@unkey/api

Developer-friendly & type-safe Typescript SDK specifically catered to leverage @unkey/api API.

Summary

Unkey API: Unkey's API provides programmatic access for all resources within our platform.

Authentication

This API uses HTTP Bearer authentication with root keys. Most endpoints require specific permissions associated with your root key. When making requests, include your root key in the Authorization header:

Authorization: Bearer unkey_xxxxxxxxxxx

All responses follow a consistent envelope structure that separates operational metadata from actual data. This design provides several benefits:

• Debugging: Every response includes a unique requestId for tracing issues
• Consistency: Predictable response format across all endpoints
• Extensibility: Easy to add new metadata without breaking existing integrations
• Error Handling: Unified error format with actionable information

Success Response Format:

{
  "meta": {
    "requestId": "req_123456"
  },
  "data": {
    // Actual response data here
  }
}

The meta object contains operational information:

• requestId: Unique identifier for this request (essential for support)

The data object contains the actual response data specific to each endpoint.

Paginated Response Format:

{
  "meta": {
    "requestId": "req_123456"
  },
  "data": [
    // Array of results
  ],
  "pagination": {
    "cursor": "next_page_token",
    "hasMore": true
  }
}

The pagination object appears on list endpoints and contains:

• cursor: Token for requesting the next page
• hasMore: Whether more results are available

Error Response Format:

{
  "meta": {
    "requestId": "req_2c9a0jf23l4k567"
  },
  "error": {
    "detail": "The resource you are attempting to modify is protected and cannot be changed",
    "status": 403,
    "title": "Forbidden",
    "type": "https://unkey.com/docs/errors/unkey/application/protected_resource"
  }
}

Error responses include comprehensive diagnostic information:

• title: Human-readable error summary
• detail: Specific description of what went wrong
• status: HTTP status code
• type: Link to error documentation
• errors: Array of validation errors (for 400 responses)

This structure ensures you always have the context needed to debug issues and take corrective action.

Table of Contents

• @unkey/api
  • SDK Installation
  • Requirements
  • SDK Example Usage
  • Authentication
  • Available Resources and Operations
  • Standalone functions
  • Pagination
  • Retries
  • Error Handling
  • Server Selection
  • Custom HTTP Client
  • Debugging
• Development
  • Maturity
  • Contributions

SDK Installation

The SDK can be installed with either npm, pnpm, bun or yarn package managers.

NPM

npm add @unkey/api

PNPM

pnpm add @unkey/api

Bun

bun add @unkey/api

Yarn

yarn add @unkey/api

[!NOTE] This package is published with CommonJS and ES Modules (ESM) support.

Requirements

For supported JavaScript runtimes, please consult RUNTIMES.md.

SDK Example Usage

Example

import { Unkey } from "@unkey/api";

const unkey = new Unkey({
  rootKey: process.env["UNKEY_ROOT_KEY"] ?? "",
});

async function run() {
  const result = await unkey.analytics.getVerifications({
    query:
      "SELECT COUNT(*) as total FROM key_verifications_v1 WHERE outcome = 'VALID' AND time >= now() - INTERVAL 7 DAY",
  });

  console.log(result);
}

run();

Authentication

Per-Client Security Schemes

This SDK supports the following security scheme globally:

| Name | Type | Scheme | Environment Variable | | --------- | ---- | ----------- | -------------------- | | rootKey | http | HTTP Bearer | UNKEY_ROOT_KEY |

To authenticate with the API the rootKey parameter must be set when initializing the SDK client instance. For example:

import { Unkey } from "@unkey/api";

const unkey = new Unkey({
  rootKey: process.env["UNKEY_ROOT_KEY"] ?? "",
});

async function run() {
  const result = await unkey.analytics.getVerifications({
    query:
      "SELECT COUNT(*) as total FROM key_verifications_v1 WHERE outcome = 'VALID' AND time >= now() - INTERVAL 7 DAY",
  });

  console.log(result);
}

run();

Available Resources and Operations

analytics

• getVerifications - Query key verification data

apis

• createApi - Create API namespace
• deleteApi - Delete API namespace
• getApi - Get API namespace
• listKeys - List API keys

identities

• createIdentity - Create Identity
• deleteIdentity - Delete Identity
• getIdentity - Get Identity
• listIdentities - List Identities
• updateIdentity - Update Identity

keys

• addPermissions - Add key permissions
• addRoles - Add key roles
• createKey - Create API key
• deleteKey - Delete API keys
• getKey - Get API key
• migrateKeys - Migrate API key(s)
• removePermissions - Remove key permissions
• removeRoles - Remove key roles
• rerollKey - Reroll Key
• setPermissions - Set key permissions
• setRoles - Set key roles
• updateCredits - Update key credits
• updateKey - Update key settings
• verifyKey - Verify API key
• whoami - Get API key by hash

permissions

• createPermission - Create permission
• createRole - Create role
• deletePermission - Delete permission
• deleteRole - Delete role
• getPermission - Get permission
• getRole - Get role
• listPermissions - List permissions
• listRoles - List roles

ratelimit

• deleteOverride - Delete ratelimit override
• getOverride - Get ratelimit override
• limit - Apply rate limiting
• listOverrides - List ratelimit overrides
• multiLimit - Apply multiple rate limit checks
• setOverride - Set ratelimit override

