> ## Documentation Index > Fetch the complete documentation index at: https://unkey.com/docs/llms.txt > Use this file to discover all available pages before exploring further. # Verify API key > Verify an API key's validity and permissions for request authentication. Use this endpoint on every incoming request to your protected resources. It checks key validity, permissions, rate limits, and usage quotas in a single call. **Important**: Returns HTTP 200 for all verification outcomes — check the `valid` field in response data to determine if the key is authorized. A 429 may be returned if the workspace exceeds its API rate limit. **Common use cases:** - Authenticate API requests before processing - Enforce permission-based access control - Track usage and apply rate limits **Required Permissions** Your root key needs one of: - `api.*.verify_key` (verify keys in any API) - `api..verify_key` (verify keys in specific API) **Note**: If your root key has no verify permissions at all, you will receive a `403 Forbidden` error. If your root key has verify permissions for a different API than the key you're verifying, you will receive a `200` response with `code: NOT_FOUND` to avoid leaking key existence. ## OpenAPI ````yaml https://spec.speakeasy.com/unkey/unkey/openapi-json-with-code-samples post /v2/keys.verifyKey openapi: 3.1.0 info: description: >- Unkey's API provides programmatic access for all resources within our platform. ### Authentication # This API uses HTTP Bearer authentication with root keys. Most endpoints require specific permissions associated with your root key. When making requests, include your root key in the `Authorization` header: ``` Authorization: Bearer unkey_xxxxxxxxxxx ``` All responses follow a consistent envelope structure that separates operational metadata from actual data. This design provides several benefits: - Debugging: Every response includes a unique requestId for tracing issues - Consistency: Predictable response format across all endpoints - Extensibility: Easy to add new metadata without breaking existing integrations - Error Handling: Unified error format with actionable information ### Success Response Format: ```json { "meta": { "requestId": "req_123456" }, "data": { // Actual response data here } } ``` The meta object contains operational information: - `requestId`: Unique identifier for this request (essential for support) The data object contains the actual response data specific to each endpoint. ### Paginated Response Format: ```json { "meta": { "requestId": "req_123456" }, "data": [ // Array of results ], "pagination": { "cursor": "next_page_token", "hasMore": true } } ``` The pagination object appears on list endpoints and contains: - `cursor`: Token for requesting the next page - `hasMore`: Whether more results are available ### Error Response Format: ```json { "meta": { "requestId": "req_2c9a0jf23l4k567" }, "error": { "detail": "The resource you are attempting to modify is protected and cannot be changed", "status": 403, "title": "Forbidden", "type": "https://unkey.com/docs/errors/unkey/application/protected_resource" } } ``` Error responses include comprehensive diagnostic information: - `title`: Human-readable error summary - `detail`: Specific description of what went wrong - `status`: HTTP status code - `type`: Link to error documentation - `errors`: Array of validation errors (for 400 responses) This structure ensures you always have the context needed to debug issues and take corrective action. title: Unkey API version: 2.0.0 servers: - url: https://api.unkey.com security: - rootKey: [] tags: - description: Analytics query operations name: analytics - description: API management operations name: apis - description: Deployment operations name: deploy - description: Identity management operations name: identities - description: API key management operations name: keys - description: Health check operations name: liveness - description: Permission and role management operations name: permissions - description: Customer Portal session management name: portal - description: Rate limiting operations name: ratelimit paths: /v2/keys.verifyKey: post: tags: - keys summary: Verify API key description: > Verify an API key's validity and permissions for request authentication. Use this endpoint on every incoming request to your protected resources. It checks key validity, permissions, rate limits, and usage quotas in a single call. **Important**: Returns HTTP 200 for all verification outcomes — check the `valid` field in response data to determine if the key is authorized. A 429 may be returned if the workspace exceeds its API rate limit. **Common use cases:** - Authenticate API requests before processing - Enforce permission-based access control - Track usage and apply rate limits **Required Permissions** Your root key needs one of: - `api.