> ## Documentation Index > Fetch the complete documentation index at: https://unkey.com/docs/llms.txt > Use this file to discover all available pages before exploring further. # Create API key > Create a new API key for user authentication and authorization. Use this endpoint when users sign up, upgrade subscription tiers, or need additional keys. Keys are cryptographically secure and unique to the specified API namespace. **Important**: The key is returned only once. Store it immediately and provide it to your user, as it cannot be retrieved later. **Common use cases:** - Generate keys for new user registrations - Create additional keys for different applications - Issue keys with specific permissions or limits **Required Permissions** Your root key needs one of: - `api.*.create_key` (create keys in any API) - `api..create_key` (create keys in specific API) ## OpenAPI ````yaml https://spec.speakeasy.com/unkey/unkey/openapi-json-with-code-samples post /v2/keys.createKey openapi: 3.1.0 info: description: >- Unkey's API provides programmatic access for all resources within our platform. ### Authentication # This API uses HTTP Bearer authentication with root keys. Most endpoints require specific permissions associated with your root key. When making requests, include your root key in the `Authorization` header: ``` Authorization: Bearer unkey_xxxxxxxxxxx ``` All responses follow a consistent envelope structure that separates operational metadata from actual data. This design provides several benefits: - Debugging: Every response includes a unique requestId for tracing issues - Consistency: Predictable response format across all endpoints - Extensibility: Easy to add new metadata without breaking existing integrations - Error Handling: Unified error format with actionable information ### Success Response Format: ```json { "meta": { "requestId": "req_123456" }, "data": { // Actual response data here } } ``` The meta object contains operational information: - `requestId`: Unique identifier for this request (essential for support) The data object contains the actual response data specific to each endpoint. ### Paginated Response Format: ```json { "meta": { "requestId": "req_123456" }, "data": [ // Array of results ], "pagination": { "cursor": "next_page_token", "hasMore": true } } ``` The pagination object appears on list endpoints and contains: - `cursor`: Token for requesting the next page - `hasMore`: Whether more results are available ### Error Response Format: ```json { "meta": { "requestId": "req_2c9a0jf23l4k567" }, "error": { "detail": "The resource you are attempting to modify is protected and cannot be changed", "status": 403, "title": "Forbidden", "type": "https://unkey.com/docs/errors/unkey/application/protected_resource" } } ``` Error responses include comprehensive diagnostic information: - `title`: Human-readable error summary - `detail`: Specific description of what went wrong - `status`: HTTP status code - `type`: Link to error documentation - `errors`: Array of validation errors (for 400 responses) This structure ensures you always have the context needed to debug issues and take corrective action. title: Unkey API version: 2.0.0 servers: - url: https://api.unkey.com security: - rootKey: [] tags: - description: Analytics query operations name: analytics - description: API management operations name: apis - description: Deployment operations name: deploy - description: Identity management operations name: identities - description: API key management operations name: keys - description: Health check operations name: liveness - description: Permission and role management operations name: permissions - description: Customer Portal session management name: portal - description: Rate limiting operations name: ratelimit paths: /v2/keys.createKey: post: tags: - keys summary: Create API key description: > Create a new API key for user authentication and authorization. Use this endpoint when users sign up, upgrade subscription tiers, or need additional keys. Keys are cryptographically secure and unique to the specified API namespace. **Important**: The key is returned only once. Store it immediately and provide it to your user, as it cannot be retrieved later. **Common use cases:** - Generate keys for new user registrations - Create additional keys for different applications - Issue keys with specific permissions or limits **Required Permissions** Your root key needs one of: - `api.*.create_key` (create keys in any API) - `api..create_key` (create keys in specific API) operationId: keys.createKey requestBody: content: application/json: schema: $ref: '#/components/schemas/V2KeysCreateKeyRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/V2KeysCreateKeyResponseBody' description: >- Successfully created a new API key. The response includes both the keyId (for reference in your system) and the full key string. IMPORTANT: This is the only time the complete key is available - it cannot be retrieved later. You must securely provide this key to your end user immediately. '400': content: application/json: schema: $ref: '#/components/schemas/BadRequestErrorResponse' description: Bad request '401': content: application/json: schema: $ref: '#/components/schemas/UnauthorizedErrorResponse' description: Unauthorized '403': content: application/json: schema: $ref: '#/components/schemas/ForbiddenErrorResponse' description: Forbidden '404': content: application/json: schema: $ref: '#/components/schemas/NotFoundErrorResponse' description: Not found '429': content: application/problem+json: schema: $ref: '#/components/schemas/TooManyRequestsErrorResponse' description: Too Many Requests '500': content: application/json: schema: $ref: '#/components/schemas/InternalServerErrorResponse' description: Internal server error security: - rootKey: [] x-codeSamples: - lang: go label: Go (SDK) source: "package main\n\nimport(\n\t\"context\"\n\t\"os\"\n\tunkey \"github.com/unkeyed/sdks/api/go/v2\"\n\t\"github.com/unkeyed/sdks/api/go/v2/models/components\"\n\t\"log\"\n)\n\nfunc main() {\n ctx := context.Background()\n\n s := unkey.New(\n unkey.WithSecurity(os.Getenv(\"UNKEY_ROOT_KEY\")),\n )\n\n res, err := s.Keys.CreateKey(ctx, components.V2KeysCreateKeyRequestBody{\n APIID: \"api_1234abcd\",\n Prefix: unkey.Pointer(\"prod\"),\n Name: unkey.Pointer(\"Payment Service Production Key\"),\n ByteLength: unkey.Pointer[int64](24),\n ExternalID: unkey.Pointer(\"user_1234abcd\"),\n Meta: map[string]any{\n \"plan\": \"enterprise\",\n \"featureFlags\": map[string]any{\n \"betaAccess\": true,\n \"concurrentConnections\": 10,\n },\n \"customerName\": \"Acme Corp\",\n \"billing\": map[string]any{\n \"tier\": \"premium\",\n \"renewal\": \"2024-12-31\",\n },\n },\n Roles: []string{\n \"api_admin\",\n \"billing_reader\",\n },\n Permissions: []string{\n \"documents.read\",\n \"documents.write\",\n \"settings.view\",\n },\n Expires: unkey.Pointer[int64](1704067200000),\n Credits: &components.KeyCreditsData{\n Remaining: unkey.Pointer[int64](1000),\n Refill: &components.KeyCreditsRefill{\n Interval: components.KeyCreditsRefillIntervalDaily,\n Amount: 1000,\n RefillDay: unkey.Pointer[int64](15),\n },\n },\n Ratelimits: []components.RatelimitRequest{\n components.RatelimitRequest{\n Name: \"requests\",\n Limit: 100,\n Duration: 60000,\n AutoApply: unkey.Pointer(true),\n },\n components.RatelimitRequest{\n Name: \"heavy_operations\",\n Limit: 10,\n Duration: 3600000,\n },\n },\n })\n if err != nil {\n log.Fatal(err)\n }\n if res.V2KeysCreateKeyResponseBody != nil {\n // handle response\n }\n}" - lang: python label: Python (SDK) source: |- from unkey.py import Unkey, models with Unkey( root_key="", ) as unkey: res = unkey.keys.create_key(api_id="api_1234abcd", prefix="prod", name="Payment Service Production Key", byte_length=24, external_id="user_1234abcd", meta={ "plan": "enterprise", "featureFlags": { "betaAccess": True, "concurrentConnections": 10, }, "customerName": "Acme Corp", "billing": { "tier": "premium", "renewal": "2024-12-31", }, }, roles=[ "api_admin", "billing_reader", ], permissions=[ "documents.read", "documents.write", "settings.view", ], expires=1704067200000, credits={ "remaining": 1000, "refill": { "interval": models.KeyCreditsRefillInterval.DAILY, "amount": 1000, "refill_day": 15, }, }, ratelimits=[ { "name": "requests", "limit": 100, "duration": 60000, "auto_apply": True, }, { "name": "heavy_operations", "limit": 10, "duration": 3600000, }, ], enabled=True, recoverable=False) # Handle response print(res) - lang: typescript label: Typescript (SDK) source: |- import { Unkey } from "@unkey/api"; const unkey = new Unkey({ rootKey: process.env["UNKEY_ROOT_KEY"] ?? "", }); async function run() { const result = await unkey.keys.createKey({ apiId: "api_1234abcd", prefix: "prod", name: "Payment Service Production Key", byteLength: 24, externalId: "user_1234abcd", meta: { "plan": "enterprise", "featureFlags": { "betaAccess": true, "concurrentConnections": 10, }, "customerName": "Acme Corp", "billing": { "tier": "premium", "renewal": "2024-12-31", }, }, roles: [ "api_admin", "billing_reader", ], permissions: [ "documents.read", "documents.write", "settings.view", ], expires: 1704067200000, credits: { remaining: 1000, refill: { interval: "daily", amount: 1000, refillDay: 15, }, }, ratelimits: [ { name: "requests", limit: 100, duration: 60000, autoApply: true, }, { name: "heavy_operations", limit: 10, duration: 3600000, }, ], }); console.log(result); } run(); components: schemas: V2KeysCreateKeyRequestBody: type: object required: - apiId properties: apiId: type: string minLength: 3 maxLength: 255 pattern: ^[a-zA-Z0-9_]+$ description: | The API namespace this key belongs to. Keys from different APIs cannot access each other. example: api_1234abcd prefix: type: string minLength: 1 maxLength: 16 pattern: ^[a-zA-Z0-9_]+$ description: > Adds a visual identifier to the beginning of the generated key for easier recognition in logs and dashboards. The prefix becomes part of the actual key string (e.g., `prod_xxxxxxxxx`). Avoid using sensitive information in prefixes as they may appear in logs and error messages. example: prod name: type: string minLength: 1 maxLength: 255 description: > Sets a human-readable identifier for internal organization and dashboard display. Never exposed to end users, only visible in management interfaces and API responses. Avoid generic names like "API Key" when managing multiple keys for the same user or service. example: Payment Service Production Key byteLength: type: integer minimum: 16 maximum: 255 default: 16 description: > Controls the cryptographic strength of the generated key in bytes. Higher values increase security but result in longer keys that may be more annoying to handle. The default 16 bytes provides 2^128 possible combinations, sufficient for most applications. Consider 32 bytes for highly sensitive APIs, but avoid values above 64 bytes unless specifically required. example: 24 externalId: type: string minLength: 1 maxLength: 255 pattern: ^[a-zA-Z0-9_.-]+$ description: > Links this key to a user or entity in your system using your own identifier. Returned during verification to identify the key owner without additional database lookups. Essential for user-specific analytics, billing, and multi-tenant key management. Use your primary user ID, organization ID, or tenant ID for best results. Accepts letters, numbers, underscores, dots, and hyphens for flexible identifier formats. example: user_1234abcd meta: type: object additionalProperties: true maxProperties: 100 description: > Stores arbitrary JSON metadata returned during key verification for contextual information. Eliminates additional database lookups during verification, improving performance for stateless services. Avoid storing sensitive data here as it's returned in verification responses. Large metadata objects increase verification latency and should stay under 10KB total size. example: plan: enterprise featureFlags: betaAccess: true concurrentConnections: 10 customerName: Acme Corp billing: tier: premium renewal: '2024-12-31' roles: type: array maxItems: 100 items: type: string minLength: 1 maxLength: 100 pattern: ^[a-zA-Z0-9_:\-\.\*]+$ description: > Assigns existing roles to this key for permission management through role-based access control. Roles must already exist in your workspace before assignment. During verification, all permissions from assigned roles are checked against requested permissions. Roles provide a convenient way to group permissions and apply consistent access patterns across multiple keys. example: - api_admin - billing_reader permissions: type: array maxItems: 1000 items: type: string minLength: 1 maxLength: 100 pattern: ^[a-zA-Z][a-zA-Z0-9._-]*$ description: > Grants specific permissions directly to this key without requiring role membership. Wildcard permissions like `documents.*` grant access to all sub-permissions including `documents.read` and `documents.write`. Direct permissions supplement any permissions inherited from assigned roles. example: - documents.read - documents.write - settings.view expires: type: integer format: int64 minimum: 0 maximum: 4102444800000 description: > Sets when this key automatically expires as a Unix timestamp in milliseconds. Verification fails with code=EXPIRED immediately after this time passes. Omitting this field creates a permanent key that never expires. Avoid setting timestamps in the past as they immediately invalidate the key. Keys expire based on server time, not client time, which prevents timezone-related issues. Essential for trial periods, temporary access, and security compliance requiring key rotation. example: 1704067200000 credits: $ref: '#/components/schemas/KeyCreditsData' description: > Controls usage-based limits through credit consumption with optional automatic refills. Unlike rate limits which control frequency, credits control total usage with global consistency. Essential for implementing usage-based pricing, subscription tiers, and hard usage quotas. Omitting this field creates unlimited usage, while setting null is not allowed during creation. ratelimits: type: array maxItems: 50 items: $ref: '#/components/schemas/RatelimitRequest' description: > Defines time-based rate limits that protect against abuse by controlling request frequency. Unlike credits which track total usage, rate limits reset automatically after each window expires. Multiple rate limits can control