documents.read, admin.users.delete, or billing.invoices.create for clear organization.
Important: Permission names must be unique within the workspace. Once created, permissions are immediately available for assignment.
Required permissions:
rbac.*.create_permission
See the API reference for the full HTTP endpoint documentation.
Usage
Flags
Human-readable name describing the permission’s purpose. Names must be unique within your workspace to prevent conflicts during assignment. Use clear, semantic names that developers can easily understand when building authorization logic. Consider using hierarchical naming conventions like
resource.action for better organization. Must be 1-512 characters.URL-safe identifier for use in APIs and integrations. Must start with a letter and contain only letters, numbers, periods, underscores, and hyphens. Slugs are often used in REST endpoints, configuration files, and external integrations. Must be unique within your workspace. Must be 1-128 characters.
Detailed documentation of what this permission grants access to. Include information about affected resources, allowed actions, and any important limitations. This internal documentation helps team members understand permission scope and security implications. Not visible to end users. Max 512 characters.
Global Flags
| Flag | Type | Description |
|---|---|---|
--root-key | string | Override root key ($UNKEY_ROOT_KEY) |
--api-url | string | Override API base URL (default: https://api.unkey.com) |
--config | string | Path to config file (default: ~/.unkey/config.toml) |
--output | string | Output format — use json for raw JSON |
Examples
Output
Default output shows the request ID with latency, followed by the created permission:--output=json, the full response envelope is returned: