Skip to main content
Unkey Deploy is currently in private beta. To get access, reach out on Discord or email support@unkey.com.
The API key authentication policy verifies Unkey API keys before requests reach your app. On success, it produces a Principal containing the key’s identity, metadata, roles, and permissions.

Configure API key authentication

To enable API key authentication for your deployment:
  1. Navigate to your project’s Sentinel Policies page from the sidebar.
  2. Click Add policy.
  3. Select Key Auth as the policy type.
  4. Choose one or more keyspaces to verify against.
  5. Optionally configure match conditions, a custom key location, or a permission query.
  6. Select which environments (production, preview, or both) to enable the policy for.
  7. Save the policy.
Once configured, the Sentinel verifies every incoming request that matches the policy’s conditions against the selected keyspaces. Requests without a valid API key receive a 401 response and never reach your app.

How verification works

The Sentinel extracts the API key from the Authorization header (as a Bearer token) and verifies it against your configured keyspaces. The following checks run in order:
  1. Existence. The key must belong to one of the configured keyspaces.
  2. Status. The key must not be disabled or revoked.
  3. Expiration. The key must not have passed its expiration timestamp.
  4. Credits. If remaining credits are configured, at least one credit must be available. Verification deducts one credit.
  5. Rate limits. All rate limit configurations attached to the key are evaluated. See rate limiting for details on response headers and behavior.
  6. Permissions. If a permission query is configured, the key must satisfy it.
If all checks pass, the Sentinel produces a Principal and forwards the request with the X-Unkey-Principal header. See the API key source for the full list of fields your app receives, including roles, permissions, and key metadata.

Key location

By default, the Sentinel extracts the API key from the Authorization header as a Bearer token. You can override this by adding a custom key location when creating or editing a policy:
LocationDescriptionExample
BearerExtract from the Authorization: Bearer <key> header (default)Authorization: Bearer sk_123
HeaderExtract from a custom header, with an optional prefix to stripX-API-Key: sk_123
Query paramExtract from a URL query parameter?api_key=sk_123

Permission query

You can enforce Unkey RBAC permissions directly in the Sentinel by setting a permission query on a policy. If the authenticated key lacks the required permissions, the request receives a 403 response before reaching your app. Permission queries support AND and OR operators:
  • api.read AND api.write requires both permissions
  • api.read OR api.write requires either permission

Error responses

ScenarioStatusDescription
No credentials provided401The request is missing an API key
Invalid, disabled, or expired key401The API key failed verification
Insufficient permissions403The key lacks required permissions
Rate limit exceeded429The key’s rate limit was exceeded
Last modified on April 16, 2026