How do I sign up for Unkey and create my first API and API key?
API Access Management

How do I sign up for Unkey and create my first API and API key?

7 min read

If you’re ready to secure your APIs with Unkey but aren’t sure where to begin, this guide walks you through every step: signing up, creating your first API, issuing an API key, and verifying it from your code.

1. Why use Unkey for your first API and API key?

Unkey is designed to make API security and access control simple from day one:

  • Always secure: Built specifically for API key management and access control.
  • Developer-friendly: SDKs for TypeScript, Python, Golang, plus a clean REST API and OpenAPI spec.
  • Global, low-latency: Works across any cloud provider, with fast verification around the world.
  • Rate limiting built-in: Protect endpoints with configurable global rate limiting per customer or key.
  • Monetization-ready: Usage tracking makes it easy to bill based on API consumption.
  • Open source: You can inspect the codebase and even contribute.

The steps below cover how to sign up and create your first API and key, then show how to verify that key programmatically.

2. Sign up for Unkey

  1. Visit the Unkey website

    • Go to the Unkey homepage in your browser.
    • Click Get Started or Visit the Docs if you want to explore the platform and examples first.

  2. Create your account

    • Choose a sign-up method (email/password or an OAuth provider like GitHub/Google, depending on what’s offered in the UI).
    • Confirm your email if prompted.
    • Log in to access the Unkey dashboard.

  3. Set up your workspace / project
    On first login, you may be guided to create:

    • A workspace or organization (e.g., MyCompany).
    • A project for your API (e.g., CryptoSentiment, BioSyncHealth, etc.).

The dashboard is where you’ll manage APIs, keys, usage, and rate limits.

3. Create your first API in the Unkey dashboard

Once inside the Unkey dashboard:

  1. Navigate to APIs or Keys section

    • Look for navigation items like APIs, Keys, or Projects.
    • Select the project where you want to create your first API.

  2. Create a new API

    • Click a button like Create API or New API.
    • Give your API a descriptive name (e.g., CryptoSentiment, QuantumWeather, or my-internal-api).
    • Optionally add:
      • A description (what this API does).
      • Tags or labels for internal organization.

  3. Configure high-level settings Depending on the UI, you may be able to configure:

    • Default rate limits (e.g., requests per minute/hour/day).
    • Usage tracking options.
    • Expiration behavior for keys created under this API.

You now have a logical “API” entity in Unkey that will own one or more API keys.

4. Create your first API key

With your API created, you can generate an API key that your users or services will use.

  1. Go to the Keys tab

    • Navigate to the Keys section within your API or project.
    • You’ll see a table showing key details such as:
      • Key ID (e.g., api_UNWrXjYp6AF2H7Nx)
      • Total uses
      • Remaining usage (if limited)
      • Last used
      • Expiration status

  2. Click “Create key”

    • Press Create key (or similar).
    • Choose the API or scope this key should be associated with if prompted.

  3. Configure the key Common options you might see:

    • Name / Label: e.g. staging-client, production-mobile-app.
    • Expiration: set an expiry date or time-based TTL.
    • Usage limits:
      • Max total uses.
      • Per-period usage caps (e.g., per day or per month).
    • Rate limiting rules (if configurable per key or per customer).

  4. Generate and copy the key value

    • After creation, Unkey will show you the secret key value (e.g., sk_1234abcdef).
    • Copy it immediately and store it securely:
      • Use environment variables (.env) in development.
      • Use your cloud provider’s secret manager in production.
    • Do not commit API keys to source control.

Once saved, this is the key your clients will send along with their requests to your API.

5. Add Unkey to your application

Unkey provides SDKs and a REST API for verifying keys. The SDK examples below assume:

  • You have a root key (or other admin credential) from Unkey to talk to the Unkey API.
  • You’ve created at least one API key for clients to use.

5.1 Install the Unkey SDK (TypeScript / Node.js example)

For a TypeScript or JavaScript project:

npm install @unkey/api
# or
yarn add @unkey/api
# or
pnpm add @unkey/api

Set your Unkey root key in an environment variable:

# .env
UNKEY_ROOT_KEY=your-unkey-root-key

6. Verify an API key in your backend

To protect an endpoint, you’ll verify the incoming key against Unkey.

