> ## Documentation Index > Fetch the complete documentation index at: https://unkey.com/docs/llms.txt > Use this file to discover all available pages before exploring further. # List API keys > Retrieve a paginated list of API keys for dashboard and administrative interfaces. Use this to build key management dashboards, filter keys by user with `externalId`, or retrieve key details for administrative purposes. Each key includes status, metadata, permissions, and usage limits. **Important**: Set `decrypt: true` only in secure contexts to retrieve plaintext key values from recoverable keys. **Required Permissions** Your root key must have one of the following permissions for basic key listing: - `api.*.read_key` (to read keys from any API) - `api..read_key` (to read keys from a specific API) Additionally, you need read access to the API itself: - `api.*.read_api` or `api..read_api` Additional permission required for decrypt functionality: - `api.*.decrypt_key` or `api..decrypt_key` ## OpenAPI ````yaml https://spec.speakeasy.com/unkey/unkey/openapi-json-with-code-samples post /v2/apis.listKeys openapi: 3.1.0 info: description: >- Unkey's API provides programmatic access for all resources within our platform. ### Authentication # This API uses HTTP Bearer authentication with root keys. Most endpoints require specific permissions associated with your root key. When making requests, include your root key in the `Authorization` header: ``` Authorization: Bearer unkey_xxxxxxxxxxx ``` All responses follow a consistent envelope structure that separates operational metadata from actual data. This design provides several benefits: - Debugging: Every response includes a unique requestId for tracing issues - Consistency: Predictable response format across all endpoints - Extensibility: Easy to add new metadata without breaking existing integrations - Error Handling: Unified error format with actionable information ### Success Response Format: ```json { "meta": { "requestId": "req_123456" }, "data": { // Actual response data here } } ``` The meta object contains operational information: - `requestId`: Unique identifier for this request (essential for support) The data object contains the actual response data specific to each endpoint. ### Paginated Response Format: ```json { "meta": { "requestId": "req_123456" }, "data": [ // Array of results ], "pagination": { "cursor": "next_page_token", "hasMore": true } } ``` The pagination object appears on list endpoints and contains: - `cursor`: Token for requesting the next page - `hasMore`: Whether more results are available ### Error Response Format: ```json { "meta": { "requestId": "req_2c9a0jf23l4k567" }, "error": { "detail": "The resource you are attempting to modify is protected and cannot be changed", "status": 403, "title": "Forbidden", "type": "https://unkey.com/docs/errors/unkey/application/protected_resource" } } ``` Error responses include comprehensive diagnostic information: - `title`: Human-readable error summary - `detail`: Specific description of what went wrong - `status`: HTTP status code - `type`: Link to error documentation - `errors`: Array of validation errors (for 400 responses) This structure ensures you always have the context needed to debug issues and take corrective action. title: Unkey API version: 2.0.0 servers: - url: https://api.unkey.com security: - rootKey: [] tags: - description: Analytics query operations name: analytics - description: API management operations name: apis - description: Deployment operations name: deploy - description: Identity management operations name: identities - description: API key management operations name: keys - description: Health check operations name: liveness - description: Permission and role management operations name: permissions - description: Customer Portal session management name: portal - description: Rate limiting operations name: ratelimit paths: /v2/apis.listKeys: post: tags: - apis summary: List API keys description: > Retrieve a paginated list of API keys for dashboard and administrative interfaces. Use this to build key management dashboards, filter keys by user with `externalId`, or retrieve key details for administrative purposes. Each key includes status, metadata, permissions, and usage limits. **Important**: Set `decrypt: true` only in secure contexts to retrieve plaintext key values from recoverable keys. **Required Permissions** Your root key must have one of the following permissions for basic key listing: - `api.*.read_key` (to read keys from any API) - `api..read_key` (to read keys from a specific API) Additionally, you need read access to the API itself: - `api.*.read_api` or `api..read_api` Additional permission required for decrypt functionality: - `api.