Skip to content

Application Development

Unkey
API integration

Ship Application Development features without building the integration. Full Unkey API access via Proxy and 40+ MCP-ready tools for AI agents — extend models and mappings to fit your product.

Talk to us
Unkey

Use Cases

Why integrate with Unkey

Common scenarios for SaaS companies building Unkey integrations for their customers.

01

Automate usage-based billing on API consumption

Billing and monetization platforms can query verification analytics from their customers' Unkey workspaces to construct usage-based invoices, and disable keys instantly when payments fail. This removes the need to build a custom metering pipeline for every customer.

02

Sync tenants and rate limits from your Auth/IdP

Identity providers and B2B auth platforms can mirror their organization model into Unkey by provisioning identities and pushing rate limit overrides when plans change. This keeps edge-level gateway policy perfectly aligned with the customer's subscription state.

03

Embed API key management inside developer docs

Documentation platforms and developer portals can mint sandboxed keys on demand and drop a hosted Unkey management portal directly into their UI. End-developers get interactive 'Try It' functionality without the docs vendor building a full key management stack.

04

Power prepaid credit and token top-ups for AI products

AI platforms and API monetization tools can push credit balances directly onto their customers' Unkey keys after a top-up purchase. Credit enforcement happens at the edge, so the SaaS product avoids adding latency-heavy quota checks to every request.

05

Deliver RBAC and permission provisioning to end customers

Platforms managing developer workflows can programmatically create roles, permissions, and assign them to keys inside their users' Unkey accounts. This lets customers ship fine-grained access control on their APIs without building a permission engine.

What You Can Build

Ship these features with Truto + Unkey

Concrete product features your team can ship faster by leveraging Truto’s Unkey integration instead of building from scratch.

01

SQL-powered usage dashboards

Run raw SELECT queries against Unkey's verification analytics to render request volumes, latency, and rejection breakdowns for each of your customers inside your product.

02

Automatic key suspension on billing events

Toggle `enabled: false` on specific keys the moment an invoice fails, a trial expires, or a customer is offboarded — enforced globally at the edge.

03

Plan-tier rate limit sync

Push rate limit overrides to specific identities whenever a customer upgrades, downgrades, or hits an abuse threshold in your SaaS.

04

Credit top-up and metering

Increment or decrement credit balances on individual keys in response to purchases, refunds, or manual grants from your admin panel.

05

Embedded key management portal

Generate short-lived Unkey portal sessions and redirect end-users into a white-labeled UI for creating, rotating, and revoking their keys — no dashboard build required.

06

Tenant-to-identity provisioning

Map your internal organization or workspace IDs to Unkey identities via `externalId`, so all keys under a tenant share rate limits and quotas automatically.

SuperAI

Unkey AI agent tools

Comprehensive AI agent toolset with fine-grained control. Integrates with MCP clients like Cursor and Claude, or frameworks like LangChain.

unkey_analytics_get_verifications

Execute a SELECT SQL query against key verification analytics in Unkey. Returns a meta object with requestId and a data array of verification rows whose fields match your SQL SELECT clause. Only SELECT queries are allowed. Required: query.

create_a_unkey_api

Create a new API namespace in Unkey. Returns the created namespace's api_id and request metadata. Required: name.

delete_a_unkey_api_by_id

Delete an Unkey API namespace by id. Returns request metadata and an empty data object on success. Required: id.

get_single_unkey_api_by_id

Get an Unkey API namespace by id. Returns the API namespace including id and name. Required: id.

unkey_apis_list_keys

List API keys for an Unkey API namespace. Returns: keyId, start, enabled, name, meta, createdAt, updatedAt, lastUsedAt, expires, permissions, roles, credits, identity, plaintext, ratelimits. Required: apiId.

create_a_unkey_deployment

Create a new deployment in Unkey from a pre-built Docker image. Returns the deployment id. Internal endpoint; not recommended for production use. Required: project, app, branch, environmentSlug, dockerImage.

get_single_unkey_deployment_by_id

Get deployment information in Unkey including status, error messages, and deployment steps. Returns: meta, data, id. Internal endpoint; not recommended for production use. Required: id.

create_a_unkey_identity

Create an identity in Unkey to group API keys under a single entity with shared metadata and rate limits. Returns the created identity with id, externalId, meta, and ratelimits, plus request metadata. Required: externalId.

delete_a_unkey_identity_by_id

Permanently delete an identity in Unkey. This operation cannot be undone. Returns only the request metadata (requestId). Required: id.

get_single_unkey_identity_by_id

Get an identity in Unkey by id. Returns the identity's id, externalId, meta, and ratelimits. Required: id.

list_all_unkey_identities

List identities in Unkey. Returns identities, a cursor, and a total count. Max 100 per page, defaults to 100.

update_a_unkey_identity_by_id

Update an identity's metadata and rate limits in Unkey. Only specified fields are modified. Returns the updated identity's id, externalId, meta, and ratelimits. Required: id.

