Scripts · April 23, 2026 · 1 min read

Unkey — Open-Source API Key Management Platform

Unkey is an open-source API key management platform that lets developers create, validate, and rate-limit API keys with sub-millisecond verification and usage-based billing support.

Introduction

Unkey is an open-source platform for managing API keys at scale. It provides a fast key verification API, built-in rate limiting, usage tracking, and temporary key expiration so that developers building API products can focus on their core logic rather than building key infrastructure from scratch.

What Unkey Does

  • Creates API keys with optional metadata, expiration dates, and rate limit configurations
  • Verifies keys in under 10 milliseconds using a globally distributed edge network
  • Enforces rate limits per key with sliding window and fixed window algorithms
  • Tracks key usage analytics including verification counts, rate limit hits, and active keys
  • Supports temporary keys that automatically expire after a set duration or number of uses
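
The two rate-limit algorithms named above behave differently at a window boundary, which matters when the limit is meant as an abuse control. The following added example (not Unkey's code) replays the same burst through both: a fixed window accepts twice the limit within two seconds, while a sliding window holds the limit. The names Limiter, NewFixedWindow, NewSlidingWindow and Accepted are hypothetical, and the sliding window is modelled as a simple timestamp log, which is an assumption about one way to implement it.

```go
package main

import (
	"fmt"
	"time"
)

// Limiter reports whether a request arriving at time now is allowed.
type Limiter func(now time.Time) bool

// NewFixedWindow resets its counter at every aligned window boundary.
func NewFixedWindow(limit int, window time.Duration) Limiter {
	count, start := 0, time.Time{}
	return func(now time.Time) bool {
		if ws := now.Truncate(window); !ws.Equal(start) {
			start, count = ws, 0 // new window: the full quota is available again
		}
		count++
		return count <= limit
	}
}

// NewSlidingWindow logs accepted requests and counts those in the trailing window.
func NewSlidingWindow(limit int, window time.Duration) Limiter {
	var hits []time.Time
	return func(now time.Time) bool {
		for len(hits) > 0 && !hits[0].After(now.Add(-window)) {
			hits = hits[1:] // expire entries older than the window
		}
		if len(hits) >= limit {
			return false
		}
		hits = append(hits, now)
		return true
	}
}

// Accepted sends limit requests 1s before a minute boundary and limit more 1s after it.
func Accepted(l Limiter, limit int) (n int) {
	base := time.Date(2026, 1, 1, 0, 0, 59, 0, time.UTC) // constructed timestamp
	for i := 0; i < 2*limit; i++ {
		if l(base.Add(time.Duration(i/limit) * 2 * time.Second)) {
			n++
		}
	}
	return n
}

func main() { fmt.Println(Accepted(NewFixedWindow(5, time.Minute), 5), Accepted(NewSlidingWindow(5, time.Minute), 5)) }
```

With a limit of 5 per minute, the fixed window lets 10 requests through across the boundary and the sliding window lets 5 through.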

Architecture Overview

Unkey is built as a Next.js monorepo with a Go-based API service for high-performance key operations. Key data is stored in PlanetScale (MySQL-compatible) with a Cloudflare Workers layer for edge verification. The verification path uses a tiered cache: edge cache for hot keys, regional cache for warm lookups, and origin database as the source of truth. This architecture delivers consistent sub-10ms verification globally.

Self-Hosting & Configuration

  • Clone the monorepo and run locally with pnpm for development; requires Node.js 18+ and Go
  • Configure database connection via DATABASE_URL environment variable (MySQL-compatible)
  • Set UNKEY_ROOT_KEY for bootstrapping initial API access and workspace creation
  • Deploy the API service independently for production workloads behind a load balancer
  • Docker Compose setup available for running all services locally with dependencies

Key Features

  • Sub-10ms key verification at the edge with multi-tier caching for global distribution
  • Built-in rate limiting configurable per key with remaining quota returned in each response
  • Temporary keys with expiration by time or by number of remaining verifications
  • Key metadata for attaching custom JSON data (user IDs, plan tiers, permissions) to each key
  • Usage analytics dashboard showing verification volume, error rates, and active key counts

Comparison with Similar Tools

  • Auth0 M2M tokens — Machine-to-machine OAuth tokens; heavier setup, no usage-based limits
  • AWS API Gateway API keys — Tied to AWS infrastructure; no cross-cloud portability
  • Kong — Full API gateway with key auth as one plugin; much larger operational surface
  • Zuplo — API gateway with built-in key management; SaaS only, not self-hostable
  • Custom JWT-based auth — Requires building verification, rotation, and rate limiting yourself

FAQ

Q: How fast is key verification? A: Unkey verifies keys in under 10 milliseconds globally by using edge caching and a tiered lookup strategy that avoids round-trips to the origin database for hot keys.

Q: Can I attach custom data to API keys? A: Yes. Each key supports a metadata field where you can store arbitrary JSON such as user IDs, plan names, permission scopes, or any context your application needs.

Q: How do temporary keys work? A: You can set a key to expire after a specific timestamp or after a fixed number of successful verifications. Once the limit is reached, Unkey automatically rejects further requests with that key.

Q: Does Unkey handle billing? A: Unkey tracks usage per key, which you can use to build usage-based billing. It does not process payments directly but provides the verification count data needed to calculate charges.
