Once a key is generated, you can verify it using the verify endpoint. Our system verifies whether the key has the necessary permissions to perform the requested action(s). If the user’s role grants the required permissions, the request is allowed to proceed; otherwise, access is denied.

This will return valid if the key has the permission: admin

Single Permission

curl --request POST \
  --url https://api.unkey.dev/v1/keys.verifyKey \
  --header 'Content-Type: application/json' \
  --data '{
    "apiId": "api_1234",
    "key": "sk_1234",
    "authorization": {
      "permissions": "admin"
    }
  }'

Sometimes you just don’t know what permissions are required before loading resources from your database. In these cases you can manually check permissions as well.

1

Verify

Verify the key and all permissions that you already know before needing to query your database.

If the response is invalid, you can return early.

2

Query your database

The key is at least valid, so you can query our database to fetch more information.

3

Verify Permissions

The verification response from step 1 includes all permissions attached to the keys and looks something like this:

{
  valid: true,
  permissions: ["permission1", "permission2", ...]
  //... omited for brevity
}

Use the attached permissions and the context loaded from your database to determine if you should proceed handling the request or returning an authorization error.