*.verify_key` (verify keys in any API) - `api..verify_key` (verify keys in specific API) **Note**: If your root key has no verify permissions at all, you will receive a `403 Forbidden` error. If your root key has verify permissions for a different API than the key you're verifying, you will receive a `200` response with `code: NOT_FOUND` to avoid leaking key existence. operationId: keys.verifyKey requestBody: content: application/json: schema: $ref: '#/components/schemas/V2KeysVerifyKeyRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/V2KeysVerifyKeyResponseBody' description: > Key verification process completed. This endpoint always returns HTTP 200 regardless of whether the key passed or failed verification. You must check the `valid` field in the response data to determine the actual verification result. When verification succeeds, the response includes comprehensive information about the key including its current status, remaining credits, expiration time, associated permissions and roles, metadata, and any rate limiting information. This data enables your application to make informed authorization decisions and provide appropriate user experiences. When verification fails, the response indicates the specific reason through the `code` field while setting `valid` to false. The failure codes help you handle different scenarios appropriately, such as directing users to renew expired keys, upgrade for more credits, or contact support for disabled keys. The response also includes identity information when the key is associated with an identity, providing additional context about the key holder and any identity-specific rate limits or metadata that may apply to the verification. '400': content: application/json: examples: permissionsQuerySyntaxError: summary: Invalid permissions query syntax value: error: detail: >- Syntax error in permission query: unexpected token 'AND' at position 15. Expected permission name or opening parenthesis. errors: - fix: >- Check your query syntax. AND/OR operators must be between permissions, not at the start or end location: body.permissions message: unexpected token 'AND' at position 15 status: 400 title: Bad Request type: >- https://unkey.com/docs/errors/user/bad_request/permissions_query_syntax_error meta: requestId: req_01H9TQPP77V5E48E9SH0BG0ZQX schema: $ref: '#/components/schemas/BadRequestErrorResponse' description: Bad request '401': content: application/json: schema: $ref: '#/components/schemas/UnauthorizedErrorResponse' description: Unauthorized '403': content: application/json: schema: $ref: '#/components/schemas/ForbiddenErrorResponse' description: > Forbidden. Returned when the root key has no verify permissions at all (neither `api.*.verify_key` nor `api..verify_key` for any API). '404': content: application/json: schema: $ref: '#/components/schemas/NotFoundErrorResponse' description: Not found '429': content: application/problem+json: schema: $ref: '#/components/schemas/TooManyRequestsErrorResponse' description: Too Many Requests '500': content: application/json: schema: $ref: '#/components/schemas/InternalServerErrorResponse' description: Internal server error security: - rootKey: [] x-codeSamples: - lang: go label: Go (SDK) source: "package main\n\nimport(\n\t\"context\"\n\t\"os\"\n\tunkey \"github.com/unkeyed/sdks/api/go/v2\"\n\t\"github.com/unkeyed/sdks/api/go/v2/models/components\"\n\t\"log\"\n)\n\nfunc main() {\n ctx := context.Background()\n\n s := unkey.New(\n unkey.WithSecurity(os.Getenv(\"UNKEY_ROOT_KEY\")),\n )\n\n res, err := s.Keys.VerifyKey(ctx, components.V2KeysVerifyKeyRequestBody{\n Key: \"sk_1234abcdef\",\n Tags: []string{\n \"endpoint=/users/profile\",\n \"method=GET\",\n \"region=us-east-1\",\n \"clientVersion=2.3.0\",\n \"feature=premium\",\n },\n Permissions: unkey.Pointer(\"documents.read AND users.view\"),\n Credits: &components.KeysVerifyKeyCredits{\n Cost: 5,\n },\n Ratelimits: []components.KeysVerifyKeyRatelimit{\n components.KeysVerifyKeyRatelimit{\n Name: \"tokens\",\n Cost: unkey.Pointer[int64](2),\n Limit: unkey.Pointer[int64](50),\n Duration: unkey.Pointer[int64](600000),\n },\n },\n MigrationID: unkey.Pointer(\"m_1234abcd\"),\n })\n if err != nil {\n log.Fatal(err)\n }\n if res.V2KeysVerifyKeyResponseBody != nil {\n // handle response\n }\n}" - lang: python label: Python (SDK) source: |- from unkey.py import Unkey with Unkey( root_key="", ) as unkey: res = unkey.keys.verify_key(key="sk_1234abcdef", tags=[ "endpoint=/users/profile", "method=GET", "region=us-east-1", "clientVersion=2.3.0", "feature=premium", ], permissions="documents.read AND users.view", credits={ "cost": 5, }, ratelimits=[ { "name": "tokens", "cost": 2, "limit": 50, "duration": 600000, }, ], migration_id="m_1234abcd") # Handle response print(res) - lang: typescript label: Typescript (SDK) source: |- import { Unkey } from "@unkey/api"; const unkey = new Unkey({ rootKey: process.env["UNKEY_ROOT_KEY"] ?? "", }); async function run() { const result = await unkey.keys.verifyKey({ key: "sk_1234abcdef", tags: [ "endpoint=/users/profile", "method=GET", "region=us-east-1", "clientVersion=2.3.0", "feature=premium", ], permissions: "documents.read AND users.view", credits: { cost: 5, }, ratelimits: [ { name: "tokens", cost: 2, limit: 50, duration: 600000, }, ], migrationId: "m_1234abcd", }); console.log(result); } run(); components: schemas: V2KeysVerifyKeyRequestBody: type: object additionalProperties: false required: - key properties: key: type: string minLength: 1 maxLength: 512 description: > The API key to verify, exactly as provided by your user. Include any prefix - even small changes will cause verification to fail. example: sk_1234abcdef tags: type: array items: type: string minLength: 1 maxLength: 512 maxItems: 20 description: > Attaches metadata tags for analytics and monitoring without affecting verification outcomes. Enables segmentation of API usage in dashboards by endpoint, client version, region, or custom dimensions. Use 'key=value' format for compatibility with most analytics tools and clear categorization. Avoid including sensitive data in tags as they may appear in logs and analytics reports. example: - endpoint=/users/profile - method=GET - region=us-east-1 - clientVersion=2.3.0 - feature=premium permissions: type: string minLength: 1 maxLength: 1000 description: > Checks if the key has the specified permission(s) using a query syntax. Supports single permissions, logical operators (AND, OR), and parentheses for grouping. Examples: - Single permission: "documents.read" - Multiple permissions: "documents.read AND documents.write" - Complex queries: "(documents.read OR documents.write) AND users.view" Verification fails if the key lacks the required permissions through direct assignment or role inheritance. example: documents.read AND users.view credits: $ref: '#/components/schemas/KeysVerifyKeyCredits' ratelimits: type: array items: $ref: '#/components/schemas/KeysVerifyKeyRatelimit' description: > Enforces time-based rate limiting during verification to prevent abuse and ensure fair usage. Omitting this field skips rate limit checks entirely, relying only on configured key rate limits. Multiple rate limits can be checked simultaneously, each with different costs and temporary overrides. Rate limit checks are optimized for performance but may allow brief bursts during high concurrency. migrationId: type: string maxLength: 256 description: >- Migrate keys on demand from your previous system. Reach out for migration support at support@unkey.dev example: m_1234abcd V2KeysVerifyKeyResponseBody: type: object required: - meta - data properties: meta: $ref: '#/components/schemas/Meta' data: $ref: '#/components/schemas/V2KeysVerifyKeyResponseData' additionalProperties: false BadRequestErrorResponse: type: object required: - meta - error properties: meta: $ref: '#/components/schemas/Meta' error: $ref: '#/components/schemas/BadRequestErrorDetails' description: >- Error response for invalid requests that cannot be processed due to client-side errors. This typically occurs when request parameters are missing, malformed, or fail validation rules. The response includes detailed information about the specific errors in the request, including the location of each error and suggestions for fixing it. When receiving this error, check the 'errors' array in the response for specific validation issues that need to be addressed before retrying. UnauthorizedErrorResponse: type: object required: - meta - error properties: meta: $ref: '#/components/schemas/Meta' error: $ref: '#/components/schemas/BaseError' description: >- Error response when authentication has failed or credentials are missing. This occurs when: - No authentication token is provided in the request - The provided token is invalid, expired, or malformed - The token format doesn't match expected patterns To resolve this error, ensure you're including a valid root key in the Authorization header. ForbiddenErrorResponse: type: object required: - meta - error properties: meta: $ref: '#/components/schemas/Meta' error: $ref: '#/components/schemas/BaseError' description: >- Error response when the provided credentials are valid but lack sufficient permissions for the requested operation. This occurs when: - The root key doesn't have the required permissions for this endpoint - The operation requires elevated privileges that the current key lacks - Access to the requested resource is restricted based on workspace settings To resolve this error, ensure your root key has the necessary permissions or contact your workspace administrator. NotFoundErrorResponse: type: object required: - meta - error properties: meta: $ref: '#/components/schemas/Meta' error: $ref: '#/components/schemas/BaseError' description: >- Error response when the requested resource cannot be found. This occurs when: - The specified resource ID doesn't exist in your workspace - The resource has been deleted or moved - The resource exists but is not accessible with current permissions To resolve this error, verify the resource ID is correct and that you have access