keyId or the actual key string.
Important: Set decrypt: true only in secure contexts to retrieve plaintext key values from recoverable keys.
Required permissions:
api.*.read_keyorapi.<api_id>.read_key(to read key information)api.*.decrypt_keyorapi.<api_id>.decrypt_key(additionally required when using--decrypt)
See the API reference for the full HTTP endpoint documentation.
Usage
Flags
The database identifier of the key to retrieve, returned from
keys.createKey. Do not confuse this with the actual API key string that users include in requests. Find this ID in creation responses, key listings, dashboard, or verification responses.Whether to include the plaintext key value in the response. Only works for keys created with
recoverable=true and requires the decrypt_key permission. Returned keys must be handled securely — never logged, cached, or stored insecurely.Global Flags
| Flag | Type | Description |
|---|---|---|
--root-key | string | Override root key ($UNKEY_ROOT_KEY) |
--api-url | string | Override API base URL (default: https://api.unkey.com) |
--config | string | Path to config file (default: ~/.unkey/config.toml) |
--output | string | Output format — use json for raw JSON |
Examples
Output
Default output shows the request ID with latency, followed by the key details:--output=json, the full response envelope is returned: