Remove permissions from a key without affecting existing roles or other permissions. Use this for privilege downgrades, removing temporary access, or plan changes that revoke specific capabilities. Permissions granted through roles remain unchanged.

Important: Changes take effect immediately with up to 30-second propagation across regions.

Required permissions:

- api.*.update_key (to update keys in any API)
- api.<api_id>.update_key (to update keys in a specific API)

See the API reference for the full HTTP endpoint documentation.
Usage
Flags
The key ID to remove permissions from. This is the database identifier returned from keys.createKey; do not confuse it with the actual API key string that users include in requests.

Comma-separated list of permission names to remove. You can specify permissions by slug or by permission ID. After removal, verification checks for these permissions will fail unless granted through roles.
Global Flags
| Flag | Type | Description |
|---|---|---|
| --root-key | string | Override root key ($UNKEY_ROOT_KEY) |
| --api-url | string | Override API base URL (default: https://api.unkey.com) |
| --config | string | Path to config file (default: ~/.unkey/config.toml) |
| --output | string | Output format. Use json for raw JSON |
Examples
Output
Default output shows the request ID with latency, followed by the remaining direct permissions on the key. With --output=json, the full response envelope is returned.
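
Because removal only touches permissions attached directly to the key, a permission that a role also grants keeps passing verification. The following is an added example, not code from the Unkey docs or CLI: a local model of that behaviour which reports which removed permissions are still effective through roles. The `Permission` and `Key` types, the function names and all sample IDs and slugs are constructed for illustration, and nothing here calls the Unkey API.

```python
# Added example: a local model of the removal semantics described on this page.
# All names and sample data are constructed; this does not call the Unkey API.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    id: str    # permission ID (constructed sample value)
    slug: str  # permission slug


@dataclass
class Key:
    direct: set = field(default_factory=set)   # permissions attached to the key itself
    roles: dict = field(default_factory=dict)  # role name -> set of Permission


def matches(perm, ref):
    """A reference may be either a slug or a permission ID."""
    return ref in (perm.slug, perm.id)


def remove_permissions(key, refs):
    """Drop matching direct permissions only; roles are left untouched."""
    key.direct = {p for p in key.direct if not any(matches(p, r) for r in refs)}
    return sorted(p.slug for p in key.direct)  # remaining direct permissions


def still_granted_via_roles(key, refs):
    """Map each removed reference to the roles that still grant it."""
    residual = {}
    for ref in refs:
        holders = sorted(name for name, perms in key.roles.items()
                         if any(matches(p, ref) for p in perms))
        if holders:
            residual[ref] = holders
    return residual


# Constructed sample: one key with two direct permissions and one role.
READ = Permission("perm_sample_1", "documents.read")
WRITE = Permission("perm_sample_2", "documents.write")
key = Key(direct={READ, WRITE}, roles={"editor": {WRITE}})

requested = ["documents.read", "perm_sample_2"]  # one slug, one ID
remaining = remove_permissions(key, requested)
residual = still_granted_via_roles(key, requested)
print("remaining direct:", remaining)
print("still effective via roles:", residual)
```

A non-empty residual map means the downgrade is incomplete until the listed roles are also removed from the key or stop granting that permission.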

