keys

Set key permissions

Replace all permissions on a key with the specified set in a single atomic operation.

Use this to synchronize with external systems, reset permissions to a known state, or apply standardized permission templates. Permissions granted through roles remain unchanged.

Important: Changes take effect immediately with up to 30-second edge propagation.

Required Permissions

Your root key must have one of the following permissions:

api.*.update_key (to update keys in any API)
api.<api_id>.update_key (to update keys in a specific API)

Side Effects

Invalidates the key cache for immediate effect, and makes permission changes available for verification within 30 seconds across all regions.

POST

keys.setPermissions

Go (SDK)

package main

import(
	"context"
	"os"
	unkey "github.com/unkeyed/sdks/api/go/v2"
	"github.com/unkeyed/sdks/api/go/v2/models/components"
	"log"
)

func main() {
    ctx := context.Background()

    s := unkey.New(
        unkey.WithSecurity(os.Getenv("UNKEY_ROOT_KEY")),
    )

    res, err := s.Keys.SetPermissions(ctx, components.V2KeysSetPermissionsRequestBody{
        KeyID: "key_2cGKbMxRyIzhCxo1Idjz8q",
        Permissions: []string{
            "<value 1>",
        },
    })
    if err != nil {
        log.Fatal(err)
    }
    if res.V2KeysSetPermissionsResponseBody != nil {
        // handle response
    }
}

{
  "meta": {
    "requestId": "req_123"
  },
  "data": [
    {
      "id": "perm_1234567890abcdef",
      "name": "users.read",
      "slug": "users-read",
      "description": "Allows reading user profile information and account details"
    }
  ]
}

Authorizations

Authorization

string

header

required

Unkey uses API keys (root keys) for authentication. These keys authorize access to management operations in the API. To authenticate, include your root key in the Authorization header of each request:

Authorization: Bearer unkey_123

Root keys have specific permissions attached to them, controlling what operations they can perform. Key permissions follow a hierarchical structure with patterns like resource.resource_id.action (e.g., apis.*.create_key, apis.*.read_api). Security best practices:

Keep root keys secure and never expose them in client-side code
Use different root keys for different environments
Rotate keys periodically, especially after team member departures
Create keys with minimal necessary permissions following least privilege principle
Monitor key usage with audit logs.

Body

application/json

keyId

string

required

Specifies which key receives the additional permissions using the database identifier returned from keys.createKey. Do not confuse this with the actual API key string that users include in requests.

Required string length: 3 - 255

Example:

"key_2cGKbMxRyIzhCxo1Idjz8q"

permissions

string[]

required

The permissions to set for this key.

This is a complete replacement operation - it overwrites all existing direct permissions with this new set.

Key behaviors:

Providing an empty array removes all direct permissions from the key
This only affects direct permissions - permissions granted through roles are not affected
All existing direct permissions not included in this list will be removed

Any permissions that do not exist will be auto created if the root key has permissions, otherwise this operation will fail with a 403 error.

Specify the permission by its slug.

Response

Permissions set successfully. Returns all permissions currently assigned to the key.

meta

object

required

Metadata object included in every API response. This provides context about the request and is essential for debugging, audit trails, and support inquiries. The requestId is particularly important when troubleshooting issues with the Unkey support team.

Show child attributes

data

object[]

required

Complete list of all permissions now directly assigned to the key after the set operation has completed.

The response includes:

The comprehensive, updated set of direct permissions (reflecting the complete replacement)
Both ID and name for each permission for easy reference

Important notes:

This only shows direct permissions, not those granted through roles
An empty array means the key has no direct permissions assigned
For a complete permission picture including roles, use keys.getKey instead

Show child attributes

Set key rolesReplace all roles on a key with the specified set in a single atomic operation. Use this to synchronize with external systems, reset roles to a known state, or apply standardized role templates. Direct permissions are never affected. **Important**: Changes take effect immediately with up to 30-second edge propagation. **Required Permissions** Your root key must have one of the following permissions: - `api.*.update_key` (to update keys in any API) - `api.<api_id>.update_key` (to update keys in a specific API) **Side Effects** Invalidates the key cache for immediate effect, and makes role changes available for verification within 30 seconds across all regions.

Go (SDK)

package main

import(
	"context"
	"os"
	unkey "github.com/unkeyed/sdks/api/go/v2"
	"github.com/unkeyed/sdks/api/go/v2/models/components"
	"log"
)

func main() {
    ctx := context.Background()

    s := unkey.New(
        unkey.WithSecurity(os.Getenv("UNKEY_ROOT_KEY")),
    )

    res, err := s.Keys.SetPermissions(ctx, components.V2KeysSetPermissionsRequestBody{
        KeyID: "key_2cGKbMxRyIzhCxo1Idjz8q",
        Permissions: []string{
            "<value 1>",
        },
    })
    if err != nil {
        log.Fatal(err)
    }
    if res.V2KeysSetPermissionsResponseBody != nil {
        // handle response
    }
}

{
  "meta": {
    "requestId": "req_123"
  },
  "data": [
    {
      "id": "perm_1234567890abcdef",
      "name": "users.read",
      "slug": "users-read",
      "description": "Allows reading user profile information and account details"
    }
  ]
}

Introduction

Endpoints

Set key permissions

Authorizations

Body

Response