Skip to main content
Security is foundational to Unkey. We handle API keys for your production systems, so we take this responsibility seriously.

Key security principles

Keys are never stored in plaintext

We hash your API keys before storage. Even if our database were compromised, attackers couldn’t recover the original keys.

You control the lifecycle

Create, rotate, and revoke keys instantly. Changes propagate globally within seconds.

Minimal permissions by default

Root keys use explicit permissions. Grant only what’s needed for each use case.

Audit everything

Every key operation is logged. Know who did what, when, from where.

How API key storage works

When you create an API key through Unkey:
1

Key generation

We generate a cryptographically random key (e.g., sk_live_abc123xyz...)
2

Key returned to you (once)

The plaintext key is returned in the API response. This is the only time you’ll see it.
3

Hash stored

We compute a SHA-256 hash of the key and store only the hash in our database.
4

Verification

When a key is verified, we hash the provided key and compare it to the stored hash. Match = valid.
Your key:    sk_live_abc123xyz789...
Stored:      a3f2b8c9d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1
                     ↑ SHA-256 hash (cannot be reversed)
This is the same approach used by GitHub, Stripe, and other security-conscious platforms. Even with full database access, an attacker cannot recover your original keys.

Encryption at rest

For keys that require recovery (optional feature), we store encrypted versions in our secure vault:
  • Secrets are encrypted at rest using industry-standard encryption
  • A leak of vault data does not expose secrets
  • A leak of the main database does not expose secrets
  • A leak of the main encryption keys does not expose secrets
An attacker would need access to the vault, the main database, and the main encryption keys to decrypt secrets. We rotate encryption keys regularly and run vault on separate infrastructure from the main database.
By default, we only store key hashes, not encrypted keys. Key recovery is an opt-in feature that requires explicit permission.

Root keys

Root keys authenticate your requests to the Unkey API itself. They’re how you create, manage, and verify API keys programmatically. Best practices:
  • Use separate root keys for different environments (dev, staging, production)
  • Grant minimal permissions — only what each service needs
  • Rotate root keys periodically
  • Never commit root keys to version control
Learn more about root keys →

Infrastructure security

LayerProtection
TransportAll API traffic uses TLS 1.3. No plaintext connections accepted.
InfrastructureRequests are processed across our globally distributed infrastructure, with DDoS protection.
DatabaseEncrypted at rest and in transit. Regular backups with point-in-time recovery.
AccessInternal access requires multi-factor authentication and is logged.

Compliance & certifications

We’re actively working toward SOC 2 Type II certification. If you have specific compliance requirements, contact us to discuss.

Responsible disclosure

Found a security issue? We appreciate responsible disclosure.
  • Email: [email protected]
  • Please include steps to reproduce
  • We’ll acknowledge within 48 hours

More security features

Root Key Permissions

Fine-grained access control for your root keys

Key Recovery

Securely recover keys when needed

Delete Protection

Prevent accidental deletion of critical resources

Build docs developers (and LLMs) love

Get started for freeTalk to us