Replace all permissions on a key with the specified set in a single atomic operation. Use this to synchronize with external systems, reset permissions to a known state, or apply standardized permission templates. Permissions granted through roles remain unchanged. Important: Changes take effect immediately with up to 30-second propagation across regions. This is a complete replacement operation — all existing direct permissions not included in the provided list will be removed. Required permissions:Documentation Index
Fetch the complete documentation index at: https://unkey.com/docs/llms.txt
Use this file to discover all available pages before exploring further.
api.*.update_key(to update keys in any API)api.<api_id>.update_key(to update keys in a specific API)
See the API reference for the full HTTP endpoint documentation.
Usage
Flags
The key ID to set permissions on. This is the database identifier returned from
keys.createKey (e.g., key_2cGKbMxRyIzhCxo1Idjz8q). Do not confuse this with the actual API key string that users include in requests.Comma-separated list of permissions. Replaces all existing direct permissions with this new set. Providing an empty value removes all direct permissions from the key. Permissions granted through roles are not affected. Any permissions that do not already exist will be auto-created if your root key has sufficient permissions.
Global Flags
| Flag | Type | Description |
|---|---|---|
--root-key | string | Override root key ($UNKEY_ROOT_KEY) |
--api-url | string | Override API base URL (default: https://api.unkey.com) |
--config | string | Path to config file (default: ~/.unkey/config.toml) |
--output | string | Output format. Use json for raw JSON |
Examples
Output
Default output shows the request ID with latency, followed by the updated list of direct permissions on the key:--output=json, the full response envelope is returned: