team member departures
  • Create keys with minimal necessary permissions following least privilege principle
  • Monitor key usage with audit logs.

Body

application/json
keyId
string
required

Specifies which key to retrieve using the database identifier returned from keys.createKey. Do not confuse this with the actual API key string that users include in requests. Key data includes metadata, permissions, usage statistics, and configuration but never the plaintext key value unless decrypt=true. Find this ID in creation responses, key listings, dashboard, or verification responses.

Required string length: 3 - 255
Example:

"key_1234abcd"

decrypt
boolean
default:false

Controls whether to include the plaintext key value in the response for recovery purposes. Only works for keys created with recoverable=true and requires the decrypt_key permission. Returned keys must be handled securely, never logged, cached, or stored insecurely.

Use only for legitimate recovery scenarios like user password resets or emergency access. Most applications should keep this false to maintain security best practices and avoid accidental key exposure. Decryption requests are audited and may trigger security alerts in enterprise environments.

Response

Successfully retrieved key information. When decrypt: true, includes plaintext key value for recoverable keys.

meta
object
required

Metadata object included in every API response. This provides context about the request and is essential for debugging, audit trails, and support inquiries. The requestId is particularly important when troubleshooting issues with the Unkey support team.

data
object
required