Skip to main content
Remove permissions from a key without affecting existing roles or other permissions. Use this for privilege downgrades, removing temporary access, or plan changes that revoke specific capabilities. Permissions granted through roles remain unchanged. Important: Changes take effect immediately with up to 30-second edge propagation.

Required Permissions

Your root key must have one of the following permissions:
  • api.*.update_key (to update keys in any API)
  • api.<api_id>.update_key (to update keys in a specific API)

Side Effects

Invalidates the key cache for immediate effect, and makes permission changes available for verification within 30 seconds across all regions.

Request

keyId
string
required
Specifies which key to remove permissions from using the database identifier returned from keys.createKey.Do not confuse this with the actual API key string that users include in requests.Pattern: ^[a-zA-Z0-9_]+$Example: key_2cGKbMxRyIzhCxo1Idjz8q
permissions
array
required
Removes direct permissions from the key without affecting role-based permissions.You can either use a permission slug, or the permission ID.After removal, verification checks for these permissions will fail unless granted through roles.Pattern: ^[a-zA-Z0-9_:\-\.\*]+$Min items: 1Max items: 1000Example: ["documents.write", "settings.admin"]

Response

permissions
array
required
Complete list of all permissions remaining after the removal.Important: This list does NOT include permissions granted through roles.

Examples

curl -X POST https://api.unkey.com/v2/keys.removePermissions \
  -H "Authorization: Bearer <UNKEY_ROOT_KEY>" \
  -H "Content-Type: application/json" \
  -d '{
    "keyId": "key_1234abcd",
    "permissions": ["documents.write", "settings.admin"]
  }'

Response Example

{
  "meta": {
    "requestId": "req_abc123def456"
  },
  "data": [
    {
      "id": "perm_123",
      "name": "documents.read"
    }
  ]
}

Build docs developers (and LLMs) love

Get started for freeTalk to us