Skip to main content
Replace all permissions on a key with the specified set in a single atomic operation. Use this to synchronize with external systems, reset permissions to a known state, or apply standardized permission templates. Permissions granted through roles remain unchanged. Important: Changes take effect immediately with up to 30-second edge propagation.

Required Permissions

Your root key must have one of the following permissions:
  • api.*.update_key (to update keys in any API)
  • api.<api_id>.update_key (to update keys in a specific API)

Side Effects

Invalidates the key cache for immediate effect, and makes permission changes available for verification within 30 seconds across all regions.

Request

keyId
string
required
Specifies which key receives the additional permissions using the database identifier returned from keys.createKey.Do not confuse this with the actual API key string that users include in requests.Pattern: ^[a-zA-Z0-9_]+$Example: key_2cGKbMxRyIzhCxo1Idjz8q
permissions
array
The permissions to set for this key.This is a complete replacement operation - it overwrites all existing direct permissions with this new set.Key behaviors:
  • Providing an empty array removes all direct permissions from the key
  • This only affects direct permissions - permissions granted through roles are not affected
  • All existing direct permissions not included in this list will be removed
Any permissions that do not exist will be auto created if the root key has permissions, otherwise this operation will fail with a 403 error.Pattern: ^[a-zA-Z0-9_:\-\.\*]+$Example: ["documents.read", "documents.write"]

Response

permissions
array
required
Complete list of all permissions currently assigned to the key.Important: This list does NOT include permissions granted through roles. For a complete permission picture, use keys.getKey instead.

Examples

curl -X POST https://api.unkey.com/v2/keys.setPermissions \
  -H "Authorization: Bearer <UNKEY_ROOT_KEY>" \
  -H "Content-Type: application/json" \
  -d '{
    "keyId": "key_1234abcd",
    "permissions": ["documents.read", "documents.write"]
  }'

Remove All Permissions

curl -X POST https://api.unkey.com/v2/keys.setPermissions \
  -H "Authorization: Bearer <UNKEY_ROOT_KEY>" \
  -H "Content-Type: application/json" \
  -d '{
    "keyId": "key_1234abcd",
    "permissions": []
  }'

Response Example

{
  "meta": {
    "requestId": "req_abc123def456"
  },
  "data": [
    {
      "id": "perm_123",
      "name": "documents.read"
    },
    {
      "id": "perm_124",
      "name": "documents.write"
    }
  ]
}

Build docs developers (and LLMs) love

Get started for freeTalk to us