different operation types with separate thresholds and windows. Essential for preventing API abuse while maintaining good performance for legitimate usage. example: - name: requests limit: 100 duration: 60000 autoApply: true - name: heavy_operations limit: 10 duration: 3600000 autoApply: false enabled: type: boolean default: true description: > Controls whether the key is active immediately upon creation. When set to `false`, the key exists but all verification attempts fail with `code=DISABLED`. Useful for pre-creating keys that will be activated later or for keys requiring manual approval. Most keys should be created with `enabled=true` for immediate use. example: true recoverable: type: boolean default: false description: > Controls whether the plaintext key is stored in an encrypted vault for later retrieval. When true, allows recovering the actual key value using keys.getKey with decrypt=true. When false, the key value cannot be retrieved after creation for maximum security. Only enable for development keys or when key recovery is absolutely necessary. example: false additionalProperties: false V2KeysCreateKeyResponseBody: type: object required: - meta - data properties: meta: $ref: '#/components/schemas/Meta' data: $ref: '#/components/schemas/V2KeysCreateKeyResponseData' BadRequestErrorResponse: type: object required: - meta - error properties: meta: $ref: '#/components/schemas/Meta' error: $ref: '#/components/schemas/BadRequestErrorDetails' description: >- Error response for invalid requests that cannot be processed due to client-side errors. This typically occurs when request parameters are missing, malformed, or fail validation rules. The response includes detailed information about the specific errors in the request, including the location of each error and suggestions for fixing it. When receiving this error, check the 'errors' array in the response for specific validation issues that need to be addressed before retrying. UnauthorizedErrorResponse: type: object required: - meta - error properties: meta: $ref: '#/components/schemas/Meta' error: $ref: '#/components/schemas/BaseError' description: >- Error response when authentication has failed or credentials are missing. This occurs when: - No authentication token is provided in the request - The provided token is invalid, expired, or malformed - The token format doesn't match expected patterns To resolve this error, ensure you're including a valid root key in the Authorization header. ForbiddenErrorResponse: type: object required: - meta - error properties: meta: $ref: '#/components/schemas/Meta' error: $ref: '#/components/schemas/BaseError' description: >- Error response when the provided credentials are valid but lack sufficient permissions for the requested operation. This occurs when: - The root key doesn't have the required permissions for this endpoint - The operation requires elevated privileges that the current key lacks - Access to the requested resource is restricted based on workspace settings To resolve this error, ensure your root key has the necessary permissions or contact your workspace administrator. NotFoundErrorResponse: type: object required: - meta - error properties: meta: $ref: '#/components/schemas/Meta' error: $ref: '#/components/schemas/BaseError' description: >- Error response when the requested resource cannot be found. This occurs when: - The specified resource ID doesn't exist in your workspace - The resource has been deleted or moved - The resource exists but is not accessible with current permissions To resolve this error, verify the resource ID is correct and that you have access to it. TooManyRequestsErrorResponse: type: object required: - meta - error properties: meta: $ref: '#/components/schemas/Meta' error: $ref: '#/components/schemas/BaseError' description: >- Error response when the client has sent too many requests in a given time period. This occurs when you've exceeded a rate limit or quota for the resource you're accessing. The rate limit resets automatically after the time window expires. To avoid this error: - Implement exponential backoff when retrying requests - Cache results where appropriate to reduce request frequency - Check the error detail message for specific quota information - Contact support if you need a higher quota for your use case InternalServerErrorResponse: type: object required: - meta - error properties: meta: $ref: '#/components/schemas/Meta' error: $ref: '#/components/schemas/BaseError' description: >- Error response when an unexpected error occurs on the server. This indicates a problem with Unkey's systems rather than your request. When you encounter this error: - The request ID in the response can help Unkey support investigate the issue - The error is likely temporary and retrying may succeed - If the error