keys

Reroll Key

Generate a new API key while preserving the configuration from an existing key.

This operation creates a fresh key with a new token while maintaining all settings from the original key:

Permissions and roles
Custom metadata
Rate limit configurations
Identity associations
Remaining credits
Recovery settings

Key Generation:

The system attempts to extract the prefix from the original key
If prefix extraction fails, the default API prefix is used
Key length follows the API’s default byte configuration (or 16 bytes if not specified)

Original Key Handling:

The original key will be revoked after the duration specified in expiration
Set expiration to 0 to revoke immediately
This allows for graceful key rotation with an overlap period

Common use cases include:

Rotating keys for security compliance
Issuing replacement keys for compromised credentials
Creating backup keys with identical permissions

Important: Analytics and usage metrics are tracked at both the key level AND identity level. If the original key has an identity, the new key will inherit it, allowing you to track usage across both individual keys and the overall identity.

Required Permissions

Your root key must have:

api.*.create_key or api.<api_id>.create_key
api.*.encrypt_key or api.<api_id>.encrypt_key (only when the original key is recoverable)

POST

keys.rerollKey

Go (SDK)

package main

import(
	"context"
	"os"
	unkey "github.com/unkeyed/sdks/api/go/v2"
	"github.com/unkeyed/sdks/api/go/v2/models/components"
	"log"
)

func main() {
    ctx := context.Background()

    s := unkey.New(
        unkey.WithSecurity(os.Getenv("UNKEY_ROOT_KEY")),
    )

    res, err := s.Keys.RerollKey(ctx, components.V2KeysRerollKeyRequestBody{
        KeyID: "key_2cGKbMxRyIzhCxo1Idjz8q",
        Expiration: 86400000,
    })
    if err != nil {
        log.Fatal(err)
    }
    if res.V2KeysRerollKeyResponseBody != nil {
        // handle response
    }
}

{
  "meta": {
    "requestId": "req_123"
  },
  "data": {
    "keyId": "key_2cGKbMxRyIzhCxo1Idjz8q",
    "key": "prod_2cGKbMxRjIzhCxo1IdjH3arELti7Sdyc8w6XYbvtcyuBowPT"
  }
}

Authorizations

Authorization

string

header

required

Unkey uses API keys (root keys) for authentication. These keys authorize access to management operations in the API. To authenticate, include your root key in the Authorization header of each request:

Authorization: Bearer unkey_123

Root keys have specific permissions attached to them, controlling what operations they can perform. Key permissions follow a hierarchical structure with patterns like resource.resource_id.action (e.g., apis.*.create_key, apis.*.read_api). Security best practices:

Keep root keys secure and never expose them in client-side code
Use different root keys for different environments
Rotate keys periodically, especially after team member departures
Create keys with minimal necessary permissions following least privilege principle
Monitor key usage with audit logs.

Body

application/json

keyId

string

required

The database identifier of the key to reroll.

This is the unique ID returned when creating or listing keys, NOT the actual API key token. You can find this ID in:

The response from keys.createKey
Key verification responses
The Unkey dashboard
API key listing endpoints

Required string length: 3 - 255

Example:

"key_2cGKbMxRyIzhCxo1Idjz8q"

expiration

integer

required

Duration in milliseconds until the ORIGINAL key is revoked, starting from now.

This parameter controls the overlap period for key rotation:

Set to 0 to revoke the original key immediately
Positive values keep the original key active for the specified duration
Allows graceful migration by giving users time to update their credentials

Common overlap periods:

Immediate revocation: 0
1 hour grace period: 3600000
24 hours grace period: 86400000
7 days grace period: 604800000
30 days grace period: 2592000000

Required range: 0 <= x <= 4102444800000

Example:

86400000

Response

Key rerolled successfully.

meta

object

required

Metadata object included in every API response. This provides context about the request and is essential for debugging, audit trails, and support inquiries. The requestId is particularly important when troubleshooting issues with the Unkey support team.

Show child attributes

data

object

required

Show child attributes

Set key permissionsReplace all permissions on a key with the specified set in a single atomic operation. Use this to synchronize with external systems, reset permissions to a known state, or apply standardized permission templates. Permissions granted through roles remain unchanged. **Important**: Changes take effect immediately with up to 30-second edge propagation. **Required Permissions** Your root key must have one of the following permissions: - `api.*.update_key` (to update keys in any API) - `api.<api_id>.update_key` (to update keys in a specific API) **Side Effects** Invalidates the key cache for immediate effect, and makes permission changes available for verification within 30 seconds across all regions.

Go (SDK)

package main

import(
	"context"
	"os"
	unkey "github.com/unkeyed/sdks/api/go/v2"
	"github.com/unkeyed/sdks/api/go/v2/models/components"
	"log"
)

func main() {
    ctx := context.Background()

    s := unkey.New(
        unkey.WithSecurity(os.Getenv("UNKEY_ROOT_KEY")),
    )

    res, err := s.Keys.RerollKey(ctx, components.V2KeysRerollKeyRequestBody{
        KeyID: "key_2cGKbMxRyIzhCxo1Idjz8q",
        Expiration: 86400000,
    })
    if err != nil {
        log.Fatal(err)
    }
    if res.V2KeysRerollKeyResponseBody != nil {
        // handle response
    }
}

{
  "meta": {
    "requestId": "req_123"
  },
  "data": {
    "keyId": "key_2cGKbMxRyIzhCxo1Idjz8q",
    "key": "prod_2cGKbMxRjIzhCxo1IdjH3arELti7Sdyc8w6XYbvtcyuBowPT"
  }
}

Introduction

Endpoints

Reroll Key

Authorizations

Body

Response