to it. TooManyRequestsErrorResponse: type: object required: - meta - error properties: meta: $ref: '#/components/schemas/Meta' error: $ref: '#/components/schemas/BaseError' description: >- Error response when the client has sent too many requests in a given time period. This occurs when you've exceeded a rate limit or quota for the resource you're accessing. The rate limit resets automatically after the time window expires. To avoid this error: - Implement exponential backoff when retrying requests - Cache results where appropriate to reduce request frequency - Check the error detail message for specific quota information - Contact support if you need a higher quota for your use case InternalServerErrorResponse: type: object required: - meta - error properties: meta: $ref: '#/components/schemas/Meta' error: $ref: '#/components/schemas/BaseError' description: >- Error response when an unexpected error occurs on the server. This indicates a problem with Unkey's systems rather than your request. When you encounter this error: - The request ID in the response can help Unkey support investigate the issue - The error is likely temporary and retrying may succeed - If the error persists, contact Unkey support with the request ID KeysVerifyKeyCredits: type: object required: - cost properties: cost: type: integer format: int64 minimum: 0 maximum: 1000000000000 description: > Sets how many credits to deduct for this verification request. Use 0 for read-only operations or free tier access, higher values for premium features. Credits are deducted after all security checks pass. Essential for implementing usage-based pricing with different operation costs. example: 5 additionalProperties: false description: > Controls credit consumption for usage-based billing and quota enforcement. Omitting this field uses the default cost of 1 credit per verification. Credits provide globally consistent usage tracking, essential for paid APIs with strict quotas. KeysVerifyKeyRatelimit: type: object required: - name properties: name: type: string minLength: 3 maxLength: 255 description: >- References an existing ratelimit by its name. Key Ratelimits will take precedence over identifier-based limits. example: tokens cost: type: integer minimum: 0 default: 1 description: >- Optionally override how expensive this operation is and how many tokens are deducted from the current limit. example: 2 limit: type: integer minimum: 0 description: >- Optionally override the maximum number of requests allowed within the specified interval. example: 50 duration: type: integer minimum: 0 description: Optionally override the duration of the rate limit window duration. example: 600000 Meta: type: object required: - requestId properties: requestId: description: >- A unique id for this request. Always include this ID when contacting support about a specific API request. This identifier allows Unkey's support team to trace the exact request through logs and diagnostic systems to provide faster assistance. example: req_123 type: string additionalProperties: false description: >- Metadata object included in every API response. This provides context about the request and is essential for debugging, audit trails, and support inquiries. The `requestId` is particularly important when troubleshooting issues with the Unkey support team. V2KeysVerifyKeyResponseData: type: object additionalProperties: false properties: valid: type: boolean description: > The primary verification result. If true, the key is valid and can be used. If false, check the 'code' field to understand why verification failed. Your application should always check this field first before proceeding. code: type: string enum: - VALID - NOT_FOUND - FORBIDDEN - INSUFFICIENT_PERMISSIONS - USAGE_EXCEEDED - RATE_LIMITED - DISABLED - EXPIRED x-speakeasy-unknown-values: allow description: > A machine-readable code indicating the verification status or failure reason. Values: `VALID` (key is valid and passed all checks), `NOT_FOUND` (key doesn't exist or belongs to wrong API), `FORBIDDEN` (key lacks required permissions), `INSUFFICIENT_PERMISSIONS` (key lacks specific required permissions for this request), `USAGE_EXCEEDED` (key has no remaining credits), `RATE_LIMITED` (key exceeded rate limits), `DISABLED` (key was explicitly disabled), `EXPIRED` (key has passed its expiration date). keyId: type: string description: > The unique identifier of the verified key in Unkey's system. Use this ID for operations like updating or revoking the key. This field is returned for both valid and invalid keys (except when `code=NOT_FOUND`). x-go-type-skip-optional-pointer: true x-go-type-skip-optional-pointer-with-omitzero: true name: type: string description: > The human-readable name assigned to this key during creation. This is useful for displaying in logs or admin interfaces to identify the key's purpose. x-go-type-skip-optional-pointer: true x-go-type-skip-optional-pointer-with-omitzero: true meta: type: