Migrate API key(s)

Authorizations

Authorization

string

header

required

Unkey uses API keys (root keys) for authentication. These keys authorize access to management operations in the API. To authenticate, include your root key in the Authorization header of each request:

Authorization: Bearer unkey_123

Root keys have specific permissions attached to them, controlling what operations they can perform. Key permissions follow a hierarchical structure with patterns like resource.resource_id.action (e.g., apis.*.create_key, apis.*.read_api). Security best practices:

Keep root keys secure and never expose them in client-side code
Use different root keys for different environments
Rotate keys periodically, especially after team member departures
Create keys with minimal necessary permissions following least privilege principle
Monitor key usage with audit logs.

Body

application/json

migrationId

string

required

Identifier of the configured migration provider/strategy to use (e.g., "your_company"). You will receive this from Unkey's support staff.

Required string length: 3 - 255

Example:

"your_company"

apiId

string

required

The ID of the API that the keys should be inserted into

Required string length: 3 - 255

Example:

"api_123456789"

keys

object[]

required

Minimum array length: 1

Show child attributes

keys.hash

string

required

The current hash of the key on your side

Minimum string length: 3

Example:

"your_already_hashed_key"

keys.name

string

Sets a human-readable identifier for internal organization and dashboard display. Never exposed to end users, only visible in management interfaces and API responses. Avoid generic names like "API Key" when managing multiple keys for the same user or service.

Required string length: 1 - 255

Example:

"Payment Service Production Key"

keys.externalId

string

Links this key to a user or entity in your system using your own identifier. Returned during verification to identify the key owner without additional database lookups. Essential for user-specific analytics, billing, and multi-tenant key management. Use your primary user ID, organization ID, or tenant ID for best results. Accepts letters, numbers, underscores, dots, and hyphens for flexible identifier formats.

Required string length: 1 - 255

Example:

"user_1234abcd"

keys.meta

object

Stores arbitrary JSON metadata returned during key verification for contextual information. Eliminates additional database lookups during verification, improving performance for stateless services. Avoid storing sensitive data here as it's returned in verification responses. Large metadata objects increase verification latency and should stay under 10KB total size.

Example:

{
  "plan": "enterprise",
  "featureFlags": {
    "betaAccess": true,
    "concurrentConnections": 10
  },
  "customerName": "Acme Corp",
  "billing": {
    "tier": "premium",
    "renewal": "2024-12-31"
  }
}

keys.roles

string[]

Assigns existing roles to this key for permission management through role-based access control. Roles must already exist in your workspace before assignment. During verification, all permissions from assigned roles are checked against requested permissions. Roles provide a convenient way to group permissions and apply consistent access patterns across multiple keys.

Maximum array length: 100

Required string length: 1 - 100

Example:

["api_admin", "billing_reader"]

keys.permissions

string[]

Grants specific permissions directly to this key without requiring role membership. Wildcard permissions like documents.* grant access to all sub-permissions including documents.read and documents.write. Direct permissions supplement any permissions inherited from assigned roles.

Maximum array length: 1000

Required string length: 1 - 100

Example:

[
  "documents.read",
  "documents.write",
  "settings.view"
]

keys.expires

integer<int64>

Sets when this key automatically expires as a Unix timestamp in milliseconds. Verification fails with code=EXPIRED immediately after this time passes. Omitting this field creates a permanent key that never expires.

Avoid setting timestamps in the past as they immediately invalidate the key. Keys expire based on server time, not client time, which prevents timezone-related issues. Essential for trial periods, temporary access, and security compliance requiring key rotation.

Required range: 0 <= x <= 4102444800000

keys.enabled

boolean

default:true

Controls whether the key is active immediately upon creation. When set to false, the key exists but all verification attempts fail with code=DISABLED. Useful for pre-creating keys that will be activated later or for keys requiring manual approval. Most keys should be created with enabled=true for immediate use.

Example:

true

keys.credits

object

Controls usage-based limits through credit consumption with optional automatic refills. Unlike rate limits which control frequency, credits control total usage with global consistency. Essential for implementing usage-based pricing, subscription tiers, and hard usage quotas. Omitting this field creates unlimited usage, while setting null is not allowed during creation.

Show child attributes

keys.credits.remaining

integer<int64> | null

required

Number of credits remaining (null for unlimited).

Required range: 0 <= x <= 9223372036854776000

Example:

1000

keys.credits.refill

object

Configuration for automatic credit refill behavior.

Show child attributes

keys.credits.refill.interval

enum<string>

required

How often credits are automatically refilled.

Available options:

daily,

monthly

Example:

"daily"

keys.credits.refill.amount

integer<int64>

required

Number of credits to add during each refill cycle.

Required range: 1 <= x <= 9223372036854776000

Example:

1000

keys.credits.refill.refillDay

integer

Day of the month for monthly refills (1-31). Only required when interval is 'monthly'. For days beyond the month's length, refill occurs on the last day of the month.

Required range: 1 <= x <= 31

Example:

15

keys.ratelimits

object[]

Defines time-based rate limits that protect against abuse by controlling request frequency. Unlike credits which track total usage, rate limits reset automatically after each window expires. Multiple rate limits can control different operation types with separate thresholds and windows. Essential for preventing API abuse while maintaining good performance for legitimate usage.

Maximum array length: 50

Show child attributes

keys.ratelimits.name

string

required

The name of this rate limit. This name is used to identify which limit to check during key verification.

Best practices for limit names:

Use descriptive, semantic names like 'api_requests', 'heavy_operations', or 'downloads'
Be consistent with naming conventions across your application
Create separate limits for different resource types or operation costs
Consider using namespaced names for better organization (e.g., 'files.downloads', 'compute.training')

You will reference this exact name when verifying keys to check against this specific limit.

Required string length: 3 - 128

Example:

"api"

keys.ratelimits.limit

integer<int64>

required

The maximum number of operations allowed within the specified time window.

When this limit is reached, verification requests will fail with code=RATE_LIMITED until the window resets. The limit should reflect:

Your infrastructure capacity and scaling limitations
Fair usage expectations for your service
Different tier levels for various user types
The relative cost of the operations being limited

Higher values allow more frequent access but may impact service performance.

Required range: x >= 1

keys.ratelimits.duration

integer<int64>

required

The duration for each ratelimit window in milliseconds.

This controls how long the rate limit counter accumulates before resetting. Common values include:

1000 (1 second): For strict per-second limits on high-frequency operations
60000 (1 minute): For moderate API usage control
3600000 (1 hour): For less frequent but costly operations
86400000 (24 hours): For daily quotas

Shorter windows provide more frequent resets but may allow large burst usage. Longer windows provide more consistent usage patterns but take longer to reset after limit exhaustion.

Required range: x >= 1000

keys.ratelimits.autoApply

boolean

default:false

required

Whether this ratelimit should be automatically applied when verifying a key.

Example:

[
  {
    "name": "requests",
    "limit": 100,
    "duration": 60000,
    "autoApply": true
  },
  {
    "name": "heavy_operations",
    "limit": 10,
    "duration": 3600000,
    "autoApply": false
  }
]

Response

Successfully migrated keys.

Introduction

Endpoints

Authorizations

Body

Response