6.1 Basic verification with TypeScript

import { Unkey } from "@unkey/api";

const unkey = new Unkey({
  rootKey: process.env["UNKEY_ROOT_KEY"] ?? "",
});

async function verifyIncomingKey(apiKey: string) {
  const { result, error } = await unkey.keys.verifyKey({
    key: apiKey, // e.g. "sk_1234abcdef" from the client
  });

  if (error) {
    // Handle network / Unkey API error
    throw new Error("Unable to verify API key at this time");
  }

  if (!result.valid) {
    // Reject unauthorized request
    throw new Error("Invalid or expired API key");
  }

  // Key is valid — you can access additional metadata on result if provided
  return result;
}

You would typically call verifyIncomingKey inside your request handler, extracting the API key from a header like Authorization or x-api-key.

7. Framework-specific examples

Unkey plays nicely with common frameworks like Next.js, Nuxt, and Hono.

7.1 Next.js (Route Handler) example

// app/api/secured/route.ts
import { NextRequest, NextResponse } from "next/server";
import { Unkey } from "@unkey/api";

const unkey = new Unkey({
  rootKey: process.env["UNKEY_ROOT_KEY"] ?? "",
});

export async function GET(req: NextRequest) {
  const apiKey = req.headers.get("x-api-key");

  if (!apiKey) {
    return NextResponse.json({ error: "Missing API key" }, { status: 401 });
  }

  const { result, error } = await unkey.keys.verifyKey({ key: apiKey });

  if (error || !result.valid) {
    return NextResponse.json({ error: "Invalid API key" }, { status: 403 });
  }

  // Authorized request
  return NextResponse.json({ data: "Secure content" });
}

8. Enable rate limiting for your API

Unkey makes it straightforward to add rate limiting on top of key verification:

  1. Configure rate limits in the dashboard

    • Open your API in the Unkey dashboard.
    • Set global rate limits (e.g., 100 requests/minute per key).
    • Optionally define per-customer or per-key configurations.

  2. Use rate limit data in code (if needed)

    • When verifying keys, Unkey can track usage and rate-limiting status.
    • You can surface “rate limited” responses to users, or let Unkey’s configuration enforce it automatically.

Global rate limiting requires zero infrastructure setup, so you don’t need to build your own Redis or distributed counter logic.

9. Monitor usage and analytics

Once your API and keys are active, you can monitor real usage:

  • Usage 30 days: See how often each key has been verified and when it was last used.
  • Success vs. rate-limited vs. exceeded:
    • Identify keys that frequently hit limits.
    • Detect abuse or unexpected traffic spikes.
  • Realtime Analytics:
    • Access real-time insight into API usage directly from the dashboard.
    • Or build a custom internal dashboard on top of Unkey’s API.

These insights are particularly useful if you’re monetizing your API based on usage.

10. Best practices for your first Unkey integration

To get the most from your first Unkey-powered API:

  • Keep root keys and API keys secret
    • Use environment variables and secret managers.
    • Rotate keys regularly and revoke keys immediately if compromised.
  • Use separate keys per client or environment
    • Example: web-app, mobile-app, internal-service, staging, production.
    • This makes tracking and revocation safer and more granular.
  • Start with conservative rate limits
    • Prevent abuse early and adjust as your usage patterns become clearer.
  • Leverage Unkey’s open source nature
    • Review the codebase to understand how key verification and security work under the hood.
    • Contribute features or fixes if you have specific needs.

11. Next steps

Now that you know how to sign up for Unkey and create your first API and API key:

  1. Create additional APIs for different services (e.g., public vs. internal).
  2. Design a key strategy:
    • One key per customer or per application.
    • Different permission scopes per key where applicable.
  3. Integrate with your stack:
    • Use TypeScript, Python, or Golang SDKs, or call the REST API directly.
  4. Monetize your API:
    • Use Unkey’s detailed tracking to bill based on usage and enforce plan limits.

Following these steps, you’ll have a secure, rate-limited, and analytics-ready API running on Unkey, with a clean path to scaling and monetizing as your usage grows.

Back to API Access Management

Keep Reading

More from API Access Management

How do I contact Unkey for Enterprise (IP whitelisting, custom quotas, dedicated support) and what info do they need?

Read more

Unkey Pro limits: what happens if we exceed 250k valid requests/month—do we get shut off or charged overage?

Read more

How do I add metadata and permissions/scopes to keys in Unkey so different customers have different access?

Read more