Unkey Deploy is currently in private beta. To get access, reach out on Discord or email support@unkey.com.
Configure API key authentication
To enable API key authentication for your deployment:
- Navigate to your project’s Settings page.
- Scroll to the Sentinel configurations section.
- Select one or more keyspaces to enforce.
- Save your changes.
401 response and never reach your app.
How verification works
The Sentinel extracts the API key from the Authorization header (as a Bearer token) and verifies it against your configured keyspaces. The following checks run in order:
- Existence. The key must belong to one of the configured keyspaces.
- Status. The key must not be disabled or revoked.
- Expiration. The key must not have passed its expiration timestamp.
- Credits. If remaining credits are configured, at least one credit must be available. Verification deducts one credit.
- Rate limits. All rate limit configurations attached to the key are evaluated. See rate limiting for details on response headers and behavior.
- Permissions. If a permission query is configured, the key must satisfy it.
X-Unkey-Principal header. See the API key source for the full list of fields your app receives, including roles, permissions, and key metadata.
Additional configuration
- Custom key locations: Extract keys from a custom header (for example, X-API-Key) or a query parameter instead of the Authorization header
- Permission queries: Enforce Unkey RBAC permissions in the Sentinel using AND/OR expressions (for example, api.keys.create AND billing.read)
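How a permission query like the one above can be evaluated against a key's permissions, as an added example (not Unkey's implementation and not code from this page). Assumptions: AND binds tighter than OR, parentheses group, names are matched exactly, and `satisfies` is a hypothetical helper; a malformed query raises an error instead of granting access.

```python
import re

# Assumed grammar (the page only shows "api.keys.create AND billing.read"):
#   expr := term ("OR" term)* ; term := atom ("AND" atom)* ; atom := NAME | "(" expr ")"
# Assumed name charset; names are compared exactly, with no wildcard expansion.
TOKEN = re.compile(r"\(|\)|[A-Za-z0-9_.:*-]+")

def satisfies(query, granted):
    """Return True if the granted permissions satisfy the AND/OR query."""
    if TOKEN.sub("", query).strip():
        raise ValueError("query contains unsupported characters")
    tokens = TOKEN.findall(query)
    granted, pos = set(granted), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1] if pos <= len(tokens) else None

    def atom():
        tok = take()
        if tok == "(":
            result = expr()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return result
        if tok in (None, ")", "AND", "OR"):
            raise ValueError(f"expected a permission name, got {tok!r}")
        return tok in granted

    def chain(operand, keyword, combine):
        result = operand()
        while peek() == keyword:
            take()
            rhs = operand()  # always parse the right side so every token is consumed
            result = combine(result, rhs)
        return result

    def term():
        return chain(atom, "AND", lambda a, b: a and b)

    def expr():
        return chain(term, "OR", lambda a, b: a or b)

    result = expr()
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r}")
    return result
```

A key for which `satisfies` returns False corresponds to the "Insufficient permissions" row in the error table.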
Error responses
| Scenario | Status | Description |
|---|---|---|
| No credentials provided | 401 | The request is missing an API key |
| Invalid, disabled, or expired key | 401 | The API key failed verification |
| Insufficient permissions | 403 | The key lacks required permissions |
| Rate limit exceeded | 429 | The key’s rate limit was exceeded |