persists, contact Unkey support with the request ID KeyCreditsData: type: object description: Credit configuration and remaining balance for this key. properties: remaining: type: - integer - 'null' format: int64 minimum: 0 maximum: 9223372036854776000 description: Number of credits remaining (null for unlimited). example: 1000 refill: $ref: '#/components/schemas/KeyCreditsRefill' x-go-type-skip-optional-pointer: true x-go-type-skip-optional-pointer-with-omitzero: true required: - remaining additionalProperties: false RatelimitRequest: type: object required: - name - limit - duration - autoApply properties: name: description: >- The name of this rate limit. This name is used to identify which limit to check during key verification. Best practices for limit names: - Use descriptive, semantic names like 'api_requests', 'heavy_operations', or 'downloads' - Be consistent with naming conventions across your application - Create separate limits for different resource types or operation costs - Consider using namespaced names for better organization (e.g., 'files.downloads', 'compute.training') You will reference this exact name when verifying keys to check against this specific limit. type: string example: api minLength: 3 maxLength: 128 limit: description: >- The maximum number of operations allowed within the specified time window. When this limit is reached, verification requests will fail with `code=RATE_LIMITED` until the window resets. The limit should reflect: - Your infrastructure capacity and scaling limitations - Fair usage expectations for your service - Different tier levels for various user types - The relative cost of the operations being limited Higher values allow more frequent access but may impact service performance. type: integer format: int64 minimum: 1 duration: description: >- The duration for each ratelimit window in milliseconds. This controls how long the rate limit counter accumulates before resetting. Common values include: - 1000 (1 second): For strict per-second limits on high-frequency operations - 60000 (1 minute): For moderate API usage control - 3600000 (1 hour): For less frequent but costly operations - 86400000 (24 hours): For daily quotas Shorter windows provide more frequent resets but may allow large burst usage. Longer windows provide more consistent usage patterns but take longer to reset after limit exhaustion. type: integer format: int64 minimum: 1000 autoApply: description: >- Whether this ratelimit should be automatically applied when verifying a key. type: boolean default: false Meta: type: object required: - requestId properties: requestId: description: >- A unique id for this request. Always include this ID when contacting support about a specific API request. This identifier allows Unkey's support team to trace the exact request through logs and diagnostic systems to provide faster assistance. example: req_123 type: string additionalProperties: false description: >- Metadata object included in every API response. This provides context about the request and is essential for debugging, audit trails, and support inquiries. The `requestId` is particularly important when troubleshooting issues with the Unkey support team. V2KeysCreateKeyResponseData: type: object properties: keyId: type: string description: >- The unique identifier for this key in Unkey's system. This is NOT the actual API key, but a reference ID used for management operations like updating or deleting the key. Store this ID in your database to reference the key later. This ID is not sensitive and can be logged or displayed in dashboards. example: key_2cGKbMxRyIzhCxo1Idjz8q key: type: string description: >- The full generated API key that should be securely provided to your user. SECURITY WARNING: This is the only time you'll receive the complete key - Unkey only stores a securely hashed version. Never log or store this value in your own systems; provide it directly to your end user via secure channels. After this API call completes, this value cannot be retrieved again (unless created with `recoverable=true`). example: prod_2cGKbMxRjIzhCxo1IdjH3arELti7Sdyc8w6XYbvtcyuBowPT required: - keyId - key BadRequestErrorDetails: allOf: - $ref: '#/components/schemas/BaseError' - type: object properties: errors: description: >- List of individual validation errors that occurred in the request. Each error provides specific details about what failed validation, where the error occurred in the request, and suggestions for fixing it. This granular information helps developers quickly identify and resolve multiple issues in a single request without having to make repeated API calls. items: $ref: '#/components/schemas/ValidationError' type: array required: - errors description: >- Extended error details specifically for bad request (400) errors. This builds