Unkey vs self-managed Redis: migration plan if our API keys are in Postgres and rate limits are Redis-based today
API Access Management

Unkey vs self-managed Redis: migration plan if our API keys are in Postgres and rate limits are Redis-based today

12 min read

Many teams reach a point where managing their own Redis and Postgres setup for API keys and rate limiting becomes a burden. You want high performance and reliability, but without babysitting infrastructure, fighting edge cases, or rewriting your entire auth and rate-limiting layer. That’s where Unkey comes in: it gives you a hosted, global, low-latency platform for keys, rate limiting, and access control—without forcing you to throw away what you already have.

This guide compares Unkey vs self-managed Redis in this context and lays out a practical migration plan if your API keys currently live in Postgres and your rate limits are Redis-based.

Why teams outgrow self‑managed Redis for rate limiting

Self-managed Redis is often the default choice for rate limiting:

  • It’s fast and widely known.
  • It supports counters and TTLs.
  • It’s easy to prototype with.

But in production, you typically run into:

  • Operational overhead

    • