api.*.update_key(to update keys in any API)api.<api_id>.update_key(to update keys in a specific API)
externalId that doesn’t exist, a new identity will be automatically created and linked to the key. Permission updates will auto-create any permissions that don’t exist in your workspace. Changes take effect immediately but may take up to 30 seconds to propagate to all edge regions due to cache invalidation.
See the API reference for the full HTTP endpoint documentation.
Usage
Flags
Specifies which key to update using the database identifier returned from
createKey. Do not confuse this with the actual API key string that users include in requests.Sets a human-readable name for internal organization and identification. Omitting this flag leaves the current name unchanged. Avoid generic names like “API Key” when managing multiple keys per user or service.
Links this key to a user or entity in your system for ownership tracking during verification. Omitting this flag preserves the current association. Essential for user-specific analytics, billing, and key management across multiple users.
JSON object of arbitrary metadata returned during key verification. Omitting this flag preserves existing metadata. Avoid storing sensitive data here as it’s returned in verification responses. Large metadata objects increase verification latency and should stay under 10KB total size.
Unix timestamp in milliseconds when the key automatically expires. Verification fails with
code=EXPIRED immediately after this time passes. Avoid setting timestamps in the past as they immediately invalidate the key. Keys expire based on server time, not client time.JSON object for credit and refill configuration. Controls usage-based limits for this key through credit consumption. Setting null enables unlimited usage. Essential for implementing usage-based pricing and subscription quotas.
JSON array of rate limit configurations. Defines time-based rate limits that protect against abuse by controlling request frequency. Unlike credits which track total usage, rate limits reset automatically after each window expires. Multiple rate limits can control different operation types with separate thresholds and windows.
Controls whether the key is currently active for verification requests. When set to
false, all verification attempts fail with code=DISABLED regardless of other settings. Useful for temporarily suspending access during billing issues, security incidents, or maintenance windows without losing key configuration.Comma-separated list of role names to assign. Roles must already exist in your workspace before assignment. During verification, all permissions from assigned roles are checked against requested permissions. Replaces all existing roles — use dedicated add/remove endpoints for incremental changes.
Comma-separated list of permission names to grant directly to this key. Wildcard permissions like
documents.* grant access to all sub-permissions. Direct permissions supplement any permissions inherited from assigned roles. Replaces all existing permissions — use dedicated add/remove endpoints for incremental changes.Global Flags
| Flag | Type | Description |
|---|---|---|
--root-key | string | Override root key ($UNKEY_ROOT_KEY) |
--api-url | string | Override API base URL (default: https://api.unkey.com) |
--config | string | Path to config file (default: ~/.unkey/config.toml) |
--output | string | Output format — use json for raw JSON |
Examples
Output
Default output shows the request ID with latency:--output=json, the full response envelope is returned: