Retrieve details about a specific role including its assigned permissions. Use this to verify role configuration, check which permissions are currently assigned, or retrieve metadata for access review. Accepts either a role ID (starting with role_) or a role name.

Required permissions:
  • rbac.*.read_role (to read roles in any workspace)
See the API reference for the full HTTP endpoint documentation.

Usage

unkey api permissions get-role [flags]

Flags

--role  string  (required)
Role ID (starting with role_) or role name to retrieve. Must be 3-255 characters and contain only letters, numbers, dots, hyphens, underscores, colons, and asterisks. Returns complete role information including all assigned permissions.

Global Flags

Flag        Type    Description
--root-key  string  Override root key ($UNKEY_ROOT_KEY)
--api-url   string  Override API base URL (default: https://api.unkey.com)
--config    string  Path to config file (default: ~/.unkey/config.toml)
--output    string  Output format (use json for raw JSON)

Examples

unkey api permissions get-role --role=role_1234567890abcdef

Output

Default output shows the request ID with latency, followed by the role details:

req_2c9a0jf23l4k567 (took 45ms)

{
  "id": "role_1234567890abcdef",
  "name": "support.readonly",
  "description": "Provides read-only access for customer support representatives",
  "permissions": [
    {
      "id": "perm_abc123",
      "name": "tickets.read"
    }
  ]
}

With --output=json, the full response envelope is returned:

{
  "meta": {
    "requestId": "req_2c9a0jf23l4k567"
  },
  "data": {
    "id": "role_1234567890abcdef",
    "name": "support.readonly",
    "description": "Provides read-only access for customer support representatives",
    "permissions": [
      {
        "id": "perm_abc123",
        "name": "tickets.read"
      }
    ]
  }
}
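
The access-review use mentioned above, as an added example that is not part of Unkey's documentation or tooling: it checks a --role value against the documented length and character rule, then compares the permissions in a --output=json envelope with an expected set. BASELINE, valid_role_ref and review_role are hypothetical names, and SAMPLE reproduces the envelope shown above.

```python
import json
import re

# Length and character rule quoted from the --role flag description.
ROLE_RE = re.compile(r"[A-Za-z0-9._:*-]{3,255}")

# Constructed sample: the --output=json envelope shown on this page.
SAMPLE = """{"meta": {"requestId": "req_2c9a0jf23l4k567"},
 "data": {"id": "role_1234567890abcdef", "name": "support.readonly",
  "description": "Provides read-only access for customer support representatives",
  "permissions": [{"id": "perm_abc123", "name": "tickets.read"}]}}"""

# Hypothetical baseline: the permissions the review expects each role to hold.
BASELINE = {"support.readonly": {"tickets.read"}}


def valid_role_ref(ref):
    """True if ref satisfies the documented --role constraints."""
    return ROLE_RE.fullmatch(ref) is not None


def review_role(envelope_json, baseline):
    """Compare one get-role envelope against the baseline.

    Returns the permissions granted beyond the baseline ("unexpected")
    and the baseline permissions that are not granted ("missing").
    """
    envelope = json.loads(envelope_json)
    role = envelope["data"]
    granted = {p["name"] for p in role.get("permissions", [])}
    # A role absent from the baseline has every permission reported.
    expected = baseline.get(role["name"], set())
    return {
        "role": role["name"],
        "role_id": role["id"],
        "request_id": envelope["meta"]["requestId"],
        "unexpected": sorted(granted - expected),
        "missing": sorted(expected - granted),
    }


if __name__ == "__main__":
    # In practice the JSON is the command's stdout with --output=json.
    print(review_role(SAMPLE, BASELINE))
```

Keeping the request_id with each finding lets a reviewer tie the result back to the API call that produced it.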
Last modified on March 26, 2026