api.*.update_key(to update keys in any API)api.<api_id>.update_key(to update keys in a specific API)
See the API reference for the full HTTP endpoint documentation.
Usage
Flags
The key ID to remove roles from. This is the database identifier returned from key creation — do not confuse it with the actual API key string that users include in requests. Removing roles only affects direct assignments, not permissions inherited from other sources. Role changes take effect immediately but may take up to 30 seconds to propagate across all regions.
Comma-separated list of role names to remove. Operations are idempotent — removing non-assigned roles has no effect and causes no errors. After removal, the key loses access to permissions that were only granted through these roles. Invalid role references cause the entire operation to fail atomically, ensuring consistent state.
Global Flags
| Flag | Type | Description |
|---|---|---|
--root-key | string | Override root key ($UNKEY_ROOT_KEY) |
--api-url | string | Override API base URL (default: https://api.unkey.com) |
--config | string | Path to config file (default: ~/.unkey/config.toml) |
--output | string | Output format — use json for raw JSON |
Examples
Output
Default output shows the request ID with latency, followed by the remaining roles assigned to the key:--output=json, the full response envelope is returned: