keys

Set key roles

Replace all roles on a key with the specified set in a single atomic operation.

Use this to synchronize with external systems, reset roles to a known state, or apply standardized role templates. Direct permissions are never affected.

Important: Changes take effect immediately with up to 30-second edge propagation.

Required Permissions

Your root key must have one of the following permissions:

api.*.update_key (to update keys in any API)
api.<api_id>.update_key (to update keys in a specific API)

Side Effects

Invalidates the key cache for immediate effect, and makes role changes available for verification within 30 seconds across all regions.

POST

keys.setRoles

Go (SDK)

package main

import(
	"context"
	"os"
	unkey "github.com/unkeyed/sdks/api/go/v2"
	"github.com/unkeyed/sdks/api/go/v2/models/components"
	"log"
)

func main() {
    ctx := context.Background()

    s := unkey.New(
        unkey.WithSecurity(os.Getenv("UNKEY_ROOT_KEY")),
    )

    res, err := s.Keys.SetRoles(ctx, components.V2KeysSetRolesRequestBody{
        KeyID: "key_2cGKbMxRyIzhCxo1Idjz8q",
        Roles: []string{
            "<value 1>",
            "<value 2>",
            "<value 3>",
        },
    })
    if err != nil {
        log.Fatal(err)
    }
    if res.V2KeysSetRolesResponseBody != nil {
        // handle response
    }
}

{
  "meta": {
    "requestId": "req_123"
  },
  "data": [
    {
      "id": "role_1234567890abcdef",
      "name": "support.readonly",
      "description": "Provides read-only access for customer support representatives to view user accounts and support tickets",
      "permissions": [
        {
          "id": "perm_1234567890abcdef",
          "name": "users.read",
          "slug": "users-read",
          "description": "Allows reading user profile information and account details"
        }
      ]
    }
  ]
}

Authorizations

Authorization

string

header

required

Unkey uses API keys (root keys) for authentication. These keys authorize access to management operations in the API. To authenticate, include your root key in the Authorization header of each request:

Authorization: Bearer unkey_123

Root keys have specific permissions attached to them, controlling what operations they can perform. Key permissions follow a hierarchical structure with patterns like resource.resource_id.action (e.g., apis.*.create_key, apis.*.read_api). Security best practices:

Keep root keys secure and never expose them in client-side code
Use different root keys for different environments
Rotate keys periodically, especially after team member departures
Create keys with minimal necessary permissions following least privilege principle
Monitor key usage with audit logs.

Body

application/json

keyId

string

required

Specifies which key gets the complete role replacement using the database identifier returned from createKey. Do not confuse this with the actual API key string that users include in requests. This is a wholesale replacement operation that removes all existing roles not included in the request. Role changes take effect immediately but may take up to 30 seconds to propagate across all regions.

Required string length: 3 - 255

Example:

"key_2cGKbMxRyIzhCxo1Idjz8q"

roles

string[]

required

Replaces all existing role assignments with this complete list of roles. This is a wholesale replacement operation, not an incremental update like add/remove operations.

Providing an empty array removes all direct role assignments from the key. All roles must already exist in the workspace - roles cannot be created automatically. Invalid role references cause the entire operation to fail atomically, ensuring consistent state.

Maximum length: 100

Specify the role by name.

Response

Roles set successfully. Returns all roles currently assigned to the key.

meta

object

required

Metadata object included in every API response. This provides context about the request and is essential for debugging, audit trails, and support inquiries. The requestId is particularly important when troubleshooting issues with the Unkey support team.

Show child attributes

data

object[]

required

Complete list of all roles now directly assigned to the key after the set operation has completed.

The response includes:

The comprehensive, updated set of roles (reflecting the complete replacement)
Both ID and name for each role for easy reference

Important notes:

This response shows the final state after the complete replacement
If you provided an empty array in the request, this will also be empty
This only shows direct role assignments on the key
Role permissions are not expanded in this response - use keys.getKey for complete details
An empty array indicates the key now has no roles assigned at all

Show child attributes

Update key creditsUpdate credit quotas in response to plan changes, billing cycles, or usage purchases. Use this for user upgrades/downgrades, monthly quota resets, credit purchases, or promotional bonuses. Supports three operations: set, increment, or decrement credits. Set to null for unlimited usage. **Important**: Setting unlimited credits automatically clears existing refill configurations. **Required Permissions** Your root key must have one of the following permissions: - `api.*.update_key` (to update keys in any API) - `api.<api_id>.update_key` (to update keys in a specific API) **Side Effects** Credit updates remove the key from cache immediately. Setting credits to unlimited automatically clears any existing refill settings. Changes take effect instantly but may take up to 30 seconds to propagate to all edge regions.

Go (SDK)

package main

import(
	"context"
	"os"
	unkey "github.com/unkeyed/sdks/api/go/v2"
	"github.com/unkeyed/sdks/api/go/v2/models/components"
	"log"
)

func main() {
    ctx := context.Background()

    s := unkey.New(
        unkey.WithSecurity(os.Getenv("UNKEY_ROOT_KEY")),
    )

    res, err := s.Keys.SetRoles(ctx, components.V2KeysSetRolesRequestBody{
        KeyID: "key_2cGKbMxRyIzhCxo1Idjz8q",
        Roles: []string{
            "<value 1>",
            "<value 2>",
            "<value 3>",
        },
    })
    if err != nil {
        log.Fatal(err)
    }
    if res.V2KeysSetRolesResponseBody != nil {
        // handle response
    }
}

{
  "meta": {
    "requestId": "req_123"
  },
  "data": [
    {
      "id": "role_1234567890abcdef",
      "name": "support.readonly",
      "description": "Provides read-only access for customer support representatives to view user accounts and support tickets",
      "permissions": [
        {
          "id": "perm_1234567890abcdef",
          "name": "users.read",
          "slug": "users-read",
          "description": "Allows reading user profile information and account details"
        }
      ]
    }
  ]
}

Introduction

Endpoints

Set key roles

Authorizations

Body

Response