*.decrypt_key` or `api..decrypt_key` operationId: apis.listKeys requestBody: content: application/json: schema: $ref: '#/components/schemas/V2ApisListKeysRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/V2ApisListKeysResponseBody' description: > Successfully retrieved paginated keys. Use the pagination cursor for additional results when `hasMore: true`. '400': content: application/json: schema: $ref: '#/components/schemas/BadRequestErrorResponse' description: Bad request '401': content: application/json: schema: $ref: '#/components/schemas/UnauthorizedErrorResponse' description: Unauthorized '403': content: application/json: schema: $ref: '#/components/schemas/ForbiddenErrorResponse' description: Forbidden '404': content: application/json: schema: $ref: '#/components/schemas/NotFoundErrorResponse' description: Not Found '429': content: application/problem+json: schema: $ref: '#/components/schemas/TooManyRequestsErrorResponse' description: Too Many Requests '500': content: application/json: schema: $ref: '#/components/schemas/InternalServerErrorResponse' description: Internal server error security: - rootKey: [] x-codeSamples: - lang: go label: Go (SDK) source: "package main\n\nimport(\n\t\"context\"\n\t\"os\"\n\tunkey \"github.com/unkeyed/sdks/api/go/v2\"\n\t\"github.com/unkeyed/sdks/api/go/v2/models/components\"\n\t\"log\"\n)\n\nfunc main() {\n ctx := context.Background()\n\n s := unkey.New(\n unkey.WithSecurity(os.Getenv(\"UNKEY_ROOT_KEY\")),\n )\n\n res, err := s.Apis.ListKeys(ctx, components.V2ApisListKeysRequestBody{\n APIID: \"api_1234abcd\",\n Cursor: unkey.Pointer(\"key_1234abcd\"),\n ExternalID: unkey.Pointer(\"user_1234abcd\"),\n })\n if err != nil {\n log.Fatal(err)\n }\n if res.V2ApisListKeysResponseBody != nil {\n for {\n // handle items\n\n res, err = res.Next()\n\n if err != nil {\n // handle error\n }\n\n if res == nil {\n break\n }\n }\n }\n}" - lang: python label: Python (SDK) source: |- from unkey.py import Unkey with Unkey( root_key="", ) as unkey: res = unkey.apis.list_keys(api_id="api_1234abcd", limit=100, cursor="key_1234abcd", external_id="user_1234abcd", decrypt=False, revalidate_keys_cache=False) while res is not None: # Handle items res = res.next() - lang: typescript label: Typescript (SDK) source: |- import { Unkey } from "@unkey/api"; const unkey = new Unkey({ rootKey: process.env["UNKEY_ROOT_KEY"] ?? "", }); async function run() { const result = await unkey.apis.listKeys({ apiId: "api_1234abcd", cursor: "key_1234abcd", externalId: "user_1234abcd", }); for await (const page of result) { console.log(page); } } run(); components: schemas: V2ApisListKeysRequestBody: type: object required: - apiId properties: apiId: type: string minLength: 1 description: | The API namespace whose keys you want to list. Returns all keys in this API, subject to pagination and filters. example: api_1234abcd limit: type: integer description: | Maximum number of keys to return per request. Balance between response size and number of pagination calls needed. default: 100 minimum: 1 maximum: 100 cursor: type: string description: | Pagination cursor from previous response to fetch next page. Use when `hasMore: true` in previous response. example: key_1234abcd externalId: type: string minLength: 1 description: > Filter keys by external ID to find keys for a specific user or entity. Must exactly match the externalId set during key creation. example: user_1234abcd decrypt: type: boolean description: >- When true, attempts to include the plaintext key value in the response. SECURITY WARNING: - This requires special permissions on the calling root key - Only works for keys created with 'recoverable: true' - Exposes sensitive key material in the response - Should only be used in secure administrative contexts - Never enable this in user-facing applications default: false revalidateKeysCache: type: boolean default: false description: >- EXPERIMENTAL: Skip the cache and fetch the keys directly from the database. This ensures you see the most recent state, including keys created moments ago. Use this when: - You've just created a key and need to display it immediately - You need absolute certainty about the current key state - You're debugging cache consistency issues This parameter comes with a performance cost and should be used sparingly. additionalProperties: false V2ApisListKeysResponseBody: type: object required: - meta - data properties: meta: $ref: '#/components/schemas/Meta' data: $ref: '#/components/schemas/V2ApisListKeysResponseData' pagination: $ref: '#/components/schemas/Pagination' x-go-type-skip-optional-pointer: true x-go-type-skip-optional-pointer-with-omitzero: true additionalProperties: false BadRequestErrorResponse: type: object required: - meta - error properties: meta: $ref: '#/components/schemas/Meta' error: $ref: '#/components/schemas/BadRequestErrorDetails' description: >- Error response for invalid requests that cannot be processed due to client-side errors. This typically occurs when request parameters are missing, malformed, or fail validation rules. The response includes detailed information about the specific errors in the request, including the location of each error and suggestions