> ## Documentation Index > Fetch the complete documentation index at: https://unkey.com/docs/llms.txt > Use this file to discover all available pages before exploring further. # Permissions > Complete reference of all root key permissions in Unkey. Control which API operations each root key can perform across your workspace. Each root key has a set of permissions that control which API operations it can perform. ## Permission format Permissions follow the pattern `{resource}.{scope}.{action}`. The scope determines which specific resource the permission applies to. ### Wildcards vs specific IDs The scope can be either a wildcard (`*`) or a specific resource ID: * `api.*.create_key` grants `create_key` on **all** keyspaces in the workspace. * `api.api_abc123.create_key` grants `create_key` on **only** that specific keyspace. The wildcard `*` means "all current and future resources of this type." A root key with `api.*.read_key` automatically gains read access to any keyspace created after the key was issued. A key with `api.api_abc123.read_key` can only read keys belonging to that one keyspace, even if new keyspaces are created later. You can mix wildcards and specific IDs on the same root key. For example, a key for your billing service might have: * `api.*.verify_key` to verify keys across all keyspaces * `api.api_billing.create_key` to create keys in only the billing keyspace * `ratelimit.*.limit` to enforce rate limits in any namespace When configuring a root key in the dashboard, workspace-wide permissions (using `*`) are listed at the top under "Workspace." Below them, under "From APIs," each keyspace in your workspace is listed so you can grant keyspace-scoped permissions selectively. Permission selection sheet Permission selection sheet ### Insufficient permissions If a root key attempts an operation it does not have permission for, the Unkey API returns a `403 Forbidden` response with an error indicating which permission is missing. Check the error message to determine which permission to add to the key. ## Keyspace permissions These permissions control management of keyspaces in your workspace. Create new keyspaces in the workspace. There is no keyspace-scoped variant of this permission, since the keyspace does not exist yet at creation time. Read information about a keyspace, including its name, configuration, and settings. Use `api.*.read_api` to read all keyspaces. Update a keyspace's configuration. Use `api.*.update_api` to update any keyspace. Delete a keyspace and all its associated keys. Granting this on a specific keyspace does not grant delete access to other keyspaces. Use `api.*.delete_api` to delete any keyspace. Query analytics data for a keyspace using SQL. Use `api.*.read_analytics` to query across all keyspaces. ## Key permissions These permissions control creation, verification, and management of API keys. Create new keys in a keyspace. Use `api.*.create_key` to create keys in any keyspace. Read information and analytics about keys, including metadata, expiration, remaining uses, and rate limit configuration. Use `api.*.read_key` to read keys across all keyspaces. Update a key's metadata, rate limits, expiration, remaining uses, or other properties. Use `api.*.update_key` to update keys in any keyspace. Delete keys belonging to a keyspace. Use `api.*.delete_key` to delete keys in any keyspace. Verify API keys and enforce their rate limits and permissions. This is the permission your backend server needs to validate incoming requests from your users. Use `api.*.verify_key` to verify keys across all keyspaces. Encrypt keys belonging to a keyspace. Unkey stores API keys as hashes by default. With this permission, you can store an encrypted copy of the plaintext key that can be retrieved later. Use `api.*.encrypt_key` for all keyspaces. Decrypt keys belonging to a keyspace. Required to retrieve the original plaintext value of a key that was stored with encryption. Without this permission, you can verify a key but cannot recover its value. Use `api.*.decrypt_key` for all keyspaces. ## Rate limit permissions These permissions control rate limit namespaces and overrides. All rate limit permissions use the `ratelimit.*` scope. Create new rate limit namespaces in the workspace. Namespaces group related rate limit configurations together. Read information about rate limit namespaces, including their configuration and current state. Update rate limit namespace configuration, such as changing the default limit or window duration. Delete rate limit namespaces from the workspace. Execute a rate limit check against an identifier. This is the permission your backend needs to enforce rate limits at runtime. Set a rate limit override for a specific identifier. Overrides let you grant higher or lower limits to individual users or entities without changing the namespace defaults. Read rate limit overrides for an identifier. Delete a rate limit override, reverting the identifier to the namespace default. ## RBAC permissions These permissions control your ability to manage the [RBAC system](/platform/apis/features/authorization/introduction) through the Unkey API. They govern who can create roles, define permissions, and assign them to API keys. This is a separate layer from the roles and permissions you define within RBAC itself. For example, `rbac.*.create_role` on a root key lets you call the API to create a new role, while the roles you create (like "editor" or "viewer") are assigned to your end-user API keys and checked at verification time. All RBAC permissions use the `rbac.*` scope. ### Roles Create a new role in the workspace. Roles are named collections of permissions that you can assign to API keys. Read roles and their associated permissions in the workspace. Delete a role from the workspace. Keys that had this role lose the permissions it granted. ### Permissions Create a new permission definition in the workspace. Permissions are the building blocks you assign to roles or directly to keys. Read permission definitions in the workspace. Delete a permission definition from the workspace. ### Key assignments Assign a role to an API key. The key inherits all permissions associated with that role. Remove a role from an API key. The key loses the permissions that role granted, unless another assigned role also grants them. Assign a permission directly to an API key, bypassing roles. Remove a directly assigned permission from an API key. ## Identity permissions These permissions control [identities](/platform/identities/overview), which let you associate multiple API keys with a single user or entity. All identity permissions use the `identity.*` scope. Create a new identity in the workspace. Read identity information, including external ID and metadata. Update an identity's metadata or other properties. Delete an identity from the workspace. ## Deployment permissions These permissions control Unkey Deploy operations. All deployment permissions use the `project.*` scope. Create new deployments in the workspace. Required for CI/CD pipelines that deploy through the Unkey API. Read deployment details and status, including build logs and instance health. Generate upload URLs for build contexts. Required during the deployment process to upload your application code. ## Common permission sets | Use case | Permissions | | --------------------- | ---------------------------------------------------------------------------- | | Verify keys only | `api.*.verify_key` | | Create keys for users | `api.*.create_key`, `api.*.read_key` | | Full key management | `api.*.create_key`, `api.*.read_key`, `api.*.update_key`, `api.*.delete_key` | | Rate limiting | `ratelimit.*.limit` | | Rate limit overrides | `ratelimit.*.set_override`, `ratelimit.*.read_override` | | CI/CD deployments | `project.*.create_deployment`, `project.*.generate_upload_url` | | RBAC management | `rbac.*.create_role`, `rbac.*.create_permission`, `rbac.*.add_role_to_key` |