object additionalProperties: true description: > Custom metadata associated with the key. This can include any JSON-serializable data you stored with the key during creation or updates, such as plan information, feature flags, or user details. Use this to avoid additional database lookups for contextual information needed during API calls. x-go-type-skip-optional-pointer: true x-go-type-skip-optional-pointer-with-omitzero: true expires: type: integer format: int64 description: > Unix timestamp (in milliseconds) when the key will expire. If omitted, the key has no expiration. You can use this to warn users about upcoming expirations or to understand the validity period. x-go-type-skip-optional-pointer: true x-go-type-skip-optional-pointer-with-omitzero: true credits: type: integer format: int64 description: > The number of requests/credits remaining for this key. If omitted, the key has unlimited usage. This value decreases with each verification (based on the 'cost' parameter) unless explicit credit refills are configured. enabled: type: boolean description: > Indicates if the key is currently enabled. Disabled keys will always fail verification with `code=DISABLED`. This is useful for implementing temporary suspensions without deleting the key. permissions: type: array items: type: string description: > A list of all permission names assigned to this key, either directly or through roles. These permissions determine what actions the key can perform. Only returned when permissions were checked during verification or when the key fails with `code=FORBIDDEN`. x-go-type-skip-optional-pointer: true x-go-type-skip-optional-pointer-with-omitzero: true roles: type: array items: type: string description: > A list of all role names assigned to this key. Roles are collections of permissions that grant access to specific functionality. Only returned when permissions were checked during verification. x-go-type-skip-optional-pointer: true x-go-type-skip-optional-pointer-with-omitzero: true identity: $ref: '#/components/schemas/Identity' description: > Information about the identity associated with this key. Identities allow multiple keys to share resources (like rate limits) and represent the same user or entity across different applications or devices. x-go-type-skip-optional-pointer: true x-go-type-skip-optional-pointer-with-omitzero: true ratelimits: type: array items: $ref: '#/components/schemas/VerifyKeyRatelimitData' description: The ratelimits that got checked x-go-type-skip-optional-pointer: true x-go-type-skip-optional-pointer-with-omitzero: true required: - valid - code BadRequestErrorDetails: allOf: - $ref: '#/components/schemas/BaseError' - type: object properties: errors: description: >- List of individual validation errors that occurred in the request. Each error provides specific details about what failed validation, where the error occurred in the request, and suggestions for fixing it. This granular information helps developers quickly identify and resolve multiple issues in a single request without having to make repeated API calls. items: $ref: '#/components/schemas/ValidationError' type: array required: - errors description: >- Extended error details specifically for bad request (400) errors. This builds on the BaseError structure by adding an array of individual validation errors, making it easy to identify and fix multiple issues at once. BaseError: properties: detail: description: >- A human-readable explanation specific to this occurrence of the problem. This provides detailed information about what went wrong and potential remediation steps. The message is intended to be helpful for developers troubleshooting the issue. example: Property foo is required but is missing. type: string status: description: >- HTTP status code that corresponds to this error. This will match the status code in the HTTP response. Common codes include `400` (Bad Request), `401` (Unauthorized), `403` (Forbidden), `404` (Not Found), `409` (Conflict), and `500` (Internal Server Error). example: 404 format: int type: integer title: description: >- A short, human-readable summary of the problem type. This remains constant from occurrence to occurrence of the same problem and should be used for programmatic handling. example: Not Found type: string type: description: >- A URI reference that identifies the problem type. This provides a stable identifier for the error that can be used for documentation lookups and programmatic error handling. When followed, this URI should provide human-readable documentation for the problem type. example: https://unkey.com/docs/errors/unkey/resource/not_found type: string required: - title - detail - status - type type: object additionalProperties: false description: >- Base error structure following Problem Details for HTTP APIs (RFC 7807). This provides a standardized way to carry machine-readable details of errors in HTTP response content. Identity: type: object properties: id: type: