Laravel middleware using Unkey RBAC

Protect your Laravel API

This simple Laravel application demonstrates how to implement API key verification using Unkey. The application has both public and protected routes, with the protected route requiring a valid API key.


  • Public Route: Accessible without any authentication.
  • Protected Route: Requires a valid API key to access.
  • Middleware: Uses Unkey for verification on protected routes.

Setup Unkey

  1. Create an Unkey account.
  2. Create a new API. Copy the API ID.
  3. Go to permissions and create a new permission named access-unkeyed-route
  4. Now go to roles and create a new role and select the withAuth permission for the role.
  5. Go to apis again and create a new key
  6. Click on the "Keys" tab.
  7. Select the key you created.
  8. Click on the "Permissions" tab.
  9. Check the role's checkbox to assign the role and permission to the key.
  10. Create a new root key from the settings/root-key with permission to create and read keys.
  11. You can follow this link to create the root key on the workspace level.,api..read_key
  12. Alternatively, follow this link to create the root key on the API level. Replace the API id with your API id.,api.api_id.read_key


  • PHP 3.x
  • Composer
  • An account with Unkey and your API ID and Root Key


  1. Clone this repository:

    git clone
    cd unkey-laravel-example
  2. Install dependencies:

    composer install
  3. Generate an application key. Laravel requires an application key for encryption. You can generate one by running:

    php artisan key:generate
  4. Set up your environment variables: copy .env.example to a .env file by running cp .env.example .env in the project root, then add the following variables. Get the Unkey API ID and Unkey root key from the Unkey dashboard.

  5. Run the project. It should start on port 8000:

    php artisan serve


  • Public Route: Visit http://localhost:8000/public to access the public route.
  • Protected Route: Use a tool like Postman or curl to send a GET request to http://localhost:8000/protected with an Authorization header containing your API key.

Example public request using curl:

    curl http://localhost:8000/public

Example protected request using curl (MAKE SURE THE API KEY has the withAuth permission):

    curl -H "Authorization: Bearer <api_key>" http://localhost:8000/protected
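
The middleware behind the protected route could look like the following. This is an added example, not the template repository's own code. It assumes Unkey's v1 keys.verifyKey HTTP endpoint with its apiId, key and authorization.permissions request fields and valid/code response fields; the class name VerifyUnkeyKey and the config key services.unkey.api_id are hypothetical.

```php
<?php
// Added example: hypothetical middleware, not the template repository's code.
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Http;
use Symfony\Component\HttpFoundation\Response;
use Throwable;

class VerifyUnkeyKey
{
    // Assumed usage: Route::get('/protected', ...)->middleware(VerifyUnkeyKey::class . ':withAuth');
    public function handle(Request $request, Closure $next, string $permission): Response
    {
        // Reads "Authorization: Bearer <api_key>"; null when absent or not a Bearer token.
        $key = $request->bearerToken();
        if ($key === null || $key === '') {
            return response()->json(['error' => 'missing API key'], 401);
        }

        try {
            // Assumed endpoint and field names (Unkey v1 keys.verifyKey).
            $result = Http::timeout(3)->acceptJson()
                ->post('https://api.unkey.dev/v1/keys.verifyKey', [
                    'apiId' => config('services.unkey.api_id'), // hypothetical config key
                    'key' => $key,
                    'authorization' => ['permissions' => $permission],
                ]);
        } catch (Throwable $e) {
            // Fail closed: an unreachable verifier must never mean "allow".
            return response()->json(['error' => 'verification unavailable'], 503);
        }

        if (! $result->successful()) {
            return response()->json(['error' => 'verification unavailable'], 503);
        }

        // Strict comparison: only a literal true grants access.
        if ($result->json('valid') !== true) {
            // 403 when the key is real but lacks the permission, 401 otherwise (assumed code value).
            $status = $result->json('code') === 'INSUFFICIENT_PERMISSIONS' ? 403 : 401;
            return response()->json(['error' => 'access denied'], $status);
        }

        return $next($request);
    }
}
```

Passing the permission as a middleware parameter keeps the check next to the route definition, and every path that cannot confirm the key ends in a denial rather than falling through to the controller.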
