keys

Verify API key

Verify an API key’s validity and permissions for request authentication.

Use this endpoint on every incoming request to your protected resources. It checks key validity, permissions, rate limits, and usage quotas in a single call.

Important: Always returns HTTP 200. Check the valid field in response data to determine if the key is authorized.

Common use cases:

Authenticate API requests before processing
Enforce permission-based access control
Track usage and apply rate limits

Required Permissions

Your root key needs one of:

api.*.verify_key (verify keys in any API)
api.<api_id>.verify_key (verify keys in specific API)

If you are getting a NOT_FOUND error, ensure your root key has the required verify key permissions.

POST

keys.verifyKey

Go (SDK)

package main

import(
	"context"
	"os"
	unkey "github.com/unkeyed/sdks/api/go/v2"
	"github.com/unkeyed/sdks/api/go/v2/models/components"
	"log"
)

func main() {
    ctx := context.Background()

    s := unkey.New(
        unkey.WithSecurity(os.Getenv("UNKEY_ROOT_KEY")),
    )

    res, err := s.Keys.VerifyKey(ctx, components.V2KeysVerifyKeyRequestBody{
        Key: "sk_1234abcdef",
        Tags: []string{
            "endpoint=/users/profile",
            "method=GET",
            "region=us-east-1",
            "clientVersion=2.3.0",
            "feature=premium",
        },
        Permissions: unkey.String("documents.read AND users.view"),
        Credits: &components.KeysVerifyKeyCredits{
            Cost: 5,
        },
        Ratelimits: []components.KeysVerifyKeyRatelimit{
            components.KeysVerifyKeyRatelimit{
                Name: "tokens",
                Cost: unkey.Int64(2),
                Limit: unkey.Int64(50),
                Duration: unkey.Int64(600000),
            },
        },
    })
    if err != nil {
        log.Fatal(err)
    }
    if res.V2KeysVerifyKeyResponseBody != nil {
        // handle response
    }
}

{
  "meta": {
    "requestId": "req_123"
  },
  "data": {
    "valid": true,
    "code": "VALID",
    "keyId": "<string>",
    "name": "<string>",
    "meta": {},
    "expires": 123,
    "credits": 123,
    "enabled": true,
    "permissions": [
      "<string>"
    ],
    "roles": [
      "<string>"
    ],
    "identity": {
      "id": "<string>",
      "externalId": "<string>",
      "meta": {},
      "ratelimits": [
        {
          "id": "rl_1234567890abcdef",
          "name": "api_requests",
          "limit": 1000,
          "duration": 3600000,
          "autoApply": true
        }
      ]
    },
    "ratelimits": [
      {
        "exceeded": true,
        "id": "rl_1234567890abcdef",
        "name": "api_requests",
        "limit": 1000,
        "duration": 3600000,
        "reset": 3600000,
        "remaining": 999,
        "autoApply": true
      }
    ]
  }
}

Authorizations

Authorization

string

header

required

Unkey uses API keys (root keys) for authentication. These keys authorize access to management operations in the API. To authenticate, include your root key in the Authorization header of each request:

Authorization: Bearer unkey_123

Root keys have specific permissions attached to them, controlling what operations they can perform. Key permissions follow a hierarchical structure with patterns like resource.resource_id.action (e.g., apis.*.create_key, apis.*.read_api). Security best practices:

Keep root keys secure and never expose them in client-side code
Use different root keys for different environments
Rotate keys periodically, especially after team member departures
Create keys with minimal necessary permissions following least privilege principle
Monitor key usage with audit logs.

Body

application/json

Response

200

application/json

Key verification process completed. This endpoint always returns HTTP 200 regardless of whether the key passed or failed verification. You must check the valid field in the response data to determine the actual verification result.

When verification succeeds, the response includes comprehensive information about the key including its current status, remaining credits, expiration time, associated permissions and roles, metadata, and any rate limiting information. This data enables your application to make informed authorization decisions and provide appropriate user experiences.

When verification fails, the response indicates the specific reason through the code field while setting valid to false. The failure codes help you handle different scenarios appropriately, such as directing users to renew expired keys, upgrade for more credits, or contact support for disabled keys.

The response also includes identity information when the key is associated with an identity, providing additional context about the key holder and any identity-specific rate limits or metadata that may apply to the verification.

The response is of type object.

Get API key by hashFind out what key this is. **Required Permissions** Your root key must have one of the following permissions for basic key information: - `api.*.read_key` (to read keys from any API) - `api.<api_id>.read_key` (to read keys from a specific API) If your rootkey lacks permissions but the key exists, we may return a 404 status here to prevent leaking the existance of a key to unauthorized clients. If you believe that a key should exist, but receive a 404, please double check your root key has the correct permissions.

Go (SDK)

package main

import(
	"context"
	"os"
	unkey "github.com/unkeyed/sdks/api/go/v2"
	"github.com/unkeyed/sdks/api/go/v2/models/components"
	"log"
)

func main() {
    ctx := context.Background()

    s := unkey.New(
        unkey.WithSecurity(os.Getenv("UNKEY_ROOT_KEY")),
    )

    res, err := s.Keys.VerifyKey(ctx, components.V2KeysVerifyKeyRequestBody{
        Key: "sk_1234abcdef",
        Tags: []string{
            "endpoint=/users/profile",
            "method=GET",
            "region=us-east-1",
            "clientVersion=2.3.0",
            "feature=premium",
        },
        Permissions: unkey.String("documents.read AND users.view"),
        Credits: &components.KeysVerifyKeyCredits{
            Cost: 5,
        },
        Ratelimits: []components.KeysVerifyKeyRatelimit{
            components.KeysVerifyKeyRatelimit{
                Name: "tokens",
                Cost: unkey.Int64(2),
                Limit: unkey.Int64(50),
                Duration: unkey.Int64(600000),
            },
        },
    })
    if err != nil {
        log.Fatal(err)
    }
    if res.V2KeysVerifyKeyResponseBody != nil {
        // handle response
    }
}

{
  "meta": {
    "requestId": "req_123"
  },
  "data": {
    "valid": true,
    "code": "VALID",
    "keyId": "<string>",
    "name": "<string>",
    "meta": {},
    "expires": 123,
    "credits": 123,
    "enabled": true,
    "permissions": [
      "<string>"
    ],
    "roles": [
      "<string>"
    ],
    "identity": {
      "id": "<string>",
      "externalId": "<string>",
      "meta": {},
      "ratelimits": [
        {
          "id": "rl_1234567890abcdef",
          "name": "api_requests",
          "limit": 1000,
          "duration": 3600000,
          "autoApply": true
        }
      ]
    },
    "ratelimits": [
      {
        "exceeded": true,
        "id": "rl_1234567890abcdef",
        "name": "api_requests",
        "limit": 1000,
        "duration": 3600000,
        "reset": 3600000,
        "remaining": 999,
        "autoApply": true
      }
    ]
  }
}

Introduction

Endpoints

Verify API key

Authorizations

Body

Response