Skip to main content

Documentation Index

Fetch the complete documentation index at: https://unkey.com/docs/llms.txt

Use this file to discover all available pages before exploring further.

Unkey Deploy is in public beta. To try it, open the product switcher in the top-left of the dashboard and select Deploy. During beta, deployed resources are free. We’re eager for feedback, so let us know what you think on Discord, X, or email support@unkey.com.
The Firewall policy rejects requests before they reach your application. It is the Sentinel’s surface for blocking unwanted traffic at the deployment layer.

Actions

Every firewall rule denies the request when its match conditions hit. Sentinel responds with HTTP 403 Forbidden and skips all downstream policies, your upstream service is never invoked. Rules are evaluated top-to-bottom. The first matching rule blocks the request.

Match conditions

Firewall rules reuse Sentinel’s shared match conditions: path, method, request header (including User-Agent), and query parameter. A rule can combine multiple conditions, all of them must match for the rule to apply.

Observability

Denied requests are not currently written to the request log. Per-request visibility for firewall matches will land in a later release.

Not a DDoS mitigation

The Sentinel firewall runs after traffic has entered the platform. It’s the right place to protect your application from unwanted traffic and avoid invoking your instances for denied requests, but it is not an infrastructure-level DDoS shield. Platform-level abuse protection runs at our network ingress and is handled separately.
Last modified on May 6, 2026