Standalone functions

All the methods listed above are available as standalone functions. These functions are ideal for use in applications running in the browser, serverless runtimes or other environments where application bundle size is a primary concern. When using a bundler to build your application, all unused functionality will be either excluded from the final bundle or tree-shaken away.

To read more about standalone functions, check FUNCTIONS.md.

• analyticsGetVerifications - Query key verification data
• apisCreateApi - Create API namespace
• apisDeleteApi - Delete API namespace
• apisGetApi - Get API namespace
• apisListKeys - List API keys
• identitiesCreateIdentity - Create Identity
• identitiesDeleteIdentity - Delete Identity
• identitiesGetIdentity - Get Identity
• identitiesListIdentities - List Identities
• identitiesUpdateIdentity - Update Identity
• keysAddPermissions - Add key permissions
• keysAddRoles - Add key roles
• keysCreateKey - Create API key
• keysDeleteKey - Delete API keys
• keysGetKey - Get API key
• keysMigrateKeys - Migrate API key(s)
• keysRemovePermissions - Remove key permissions
• keysRemoveRoles - Remove key roles
• keysRerollKey - Reroll Key
• keysSetPermissions - Set key permissions
• keysSetRoles - Set key roles
• keysUpdateCredits - Update key credits
• keysUpdateKey - Update key settings
• keysVerifyKey - Verify API key
• keysWhoami - Get API key by hash
• permissionsCreatePermission - Create permission
• permissionsCreateRole - Create role
• permissionsDeletePermission - Delete permission
• permissionsDeleteRole - Delete role
• permissionsGetPermission - Get permission
• permissionsGetRole - Get role
• permissionsListPermissions - List permissions
• permissionsListRoles - List roles
• ratelimitDeleteOverride - Delete ratelimit override
• ratelimitGetOverride - Get ratelimit override
• ratelimitLimit - Apply rate limiting
• ratelimitListOverrides - List ratelimit overrides
• ratelimitMultiLimit - Apply multiple rate limit checks
• ratelimitSetOverride - Set ratelimit override

Pagination

Some of the endpoints in this SDK support pagination. To use pagination, you make your SDK calls as usual, but the returned response object will also be an async iterable that can be consumed using the for await...of syntax.

Here's an example of one such pagination call:

import { Unkey } from "@unkey/api";

const unkey = new Unkey({
  rootKey: process.env["UNKEY_ROOT_KEY"] ?? "",
});

async function run() {
  const result = await unkey.identities.listIdentities({
    limit: 50,
  });

  for await (const page of result) {
    console.log(page);
  }
}

run();

Retries

Some of the endpoints in this SDK support retries. If you use the SDK without any configuration, it will fall back to the default retry strategy provided by the API. However, the default retry strategy can be overridden on a per-operation basis, or across the entire SDK.

To change the default retry strategy for a single API call, simply provide a retryConfig object to the call:

import { Unkey } from "@unkey/api";

const unkey = new Unkey({
  rootKey: process.env["UNKEY_ROOT_KEY"] ?? "",
});

async function run() {
  const result = await unkey.analytics.getVerifications({
    query:
      "SELECT COUNT(*) as total FROM key_verifications_v1 WHERE outcome = 'VALID' AND time >= now() - INTERVAL 7 DAY",
  }, {
    retries: {
      strategy: "backoff",
      backoff: {
        initialInterval: 1,
        maxInterval: 50,
        exponent: 1.1,
        maxElapsedTime: 100,
      },
      retryConnectionErrors: false,
    },
  });

  console.log(result);
}

run();

If you'd like to override the default retry strategy for all operations that support retries, you can provide a retryConfig at SDK initialization:

import { Unkey } from "@unkey/api";

const unkey = new Unkey({
  retryConfig: {
    strategy: "backoff",
    backoff: {
      initialInterval: 1,
      maxInterval: 50,
      exponent: 1.1,
      maxElapsedTime: 100,
    },
    retryConnectionErrors: false,
  },
  rootKey: process.env["UNKEY_ROOT_KEY"] ?? "",
});

async function run() {
  const result = await unkey.analytics.getVerifications({
    query:
      "SELECT COUNT(*) as total FROM key_verifications_v1 WHERE outcome = 'VALID' AND time >= now() - INTERVAL 7 DAY",
  });

  console.log(result);
}

run();

Error Handling

UnkeyError is the base class for all HTTP error responses. It has the following properties:

| Property | Type | Description | | ------------------- | ---------- | --------------------------------------------------------------------------------------- | | error.message | string | Error message | | error.statusCode | number | HTTP response status code eg 404 | | error.headers | Headers | HTTP response headers | | error.body | string | HTTP body. Can be empty string if no body is returned. | | error.rawResponse | Response | Raw HTTP response | | error.data$ | | Optional. Some errors may contain structured data. See Error Classes. |

Example

import { Unkey } from "@unkey/api";
import * as errors from "@unkey/api/models/errors";

const unkey = new Unkey({
  rootKey: process.env["UNKEY_ROOT_KEY"] ?? "",
});

async function run() {
  try {
    const result = await unkey.analytics.getVerifications({
      query:
        "SELECT COUNT(*) as total FROM key_verifications_v1 WHERE outcome = 'VALID' AND time >= now() - INTERVAL 7 DAY",
    });

    console.log(result);
  } catch (error) {
    // The base class for HTTP error responses
    if (error instanceof errors.UnkeyError) {
      console.log(error.message);
      console.log(error.statusCode);
      console.log(error.body);
      console.log(error.headers);

      // Depending on the method different errors may be thrown
      if (error instanceof errors.BadRequestErrorResponse) {
        console.log(error.data$.meta); // components.Meta
        console.log(error.data$.error); // components.BadRequestErrorDetails
      }
    }
  }
}

run();

Error Classes

Primary errors:

• UnkeyError: The base class for HTTP error responses.
  • BadRequestErrorResponse: Error response for invalid requests that cannot be processed due to client-side errors. This typically occurs when request parameters are missing, malformed, or fail validation rules. The response includes detailed information about the specific errors in the request, including the location of each error and suggestions for fixing it. When receiving this error, check the 'errors' array in the response for specific validation issues that need to be addressed before retrying. Status code 400.
  • UnauthorizedErrorResponse: Error response when authentication has failed or credentials are missing. This occurs when: - No authentication token is provided in the request - The provided token is invalid, expired, or malformed - The token format doesn't match expected patterns To resolve this error, ensure you're including a valid root key in the Authorization header. Status code 401.
  • ForbiddenErrorResponse: Error response when the provided credentials are valid but lack sufficient permissions for the requested operation. This occurs when: - The root key doesn't have the required permissions for this endpoint - The operation requires elevated privileges that the current key lacks - Access to the requested resource is restricted based on workspace settings To resolve this error, ensure your root key has the necessary permissions or contact your workspace administrator. Status code 403.
  • InternalServerErrorResponse: Error response when an unexpected error occurs on the server. This indicates a problem with Unkey's systems rather than your request. When you encounter this error: - The request ID in the response can help Unkey support investigate the issue - The error is likely temporary and retrying may succeed - If the error persists, contact Unkey support with the request ID. Status code 500.
  • NotFoundErrorResponse: Error response when the requested resource cannot be found. This occurs when: - The specified resource ID doesn't exist in your workspace - The resource has been deleted or moved - The resource exists but is not accessible with current permissions To resolve this error, verify the resource ID is correct and that you have access to it. Status code 404. *

Network errors:

• ConnectionError: HTTP client was unable to make a request to a server.
• RequestTimeoutError: HTTP request timed out due to an AbortSignal signal.
• RequestAbortedError: HTTP request was aborted by the client.
• InvalidRequestError: Any input used to create a request is invalid.
• UnexpectedClientError: Unrecognised or unexpected error.

Inherit from UnkeyError:

• ConflictErrorResponse: Error response when the request conflicts with the current state of the resource. This occurs when: - Attempting to create a resource that already exists - Modifying a resource that has been changed by another operation - Violating unique constraints or business rules To resolve this error, check the current state of the resource and adjust your request accordingly. Status code 409. Applicable to 3 of 39 methods.*
• GoneErrorResponse: Error response when the requested resource has been soft-deleted and is no longer available. This occurs when: - The resource has been marked as deleted but still exists in the database - The resource is intentionally unavailable but could potentially be restored - The resource cannot be restored through the API or dashboard To resolve this error, contact support if you need the resource restored. Status code 410. Applicable to 2 of 39 methods.*
• PreconditionFailedErrorResponse: Error response when one or more conditions specified in the request headers are not met. This typically occurs when: - Using conditional requests with If-Match or If-None-Match headers - The resource version doesn't match the expected value - Optimistic concurrency control detects a conflict To resolve this error, fetch the latest version of the resource and retry with updated conditions. Status code 412. Applicable to 1 of 39 methods.*
• UnprocessableEntityErrorResponse: Error response when the request is syntactically valid but cannot be processed due to semantic constraints or resource limitations. This occurs when: - A query exceeds execution time limits - A query uses more memory than allowed - A query scans too many rows - A query result exceeds size limits The request syntax is correct, but the operation cannot be completed due to business rules or resource constraints. Review the error details for specific limitations and adjust your request accordingly. Status code 422. Applicable to 1 of 39 methods.*
• TooManyRequestsErrorResponse: Error response when the client has sent too many requests in a given time period. This occurs when you've exceeded a rate limit or quota for the resource you're accessing. The rate limit resets automatically after the time window expires. To avoid this error: - Implement exponential backoff when retrying requests - Cache results where appropriate to reduce request frequency - Check the error detail message for specific quota information - Contact support if you need a higher quota for your use case. Status code 429. Applicable to 1 of 39 methods.*
• ServiceUnavailableErrorResponse: Error response when a required service is temporarily unavailable. This indicates that the service exists but cannot be reached or is not responding. When you encounter this error: - The service is likely experiencing temporary issues - Retrying the request after a short delay may succeed - If the error persists, the service may be undergoing maintenance - Contact Unkey support if the issue continues. Status code 503. Applicable to 1 of 39 methods.*
• ResponseValidationError: Type mismatch between the data returned from the server and the structure expected by the SDK. See error.rawValue for the raw value and error.pretty() for a nicely formatted multi-line string.

* Check the method documentation to see if the error is applicable.

Server Selection

Override Server URL Per-Client

The default server can be overridden globally by passing a URL to the serverURL: string optional parameter when initializing the SDK client instance. For example:

import { Unkey } from "@unkey/api";

const unkey = new Unkey({
  serverURL: "https://api.unkey.com",
  rootKey: process.env["UNKEY_ROOT_KEY"] ?? "",
});

async function run() {
  const result = await unkey.analytics.getVerifications({
    query:
      "SELECT COUNT(*) as total FROM key_verifications_v1 WHERE outcome = 'VALID' AND time >= now() - INTERVAL 7 DAY",
  });

  console.log(result);
}

run();

Custom HTTP Client

The TypeScript SDK makes API calls using an HTTPClient that wraps the native Fetch API. This client is a thin wrapper around fetch and provides the ability to attach hooks around the request lifecycle that can be used to modify the request or handle errors and response.

The HTTPClient constructor takes an optional fetcher argument that can be used to integrate a third-party HTTP client or when writing tests to mock out the HTTP client and feed in fixtures.

The following example shows how to use the "beforeRequest" hook to to add a custom header and a timeout to requests and how to use the "requestError" hook to log errors:

import { Unkey } from "@unkey/api";
import { HTTPClient } from "@unkey/api/lib/http";

const httpClient = new HTTPClient({
  // fetcher takes a function that has the same signature as native `fetch`.
  fetcher: (request) => {
    return fetch(request);
  }
});

httpClient.addHook("beforeRequest", (request) => {
  const nextRequest = new Request(request, {
    signal: request.signal || AbortSignal.timeout(5000)
  });

  nextRequest.headers.set("x-custom-header", "custom value");

  return nextRequest;
});

httpClient.addHook("requestError", (error, request) => {
  console.group("Request Error");
  console.log("Reason:", `${error}`);
  console.log("Endpoint:", `${request.method} ${request.url}`);
  console.groupEnd();
});

const sdk = new Unkey({ httpClient: httpClient });

Debugging

You can setup your SDK to emit debug logs for SDK requests and responses.

You can pass a logger that matches console's interface as an SDK option.

[!WARNING] Beware that debug logging will reveal secrets, like API tokens in headers, in log messages printed to a console or files. It's recommended to use this feature only during local development and not in production.

import { Unkey } from "@unkey/api";

const sdk = new Unkey({ debugLogger: console });

You can also enable a default debug logger by setting an environment variable UNKEY_DEBUG to true.

Development

Maturity

This SDK is in beta, and there may be breaking changes between versions without a major version update. Therefore, we recommend pinning usage to a specific package version. This way, you can install the same version each time without breaking changes unless you are intentionally looking for the latest version.

Contributions

While we value open-source contributions to this SDK, this library is generated programmatically. Any manual changes added to internal files will be overwritten on the next generation. We look forward to hearing your feedback. Feel free to open a PR or an issue with a proof of concept and we'll do our best to include it in a future release.

SDK Created by Speakeasy