If you plan to encrypt your keys, please contact us at to flag you in.

The root key used for migrating must have the api.*.encrypt_key permission to encrypt keys.

Extracting keys from your current system is likely the hardest part. It depends on how your keys are stored and how you can access them. Some providers have APIs to list all keys, while others require you to manually export them, some can provide the real key, and some only provide a hashed version.

Regardless of how you get your keys, you will need to provide either the plaintext key or the hash, as well as other settings to Unkey via the migrations.createKeys endpoint.

Nodejs Example

const { createHash } = require("node:crypto")

function hash(key) {
  return {
    value: createHash("sha256").update(key).digest("base64"),
    variant: "sha256_base64",

const keys = [
    hash: hash("my-secret-key"),
    ownerId: "hello",
    apiId: "<UNKEY_API_ID>", // the id of the API you created
    //... other settings
    hash: hash("my-other-secret-key"),
    name: "name",
    apiId: "<UNKEY_API_ID>", // the id of the API you created
    //... other settings

fetch("", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    Authorization: "Bearer <UNKEY_ROOT_KEY>",
  body: JSON.stringify(keys)

Was this page helpful?