DEV Community

Alex Spinov
Alex Spinov

Posted on

Unkey Has a Free API Key Management API for SaaS Developers

#unkey #api #saas #security

Unkey provides API key management as a service — create, validate, rate limit, and revoke API keys with a simple REST API. No more building auth middleware from scratch.

Create an API Key 

const response = await fetch('https://api.unkey.dev/v1/keys.createKey', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer unkey_root_key',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    apiId: 'api_123',
    prefix: 'sk',
    ownerId: 'user_456',
    meta: { plan: 'pro', team: 'engineering' },
    ratelimit: { type: 'fast', limit: 100, refillRate: 10, refillInterval: 1000 },
    expires: Date.now() + 30 * 24 * 60 * 60 * 1000 // 30 days
  })
});

const { key } = await response.json();
// key = "sk_1234567890abcdef"
Enter fullscreen mode Exit fullscreen mode

Validate a Key 

const validation = await fetch('https://api.unkey.dev/v1/keys.verifyKey', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ key: 'sk_1234567890abcdef' })
});

const { valid, ownerId, meta, ratelimit } = await validation.json();

if (!valid) {
  return new Response('Unauthorized', { status: 401 });
}
// valid = true, ownerId = "user_456", meta = { plan: "pro" }
Enter fullscreen mode Exit fullscreen mode

Express Middleware 

import { verifyKey } from '@unkey/api';

async function authMiddleware(req, res, next) {
  const key = req.headers['x-api-key'];
  if (!key) return res.status(401).json({ error: 'Missing API key' });

  const { result, error } = await verifyKey(key);

  if (error || !result.valid) {
    return res.status(401).json({ error: 'Invalid API key' });
  }

  if (result.ratelimit?.remaining === 0) {
    return res.status(429).json({ error: 'Rate limited' });
  }

  req.apiKeyOwner = result.ownerId;
  req.apiKeyMeta = result.meta;
  next();
}
Enter fullscreen mode Exit fullscreen mode

Key Management 

# List keys
curl https://api.unkey.dev/v1/apis.listKeys?apiId=api_123 \
  -H "Authorization: Bearer root_key"

# Revoke key
curl -X POST https://api.unkey.dev/v1/keys.deleteKey \
  -H "Authorization: Bearer root_key" \
  -d '{"keyId":"key_789"}'

# Update remaining uses
curl -X POST https://api.unkey.dev/v1/keys.updateKey \
  -H "Authorization: Bearer root_key" \
  -d '{"keyId":"key_789","remaining":1000}'
Enter fullscreen mode Exit fullscreen mode

Why This Matters

  • No more DIY auth: API key management in minutes
  • Built-in rate limiting: Per-key rate limits out of the box
  • Usage tracking: Know who uses what and how much
  • Free tier: 2,500 verifications/month

Need custom API management tools or SaaS infrastructure? I build developer tools. Check out my web scraping actors on Apify or reach out at spinov001@gmail.com for custom solutions.

Top comments (0)