on the BaseError structure by adding an array of individual validation errors, making it easy to identify and fix multiple issues at once. BaseError: properties: detail: description: >- A human-readable explanation specific to this occurrence of the problem. This provides detailed information about what went wrong and potential remediation steps. The message is intended to be helpful for developers troubleshooting the issue. example: Property foo is required but is missing. type: string status: description: >- HTTP status code that corresponds to this error. This will match the status code in the HTTP response. Common codes include `400` (Bad Request), `401` (Unauthorized), `403` (Forbidden), `404` (Not Found), `409` (Conflict), and `500` (Internal Server Error). example: 404 format: int type: integer title: description: >- A short, human-readable summary of the problem type. This remains constant from occurrence to occurrence of the same problem and should be used for programmatic handling. example: Not Found type: string type: description: >- A URI reference that identifies the problem type. This provides a stable identifier for the error that can be used for documentation lookups and programmatic error handling. When followed, this URI should provide human-readable documentation for the problem type. example: https://unkey.com/docs/errors/unkey/resource/not_found type: string required: - title - detail - status - type type: object additionalProperties: false description: >- Base error structure following Problem Details for HTTP APIs (RFC 7807). This provides a standardized way to carry machine-readable details of errors in HTTP response content. KeyCreditsRefill: type: object description: Configuration for automatic credit refill behavior. properties: interval: type: string enum: - daily - monthly x-speakeasy-unknown-values: allow description: How often credits are automatically refilled. example: daily amount: type: integer format: int64 minimum: 1 maximum: 9223372036854776000 description: Number of credits to add during each refill cycle. example: 1000 refillDay: type: integer minimum: 1 maximum: 31 description: > Day of the month for monthly refills (1-31). Only required when interval is 'monthly'. For days beyond the month's length, refill occurs on the last day of the month. example: 15 x-go-type-skip-optional-pointer: true x-go-type-skip-optional-pointer-with-omitzero: true required: - interval - amount additionalProperties: false ValidationError: additionalProperties: false properties: location: description: >- JSON path indicating exactly where in the request the error occurred. This helps pinpoint the problematic field or parameter. Examples include: - 'body.name' (field in request body) - 'body.items[3].tags' (nested array element) - 'path.apiId' (path parameter) - 'query.limit' (query parameter) Use this location to identify exactly which part of your request needs correction. type: string example: body.permissions[0].name message: description: >- Detailed error message explaining what validation rule was violated. This provides specific information about why the field or parameter was rejected, such as format errors, invalid values, or constraint violations. type: string example: Must be at least 3 characters long fix: description: >- A human-readable suggestion describing how to fix the error. This provides practical guidance on what changes would satisfy the validation requirements. Not all validation errors include fix suggestions, but when present, they offer specific remediation advice. type: string example: >- Ensure the name uses only alphanumeric characters, underscores, and hyphens required: - location - message type: object description: >- Individual validation error details. Each validation error provides precise information about what failed, where it failed, and how to fix it, enabling efficient error resolution. securitySchemes: rootKey: bearerFormat: root key description: >- Unkey uses API keys (root keys) for authentication. These keys authorize access to management operations in the API. To authenticate, include your root key in the Authorization header of each request: ``` Authorization: Bearer unkey_123 ``` Root keys have specific permissions attached to them, controlling what operations they can perform. Key permissions follow a hierarchical structure with patterns like `resource.resource_id.action` (e.g., `apis.*.create_key`, `apis.*.read_api`). Security best practices: - Keep root keys secure and never expose them in client-side code - Use different root keys for different environments - Rotate keys periodically, especially after team member departures - Create keys with minimal necessary permissions following least privilege principle - Monitor key usage with audit logs. scheme: bearer type: http ````