externalId, or retrieve key details for administrative purposes. Each key includes status, metadata, permissions, and usage limits.
Important: Set decrypt: true only in secure contexts to retrieve plaintext key values from recoverable keys.
Required permissions:
api.*.read_keyorapi.<api_id>.read_key(to read keys)api.*.read_apiorapi.<api_id>.read_api(to read the API)api.*.decrypt_keyorapi.<api_id>.decrypt_key(additionally required when using--decrypt)
See the API reference for the full HTTP endpoint documentation.
Usage
Flags
The API namespace whose keys you want to list. Returns all keys in this API, subject to pagination and filters.
Maximum number of keys to return per request. Balance between response size and number of pagination calls needed. Must be between 1 and 100.
Pagination cursor from a previous response to fetch the next page. Use when
hasMore: true in the previous response.Filter keys by external ID to find keys for a specific user or entity. Must exactly match the
externalId set during key creation.When true, includes the plaintext key value in the response. Only works for keys created with
recoverable: true. Requires the decrypt_key permission on the calling root key. Never enable this in user-facing applications.Experimental. Skip the cache and fetch keys directly from the database. Use this when you have just created a key and need to see it immediately, or when debugging cache consistency issues. This comes with a performance cost and should be used sparingly.
Global Flags
| Flag | Type | Description |
|---|---|---|
--root-key | string | Override root key ($UNKEY_ROOT_KEY) |
--api-url | string | Override API base URL (default: https://api.unkey.com) |
--config | string | Path to config file (default: ~/.unkey/config.toml) |
--output | string | Output format — use json for raw JSON |
Examples
Output
Default output shows the request ID with latency, followed by the list of keys:--output=json, the full response envelope including pagination is returned: