Update key properties in response to plan changes, subscription updates, or account status changes.
Use this for user upgrades/downgrades, role modifications, or administrative changes. Supports partial updates - only specify fields you want to change. Set fields to null to clear them.
Important: Permissions and roles are replaced entirely. Use dedicated add/remove endpoints for incremental changes.
Required Permissions
Your root key must have one of the following permissions:
api.*.update_key (to update keys in any API)api.<api_id>.update_key (to update keys in a specific API)Side Effects
If you specify an externalId that doesn’t exist, a new identity will be automatically created and linked to the key. Permission updates will auto-create any permissions that don’t exist in your workspace. Changes take effect immediately but may take up to 30 seconds to propagate to all edge regions due to cache invalidation.
Unkey uses API keys (root keys) for authentication. These keys authorize access to management operations in the API. To authenticate, include your root key in the Authorization header of each request:
Authorization: Bearer unkey_123Root keys have specific permissions attached to them, controlling what operations they can perform. Key permissions follow a hierarchical structure with patterns like resource.resource_id.action (e.g., apis.*.create_key, apis.*.read_api).
Security best practices:
Specifies which key to update using the database identifier returned from createKey.
Do not confuse this with the actual API key string that users include in requests.
3 - 255"key_2cGKbMxRyIzhCxo1Idjz8q"
Sets a human-readable name for internal organization and identification. Omitting this field leaves the current name unchanged, while setting null removes it entirely. Avoid generic names like "API Key" when managing multiple keys per user or service.
1 - 255"Payment Service Production Key"
Links this key to a user or entity in your system for ownership tracking during verification. Omitting this field preserves the current association, while setting null disconnects the key from any identity. Essential for user-specific analytics, billing, and key management across multiple users. Supports letters, numbers, underscores, dots, and hyphens for flexible identifier formats.
1 - 255"user_912a841d"
Stores arbitrary JSON metadata returned during key verification. Omitting this field preserves existing metadata, while setting null removes all metadata entirely. Avoid storing sensitive data here as it's returned in verification responses. Large metadata objects increase verification latency and should stay under 10KB total size.
{
"plan": "enterprise",
"limits": {
"storage": "500GB",
"compute": "1000 minutes/month"
},
"features": ["analytics", "exports", "webhooks"],
"hasAcceptedTerms": true,
"billing": {
"cycle": "monthly",
"next_billing": "2024-01-15"
},
"preferences": { "timezone": "UTC", "notifications": true },
"lastBillingDate": "2023-10-15"
}Sets when this key automatically expires as a Unix timestamp in milliseconds. Verification fails with code=EXPIRED immediately after this time passes. Omitting this field preserves the current expiration, while setting null makes the key permanent.
Avoid setting timestamps in the past as they immediately invalidate the key. Keys expire based on server time, not client time, which prevents timezone-related issues. Active sessions continue until their next verification attempt after expiry.
0 <= x <= 41024448000001704067200000
Defines time-based rate limits that protect against abuse by controlling request frequency. Omitting this field preserves existing rate limits, while setting null removes all rate limits. Unlike credits which track total usage, rate limits reset automatically after each window expires. Multiple rate limits can control different operation types with separate thresholds and windows.
50Controls whether the key is currently active for verification requests.
When set to false, all verification attempts fail with code=DISABLED regardless of other settings.
Omitting this field preserves the current enabled status.
Useful for temporarily suspending access during billing issues, security incidents, or maintenance windows without losing key configuration.
true
100Assigns existing roles to this key for permission management through role-based access control. Roles must already exist in your workspace before assignment. During verification, all permissions from assigned roles are checked against requested permissions. Roles provide a convenient way to group permissions and apply consistent access patterns across multiple keys.
1 - 100["api_admin", "billing_reader"]1000Grants specific permissions directly to this key without requiring role membership.
Wildcard permissions like documents.* grant access to all sub-permissions including documents.read and documents.write.
Direct permissions supplement any permissions inherited from assigned roles.
3 - 100[
"documents.read",
"documents.write",
"settings.view"
]Controls usage-based limits for this key through credit consumption. Omitting this field preserves current credit settings, while setting null enables unlimited usage. Cannot configure refill settings when credits is null, and refillDay requires monthly interval. Essential for implementing usage-based pricing and subscription quotas.
Key updated successfully. Changes take effect immediately with up to 30-second edge propagation.
Metadata object included in every API response. This provides context about the request and is essential for debugging, audit trails, and support inquiries. The requestId is particularly important when troubleshooting issues with the Unkey support team.
Empty response object by design. A successful response indicates this operation was successfully executed.