for fixing it. When receiving this error, check the 'errors' array in the response for specific validation issues that need to be addressed before retrying. UnauthorizedErrorResponse: type: object required: - meta - error properties: meta: $ref: '#/components/schemas/Meta' error: $ref: '#/components/schemas/BaseError' description: >- Error response when authentication has failed or credentials are missing. This occurs when: - No authentication token is provided in the request - The provided token is invalid, expired, or malformed - The token format doesn't match expected patterns To resolve this error, ensure you're including a valid root key in the Authorization header. ForbiddenErrorResponse: type: object required: - meta - error properties: meta: $ref: '#/components/schemas/Meta' error: $ref: '#/components/schemas/BaseError' description: >- Error response when the provided credentials are valid but lack sufficient permissions for the requested operation. This occurs when: - The root key doesn't have the required permissions for this endpoint - The operation requires elevated privileges that the current key lacks - Access to the requested resource is restricted based on workspace settings To resolve this error, ensure your root key has the necessary permissions or contact your workspace administrator. NotFoundErrorResponse: type: object required: - meta - error properties: meta: $ref: '#/components/schemas/Meta' error: $ref: '#/components/schemas/BaseError' description: >- Error response when the requested resource cannot be found. This occurs when: - The specified resource ID doesn't exist in your workspace - The resource has been deleted or moved - The resource exists but is not accessible with current permissions To resolve this error, verify the resource ID is correct and that you have access to it. TooManyRequestsErrorResponse: type: object required: - meta - error properties: meta: $ref: '#/components/schemas/Meta' error: $ref: '#/components/schemas/BaseError' description: >- Error response when the client has sent too many requests in a given time period. This occurs when you've exceeded a rate limit or quota for the resource you're accessing. The rate limit resets automatically after the time window expires. To avoid this error: - Implement exponential backoff when retrying requests - Cache results where appropriate to reduce request frequency - Check the error detail message for specific quota information - Contact support if you need a higher quota for your use case InternalServerErrorResponse: type: object required: - meta - error properties: meta: $ref: '#/components/schemas/Meta' error: $ref: '#/components/schemas/BaseError' description: >- Error response when an unexpected error occurs on the server. This indicates a problem with Unkey's systems rather than your request. When you encounter this error: - The request ID in the response can help Unkey support investigate the issue - The error is likely temporary and retrying may succeed - If the error persists, contact Unkey support with the request ID Meta: type: object required: - requestId properties: requestId: description: >- A unique id for this request. Always include this ID when contacting support about a specific API request. This identifier allows Unkey's support team to trace the exact request through logs and diagnostic systems to provide faster assistance. example: req_123 type: string additionalProperties: false description: >- Metadata object included in every API response. This provides context about the request and is essential for debugging, audit trails, and support inquiries. The `requestId` is particularly important when troubleshooting issues with the Unkey support team. V2ApisListKeysResponseData: type: array maxItems: 100 items: $ref: '#/components/schemas/KeyResponseData' description: Array of API keys with complete configuration and metadata. Pagination: type: object properties: cursor: type: string minLength: 1 maxLength: 1024 description: | Opaque pagination token for retrieving the next page of results. Include this exact value in the cursor field of subsequent requests. Cursors are temporary and may expire after extended periods. example: eyJrZXkiOiJrZXlfMTIzNCIsInRzIjoxNjk5Mzc4ODAwfQ== hasMore: type: boolean description: | Indicates whether additional results exist beyond this page. When true, use the cursor to fetch the next page. When false, you have reached the end of the result set. example: true required: - hasMore additionalProperties: false description: >- Pagination metadata for list endpoints. Provides information necessary to traverse through large result sets efficiently using cursor-based pagination. BadRequestErrorDetails: allOf: - $ref: '#/components/schemas/BaseError' - type: object properties: errors: description: >- List of individual validation errors that occurred in the request. Each error provides specific details about what failed validation, where the error occurred in the