string description: Identity ID externalId: type: string description: External identity ID meta: type: object additionalProperties: true description: Identity metadata x-go-type-skip-optional-pointer: true x-go-type-skip-optional-pointer-with-omitzero: true ratelimits: type: array description: Identity ratelimits items: $ref: '#/components/schemas/RatelimitResponse' x-go-type-skip-optional-pointer: true x-go-type-skip-optional-pointer-with-omitzero: true required: - externalId - id VerifyKeyRatelimitData: type: object properties: exceeded: type: boolean description: Whether the rate limit was exceeded. id: type: string minLength: 8 maxLength: 255 pattern: ^rl_[a-zA-Z0-9_]+$ description: Unique identifier for this rate limit configuration. example: rl_1234567890abcdef name: type: string minLength: 1 maxLength: 128 description: Human-readable name for this rate limit. example: api_requests limit: type: integer format: int64 minimum: 1 maximum: 1000000 description: Maximum requests allowed within the time window. example: 1000 duration: type: integer format: int64 minimum: 1000 maximum: 2592000000 description: Rate limit window duration in milliseconds. example: 3600000 reset: type: integer format: int64 minimum: 1000 maximum: 2592000000 description: Rate limit reset duration in milliseconds. example: 3600000 remaining: type: integer format: int64 minimum: 0 maximum: 1000000 description: Rate limit remaining requests within the time window. example: 999 autoApply: type: boolean description: > Whether this rate limit should be automatically applied when verifying keys. When true, we will automatically apply this limit during verification without it being explicitly listed. example: true required: - id - exceeded - name - limit - duration - reset - remaining - autoApply additionalProperties: false ValidationError: additionalProperties: false properties: location: description: >- JSON path indicating exactly where in the request the error occurred. This helps pinpoint the problematic field or parameter. Examples include: - 'body.name' (field in request body) - 'body.items[3].tags' (nested array element) - 'path.apiId' (path parameter) - 'query.limit' (query parameter) Use this location to identify exactly which part of your request needs correction. type: string example: body.permissions[0].name message: description: >- Detailed error message explaining what validation rule was violated. This provides specific information about why the field or parameter was rejected, such as format errors, invalid values, or constraint violations. type: string example: Must be at least 3 characters long fix: description: >- A human-readable suggestion describing how to fix the error. This provides practical guidance on what changes would satisfy the validation requirements. Not all validation errors include fix suggestions, but when present, they offer specific remediation advice. type: string example: >- Ensure the name uses only alphanumeric characters, underscores, and hyphens required: - location - message type: object description: >- Individual validation error details. Each validation error provides precise information about what failed, where it failed, and how to fix it, enabling efficient error resolution. RatelimitResponse: type: object properties: id: type: string minLength: 8 maxLength: 255 pattern: ^rl_[a-zA-Z0-9_]+$ description: Unique identifier for this rate limit configuration. example: rl_1234567890abcdef name: type: string minLength: 1 maxLength: 128 description: Human-readable name for this rate limit. example: api_requests limit: type: integer format: int64 minimum: 1 maximum: 1000000 description: Maximum requests allowed within the time window. example: 1000 duration: type: integer format: int64 minimum: 1000 maximum: 2592000000 description: Rate limit window duration in milliseconds. example: 3600000 autoApply: type: boolean description: >- Whether this rate limit was automatically applied when verifying the key. example: true required: - id - name - limit - duration - autoApply additionalProperties: false securitySchemes: rootKey: bearerFormat: root key description: >- Unkey uses API keys (root keys) for authentication. These keys authorize access to management operations in the API. To authenticate, include your root key in the Authorization header of each request: ``` Authorization: Bearer unkey_123 ``` Root keys have specific permissions attached to them, controlling what operations they can perform. Key permissions follow a hierarchical structure with patterns like `resource.resource_id.action` (e.g., `apis.*.create_key`, `apis.*.read_api`). Security best practices: - Keep root keys secure and never expose them in client-side code - Use different root keys for different environments - Rotate keys periodically, especially after team member departures - Create keys with minimal necessary permissions following least privilege principle - Monitor key usage with audit logs. scheme: bearer type: http ````