unkey_keys_add_permissions

Add permissions to an Unkey key without replacing existing ones. Returns: id, name, slug, description. Required: keyId, permissions.

unkey_keys_add_roles

Add roles to an Unkey key without replacing existing roles or permissions. Returns: id, name, description, permissions. Required: keyId, roles.

create_a_unkey_key

Create a new Unkey API key. Returns: meta, data. The plaintext key is returned only once. Required: apiId.

delete_a_unkey_key_by_id

Delete an Unkey key by keyId. Returns: meta, data. Defaults to soft deletion. Required: id.

get_single_unkey_key_by_id

Get details of an Unkey key by id. Returns: meta, data. Required: id.

unkey_keys_get_by_hash

Look up an Unkey API key by its full key string. Returns meta and data; data contains the key record with keyId, enabled, name, permissions, roles, and credits. Required: key.

unkey_keys_migrate

Migrate pre-hashed API keys into an Unkey API. Returns meta and data; data contains the migration outcome with migrated entries (hash + keyId) and any failed hashes. Required: migrationId, apiId, keys.

unkey_keys_remove_permissions

Remove direct permissions from an Unkey key without affecting its roles. Returns meta and data; data lists the remaining direct permissions with id, name, slug, and description. Changes take up to 30 seconds to propagate. Required: keyId, permissions.

unkey_keys_remove_roles

Remove roles from an Unkey key without affecting its direct permissions. Returns meta and data; data lists the remaining roles with id, name, description, and permissions. Changes take up to 30 seconds to propagate. Required: keyId, roles.

unkey_keys_reroll

Generate a new Unkey API key while preserving an existing key's configuration. Returns meta and data; data contains the new keyId and key. Required: keyId, expiration.

unkey_keys_set_permissions

Replace all direct permissions on an Unkey key in one atomic operation. Returns meta and data: the updated permission list in data, including each permission's id, name, slug, and description. Changes may take up to 30 seconds to propagate across all edge regions. Required: keyId, permissions.

unkey_keys_set_roles

Replace all roles on an Unkey key in one atomic operation. Returns meta and data: the updated role list in data, including each role's id, name, description, and nested permissions. Changes may take up to 30 seconds to propagate across all edge regions. Required: keyId, roles.

unkey_keys_update_credits

Update a Unkey key's credit balance. Returns meta and data: the updated credit balance in data, including remaining and refill settings. Provide value when incrementing or decrementing; set value to null for unlimited credits. Required: keyId, operation.

update_a_unkey_key_by_id

Update an existing Unkey API key's settings. Supports partial updates such as name, metadata, expiration, credits, rate limits, roles, permissions, and enabled status. Returns meta and data: an empty data object confirming success. Changes take effect immediately but may take up to 30 seconds to propagate to all edge regions. Required: id.

unkey_keys_verify

Verify an Unkey API key's validity, permissions, rate limits, and usage quota for request authentication. Returns meta and data: the verification result including valid, keyId, name, meta, expires, credits, enabled, permissions, roles, identity, and ratelimits. Always returns HTTP 200; check the valid field to determine authorization. Required: key.

unkey_keys_whoami

Get information about an Unkey API key by its full key string. Returns the key object under `data` including keyId, start, enabled, createdAt, permissions, roles, credits, and ratelimits. Required: key.

list_all_unkey_liveness

Check the health status of the Unkey API. Returns the service health object including requestId, message, and response metadata. No authentication required.

create_a_unkey_permission

Create a new permission in Unkey. Returns the response envelope with meta and data containing permissionId. Required: name, slug.

delete_a_unkey_permission_by_id

Delete a permission in Unkey by permission id or slug. Returns the response envelope with meta and an empty data object on success. Required: id.

get_single_unkey_permission_by_id

Get a permission in Unkey by id or slug. Returns the response envelope with meta and data containing id, name, slug, and description. Required: id.

list_all_unkey_permissions

List all permissions in your Unkey workspace. Returns the response envelope with meta, an array of permission objects (id, name, slug, description), and pagination cursors. Optional: cursor, limit.

update_a_unkey_permission_by_id

Update a permission in unkey. Returns: meta, data, name, email, plan. Required: id.

create_a_unkey_role

Create a new role in Unkey. Returns: meta, data. Required: name.

delete_a_unkey_role_by_id

Delete a role in Unkey by role id or name. Returns meta and an empty data object. Required: id.

get_single_unkey_role_by_id

Get a role in Unkey by role id or name. Returns: meta, data. Required: id.

list_all_unkey_roles

List all roles in your Unkey workspace, including their assigned permissions. Returns: id, name, description, permissions.

update_a_unkey_role_by_id

Update an existing RBAC role in Unkey. Returns the updated role including id, name, description, and permissions. Required: id. Provide at least one of name, description, or permissions to change.

unkey_ratelimit_limit

Apply a single rate limit check in Unkey for an identifier within a namespace. Returns the rate limit result in data, including limit, remaining, reset, and success, plus request metadata in meta. Cost defaults to 1. Required: namespace, duration, identifier, limit.

