api.*.update_key(to update keys in any API)api.<api_id>.update_key(to update keys in a specific API)
See the API reference for the full HTTP endpoint documentation.
Usage
Flags
The key ID to add roles to. This is the database identifier returned from
createKey — do not confuse it with the actual API key string that users include in requests. Added roles supplement existing roles and permissions without replacing them. Role assignments take effect immediately but may take up to 30 seconds to propagate across all regions.Comma-separated list of role names to add. Operations are idempotent — adding existing roles has no effect and causes no errors. All roles must already exist in the workspace; roles cannot be created automatically. Invalid roles cause the entire operation to fail atomically, ensuring consistent state.
Global Flags
| Flag | Type | Description |
|---|---|---|
--root-key | string | Override root key ($UNKEY_ROOT_KEY) |
--api-url | string | Override API base URL (default: https://api.unkey.com) |
--config | string | Path to config file (default: ~/.unkey/config.toml) |
--output | string | Output format — use json for raw JSON |
Examples
Output
Default output shows the request ID with latency, followed by the updated list of roles assigned to the key:--output=json, the full response envelope is returned: