Security is foundational to Unkey. We handle API keys for your production systems, so we take this responsibility seriously.

Key security principles

Keys are never stored in plaintext

We hash your API keys before storage. Even if our database were compromised, attackers couldn’t recover the original keys.

You control the lifecycle

Create, rotate, and revoke keys instantly. Changes propagate globally within seconds.

Minimal permissions by default

Root keys use explicit permissions. Grant only what’s needed for each use case.

Audit everything

Every key operation is logged. Know who did what, when, from where.

How API key storage works

When you create an API key through Unkey:
  1. Key generation: We generate a cryptographically random key (e.g., sk_live_abc123xyz...).
  2. Key returned to you (once): The plaintext key is returned in the API response. This is the only time you’ll see it.
  3. Hash stored: We compute a SHA-256 hash of the key and store only the hash in our database.
  4. Verification: When a key is verified, we hash the provided key and compare it to the stored hash. A match means the key is valid.
Your key:    sk_live_abc123xyz789...
Stored:      a3f2b8c9d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1
                     ↑ SHA-256 hash (cannot be reversed)
This is the same approach used by GitHub, Stripe, and other security-conscious platforms. Even with full database access, an attacker cannot recover your original keys.
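To make the four steps concrete, here is an added Go sketch of the generate, store-hash, verify and revoke flow described above. It is not Unkey's own code; the keyStore type, its method names and the 192-bit key length are assumptions chosen for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
)

// keyStore stands in for the database table: it maps the hex SHA-256 digest
// of a key to that key's ID, so plaintext never reaches storage.
type keyStore struct{ byHash map[string]string }
func newKeyStore() *keyStore { return &keyStore{byHash: map[string]string{}} }

// hashKey returns the lowercase hex SHA-256 of a plaintext key. No salt is
// needed: the key is 192 random bits, not a guessable password.
func hashKey(plain string) string {
	sum := sha256.Sum256([]byte(plain))
	return hex.EncodeToString(sum[:])
}

// createKey draws a random key under prefix, stores only its hash, and
// returns the plaintext exactly once; the caller must show it to the user now.
func (s *keyStore) createKey(prefix, id string) (string, error) {
	raw := make([]byte, 24) // 192 bits from the OS CSPRNG
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	plain := prefix + "_" + base64.RawURLEncoding.EncodeToString(raw)
	s.byHash[hashKey(plain)] = id
	return plain, nil
}

// verifyKey hashes the presented key and looks the digest up; a leaked table
// holds only digests, which cannot be turned back into keys.
func (s *keyStore) verifyKey(presented string) (string, bool) {
	id, ok := s.byHash[hashKey(presented)]
	return id, ok
}

// revokeKey deletes the record by key ID; the plaintext is never required.
func (s *keyStore) revokeKey(id string) bool {
	for h, storedID := range s.byHash {
		if storedID == id {
			delete(s.byHash, h)
			return true
		}
	}
	return false
}
```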

Root keys

Root keys authenticate your requests to the Unkey API itself. They’re how you create, manage, and verify API keys programmatically. Best practices:
  • Use separate root keys for different environments (dev, staging, production)
  • Grant minimal permissions — only what each service needs
  • Rotate root keys periodically
  • Never commit root keys to version control
Learn more about root keys →

Infrastructure security

Layer           Protection
Transport       All API traffic uses TLS 1.3. No plaintext connections accepted.
Infrastructure  Requests are processed across our globally distributed infrastructure, with DDoS protection.
Database        Encrypted at rest and in transit. Regular backups with point-in-time recovery.
Access          Internal access requires multi-factor authentication and is logged.

Compliance & certifications

We’re actively working toward SOC 2 Type II certification. If you have specific compliance requirements, contact us to discuss.

Responsible disclosure

Found a security issue? We appreciate responsible disclosure.
  • Email: security@unkey.dev
  • Please include steps to reproduce
  • We’ll acknowledge within 48 hours

Last modified on February 14, 2026