Prerequisites

If you plan to encrypt your keys, please contact us at support@unkey.dev to flag you in.

The root key used for migrating must have the api.*.encrypt_key permission to encrypt keys.

Extracting keys from your current system is likely the hardest part. It depends on how your keys are stored and how you can access them. Some providers have APIs to list all keys, while others require you to manually export them, some can provide the real key, and some only provide a hashed version.

Regardless of how you get your keys, you will need to provide either the plaintext key or the hash, as well as other settings to Unkey via the migrations.createKeys endpoint.

Nodejs Example


const { createHash } = require("node:crypto")

function hash(key) {
  return {
    value: createHash("sha256").update(key).digest("base64"),
    variant: "sha256_base64",
  }
}

const keys = [
  {
    hash: hash("my-secret-key"),
    ownerId: "hello",
    apiId: "<UNKEY_API_ID>", // the id of the API you created
    //... other settings
  },
  {
    hash: hash("my-other-secret-key"),
    name: "name",
    apiId: "<UNKEY_API_ID>", // the id of the API you created
    //... other settings
  },
]

fetch("https://api.unkey.dev/v1/migrations.createKeys", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    Authorization: "Bearer <UNKEY_ROOT_KEY>",
  },
  body: JSON.stringify(keys)
})
.then(res=>res.json())
.then(res=>{console.log(res)})

Was this page helpful?

Overview