request, and suggestions for fixing it. This granular information helps developers quickly identify and resolve multiple issues in a single request without having to make repeated API calls. items: $ref: '#/components/schemas/ValidationError' type: array required: - errors description: >- Extended error details specifically for bad request (400) errors. This builds on the BaseError structure by adding an array of individual validation errors, making it easy to identify and fix multiple issues at once. BaseError: properties: detail: description: >- A human-readable explanation specific to this occurrence of the problem. This provides detailed information about what went wrong and potential remediation steps. The message is intended to be helpful for developers troubleshooting the issue. example: Property foo is required but is missing. type: string status: description: >- HTTP status code that corresponds to this error. This will match the status code in the HTTP response. Common codes include `400` (Bad Request), `401` (Unauthorized), `403` (Forbidden), `404` (Not Found), `409` (Conflict), and `500` (Internal Server Error). example: 404 format: int type: integer title: description: >- A short, human-readable summary of the problem type. This remains constant from occurrence to occurrence of the same problem and should be used for programmatic handling. example: Not Found type: string type: description: >- A URI reference that identifies the problem type. This provides a stable identifier for the error that can be used for documentation lookups and programmatic error handling. When followed, this URI should provide human-readable documentation for the problem type. example: https://unkey.com/docs/errors/unkey/resource/not_found type: string required: - title - detail - status - type type: object additionalProperties: false description: >- Base error structure following Problem Details for HTTP APIs (RFC 7807). This provides a standardized way to carry machine-readable details of errors in HTTP response content. KeyResponseData: type: object properties: keyId: type: string minLength: 8 maxLength: 255 pattern: ^[a-zA-Z0-9_]+$ description: Unique identifier for this key. example: key_1234567890abcdef start: type: string minLength: 1 maxLength: 50 description: First few characters of the key for identification. example: sk_test_abc123 enabled: type: boolean description: Whether the key is enabled or disabled. example: true name: type: string maxLength: 255 description: Human-readable name for this key. example: Production API Key x-go-type-skip-optional-pointer: true x-go-type-skip-optional-pointer-with-omitzero: true meta: type: object additionalProperties: true maxProperties: 100 description: Custom metadata associated with this key. example: null x-go-type-skip-optional-pointer: true x-go-type-skip-optional-pointer-with-omitzero: true createdAt: type: integer format: int64 minimum: 0 maximum: 9223372036854776000 description: Unix timestamp in milliseconds when key was created. example: 1701425400000 updatedAt: type: integer format: int64 minimum: 0 maximum: 9223372036854776000 description: Unix timestamp in milliseconds when key was last updated. example: 1701425400000 x-go-type-skip-optional-pointer: true x-go-type-skip-optional-pointer-with-omitzero: true lastUsedAt: type: integer format: int64 minimum: 0 description: >- Unix timestamp in milliseconds when key was last used for verification. This is an approximated value, accurate to within 5 minutes. example: 1701425400000 x-go-type-skip-optional-pointer: true x-go-type-skip-optional-pointer-with-omitzero: true expires: type: integer format: int64 minimum: 0 maximum: 9223372036854776000 description: Unix timestamp in milliseconds when key expires (if set). example: 1735689600000 x-go-type-skip-optional-pointer: true x-go-type-skip-optional-pointer-with-omitzero: true permissions: type: array items: type: string description: List of permission slugs granted to this key. example: - documents.read - documents.write x-go-type-skip-optional-pointer: true x-go-type-skip-optional-pointer-with-omitzero: true roles: type: array items: type: string description: List of roles assigned to this key. example: - editor - viewer x-go-type-skip-optional-pointer: true x-go-type-skip-optional-pointer-with-omitzero: true credits: $ref: '#/components/schemas/KeyCreditsData' identity: $ref: '#/components/schemas/Identity' x-go-type-skip-optional-pointer: true x-go-type-skip-optional-pointer-with-omitzero: true plaintext: type: string description: Decrypted key value (only when decrypt=true). example: sk_test_abc123def456 x-go-type-skip-optional-pointer: true x-go-type-skip-optional-pointer-with-omitzero: true ratelimits: type: array maxItems: 50 items: $ref: '#/components/schemas/RatelimitResponse' x-go-type-skip-optional-pointer: true x-go-type-skip-optional-pointer-with-omitzero: true required: - keyId - start - createdAt - enabled additionalProperties: false