Skip to main content
Replace all permissions on a key with the specified set in a single atomic operation. Use this to synchronize with external systems, reset permissions to a known state, or apply standardized permission templates. Permissions granted through roles remain unchanged. Important: Changes take effect immediately with up to 30-second edge propagation. This is a complete replacement operation — all existing direct permissions not included in the provided list will be removed. Required permissions:
  • api.*.update_key (to update keys in any API)
  • api.<api_id>.update_key (to update keys in a specific API)
See the API reference for the full HTTP endpoint documentation.

Usage

unkey api keys set-permissions [flags]

Flags

--key-id
string
required
The key ID to set permissions on. This is the database identifier returned from keys.createKey (e.g., key_2cGKbMxRyIzhCxo1Idjz8q). Do not confuse this with the actual API key string that users include in requests.
--permissions
string[]
required
Comma-separated list of permissions. Replaces all existing direct permissions with this new set. Providing an empty value removes all direct permissions from the key. Permissions granted through roles are not affected. Any permissions that do not already exist will be auto-created if your root key has sufficient permissions.

Global Flags

FlagTypeDescription
--root-keystringOverride root key ($UNKEY_ROOT_KEY)
--api-urlstringOverride API base URL (default: https://api.unkey.com)
--configstringPath to config file (default: ~/.unkey/config.toml)
--outputstringOutput format — use json for raw JSON

Examples

unkey api keys set-permissions --key-id=key_1234abcd --permissions=documents.read,documents.write,settings.view

Output

Default output shows the request ID with latency, followed by the updated list of direct permissions on the key: 
req_2c9a0jf23l4k567 (took 45ms)

[
  {
    "id": "perm_1234567890abcdef",
    "name": "documents.read",
    "slug": "documents.read"
  },
  {
    "id": "perm_abcdef1234567890",
    "name": "documents.write",
    "slug": "documents.write"
  },
  {
    "id": "perm_567890abcdef1234",
    "name": "settings.view",
    "slug": "settings.view"
  }
]
With --output=json, the full response envelope is returned: 
{
  "meta": {
    "requestId": "req_2c9a0jf23l4k567"
  },
  "data": [
    {
      "id": "perm_1234567890abcdef",
      "name": "documents.read",
      "slug": "documents.read"
    },
    {
      "id": "perm_abcdef1234567890",
      "name": "documents.write",
      "slug": "documents.write"
    },
    {
      "id": "perm_567890abcdef1234",
      "name": "settings.view",
      "slug": "settings.view"
    }
  ]
}
Last modified on March 26, 2026