unkey_ratelimit_multi_limit

Apply multiple rate limit checks in a single Unkey request. Returns the combined result in data, including a passed flag and per-check limits (limit, remaining, reset, success), plus request metadata in meta.

unkey_ratelimit_set_override

Create or update a custom Unkey rate limit override for an identifier pattern. Returns the override_id in data and request metadata in meta. Required: namespace, duration, identifier, limit.

unkey_ratelimit_get_override

Retrieve an existing Unkey rate limit override by namespace and identifier pattern. Returns the override configuration in data, including override_id, duration, identifier, and limit, plus request metadata in meta. Required: namespace, identifier.

unkey_ratelimit_delete_override

Delete an Unkey rate limit override by namespace and identifier pattern. Returns meta and an empty data object on success. Required: namespace, identifier.

unkey_ratelimit_list_overrides

List rate limit overrides in an Unkey namespace. Returns: overrideId, duration, identifier, limit. Required: namespace.

unkey_portal_create_session

Create a short-lived Unkey Portal session for an end user. Returns the session id, redirect URL, and request metadata. Requires slug, externalId, and permissions.

unkey_portal_exchange_session

Exchange a short-lived Unkey Portal session token for a long-lived browser session token. Returns the new token, its expiration timestamp, and request metadata. Requires sessionId.

Why Truto

Why use Truto’s MCP server for Unkey

Other MCP servers give you a static tool list for one app. Truto gives you a managed, multi-tenant MCP infrastructure across 550+ integrations.

01

Auto-generated, always up to date

Tools are dynamically generated from curated documentation — not hand-coded. As integrations evolve, tools stay current without manual maintenance.

02

Fine-grained access control

Scope each MCP server to read-only, write-only, specific methods, or tagged tool groups. Expose only what your AI agent needs — nothing more.

03

Multi-tenant by design

Each MCP server is scoped to a single connected account with its own credentials. The URL itself is the auth token — no shared secrets, no credential leaking across tenants.

04

Works with every MCP client

Standard JSON-RPC 2.0 protocol. Paste the URL into Claude, ChatGPT, Cursor, or any MCP-compatible agent framework — tools are discovered automatically.

05

Built-in auth, rate limits, and error handling

Tool calls execute through Truto’s proxy layer with automatic OAuth refresh, rate-limit handling, and normalized error responses. No raw API plumbing in your agent.

06

Expiring and auditable servers

Create time-limited MCP servers for contractors or automated workflows. Optional dual-auth requires both the URL and a Truto API token for high-security environments.

How It Works

From zero to integrated

Go live with Unkey in under an hour. No boilerplate, no maintenance burden.

01

Link your customer’s Unkey account

Use Truto’s frontend SDK to connect your customer’s Unkey account. We handle all OAuth and API key flows — you don’t need to create the OAuth app.

02

We handle authentication

Don’t spend time refreshing access tokens or figuring out secure storage. We handle it and inject credentials into every API request.

03

Call our API, we call Unkey

Truto’s Proxy API is a 1-to-1 mapping of the Unkey API. You call us, we call Unkey, and pass the response back in the same cycle.

04

Unified response format

Every response follows a single format across all integrations. We translate Unkey’s pagination into unified cursor-based pagination. Data is always in the result attribute.

FAQs

Common questions about Unkey on Truto

Authentication, rate limits, data freshness, and everything else you need to know before you integrate.

How does authentication with a user's Unkey workspace work through Truto?

Unkey uses root API keys scoped to a workspace. Truto handles secure storage and injection of these credentials on every request, so your product only needs to trigger the integration action — no token management on your side.

Can we run analytics queries or is it limited to CRUD operations?

Yes. The `unkey_analytics_get_verifications` tool accepts SQL SELECT queries against verification data, letting you aggregate request counts, latency, and rejection reasons on demand without ingesting webhooks.

How do we manage rate limits per customer or tenant?

Create an Unkey identity for each tenant using their internal ID as the `externalId`, then apply rate limit overrides via `unkey_ratelimit_set_override`. All keys under that identity share the same enforced limits at the edge.

Can end-users manage their keys without us building a UI?

Yes. Use `unkey_portal_create_session` to mint a short-lived session and redirect the user into Unkey's hosted portal for key creation, rotation, and revocation.

How do we handle prepaid credits or quota top-ups?

Call `unkey_keys_update_credits` with an increment or decrement value against a specific key. Unkey enforces the balance at the edge and rejects requests automatically when credits are depleted.

What happens if we need to disable a customer's access immediately?

Call `update_a_unkey_key_by_id` with `enabled: false` on the target keys. The change propagates across Unkey's edge network so subsequent verifications are rejected globally within milliseconds.

Unkey

Get Unkey integrated into your app

Our team understands what it takes to make a Unkey integration successful. A short, crisp 30 minute call with folks who understand the problem.