ValidationError: additionalProperties: false properties: location: description: >- JSON path indicating exactly where in the request the error occurred. This helps pinpoint the problematic field or parameter. Examples include: - 'body.name' (field in request body) - 'body.items[3].tags' (nested array element) - 'path.apiId' (path parameter) - 'query.limit' (query parameter) Use this location to identify exactly which part of your request needs correction. type: string example: body.permissions[0].name message: description: >- Detailed error message explaining what validation rule was violated. This provides specific information about why the field or parameter was rejected, such as format errors, invalid values, or constraint violations. type: string example: Must be at least 3 characters long fix: description: >- A human-readable suggestion describing how to fix the error. This provides practical guidance on what changes would satisfy the validation requirements. Not all validation errors include fix suggestions, but when present, they offer specific remediation advice. type: string example: >- Ensure the name uses only alphanumeric characters, underscores, and hyphens required: - location - message type: object description: >- Individual validation error details. Each validation error provides precise information about what failed, where it failed, and how to fix it, enabling efficient error resolution. KeyCreditsData: type: object description: Credit configuration and remaining balance for this key. properties: remaining: type: - integer - 'null' format: int64 minimum: 0 maximum: 9223372036854776000 description: Number of credits remaining (null for unlimited). example: 1000 refill: $ref: '#/components/schemas/KeyCreditsRefill' x-go-type-skip-optional-pointer: true x-go-type-skip-optional-pointer-with-omitzero: true required: - remaining additionalProperties: false Identity: type: object properties: id: type: string description: Identity ID externalId: type: string description: External identity ID meta: type: object additionalProperties: true description: Identity metadata x-go-type-skip-optional-pointer: true x-go-type-skip-optional-pointer-with-omitzero: true ratelimits: type: array description: Identity ratelimits items: $ref: '#/components/schemas/RatelimitResponse' x-go-type-skip-optional-pointer: true x-go-type-skip-optional-pointer-with-omitzero: true required: - externalId - id RatelimitResponse: type: object properties: id: type: string minLength: 8 maxLength: 255 pattern: ^rl_[a-zA-Z0-9_]+$ description: Unique identifier for this rate limit configuration. example: rl_1234567890abcdef name: type: string minLength: 1 maxLength: 128 description: Human-readable name for this rate limit. example: api_requests limit: type: integer format: int64 minimum: 1 maximum: 1000000 description: Maximum requests allowed within the time window. example: 1000 duration: type: integer format: int64 minimum: 1000 maximum: 2592000000 description: Rate limit window duration in milliseconds. example: 3600000 autoApply: type: boolean description: >- Whether this rate limit was automatically applied when verifying the key. example: true required: - id - name - limit - duration - autoApply additionalProperties: false KeyCreditsRefill: type: object description: Configuration for automatic credit refill behavior. properties: interval: type: string enum: - daily - monthly x-speakeasy-unknown-values: allow description: How often credits are automatically refilled. example: daily amount: type: integer format: int64 minimum: 1 maximum: 9223372036854776000 description: Number of credits to add during each refill cycle. example: 1000 refillDay: type: integer minimum: 1 maximum: 31 description: > Day of the month for monthly refills (1-31). Only required when interval is 'monthly'. For days beyond the month's length, refill occurs on the last day of the month. example: 15 x-go-type-skip-optional-pointer: true x-go-type-skip-optional-pointer-with-omitzero: true required: - interval - amount additionalProperties: false securitySchemes: rootKey: bearerFormat: root key description: >- Unkey uses API keys (root keys) for authentication. These keys authorize access to management operations in the API. To authenticate, include your root key in the Authorization header of each request: ``` Authorization: Bearer unkey_123 ``` Root keys have specific permissions attached to them, controlling what operations they can perform. Key permissions follow a hierarchical structure with patterns like `resource.resource_id.action` (e.g., `apis.*.create_key`, `apis.*.read_api`). Security best practices: - Keep root keys secure and never expose them in client-side code - Use different root keys for different environments - Rotate keys periodically, especially after team member departures - Create keys with minimal necessary permissions following least privilege principle - Monitor key usage with audit logs. scheme: bearer type: http ````