Skip to main content
Almost all Unkey API endpoints require authentication using a root key. Root keys provide access to your Unkey resources based on their assigned permissions.

Bearer Authentication

Authentication is performed using HTTP Bearer authentication in the Authorization header:
Example request:

Security Best Practices

Never expose your root key in client-side code or include it in public repositories. For frontend applications, always use a backend server to proxy requests to the Unkey API.

Root Key Management

Root keys can be created and managed through the Unkey dashboard. We recommend:
  1. Using Different Keys for Different Environments: Maintain separate root keys for development, staging, and production
  2. Rotating Keys Regularly: Create new keys periodically and phase out old ones
  3. Setting Clear Key Names: Name your keys according to their use case for better manageability

Key Permissions System

Unkey implements a sophisticated RBAC (Role-Based Access Control) system for root keys. Permissions are defined as tuples of:
  • ResourceType: The category of resource (api, ratelimit, rbac, identity)
  • ResourceID: The specific resource instance
  • Action: The operation to perform on that resource

Available Resource Types

Permission Examples

Specific permission to manage a single API:
Wildcard permission to manage all rate limit namespaces:
When creating root keys, you can specify exactly what actions they’re allowed to perform.

Authentication Errors

If your authentication fails, you’ll receive a 401 Unauthorized or 403 Forbidden response with an error message:
If your key is valid but lacks sufficient permissions, you’ll receive a 403 Forbidden response:
Common authentication issues include:
  • Missing the Authorization header
  • Invalid key format
  • Revoked or expired root key
  • Using a key with insufficient permissions
Last modified on May 6, 2026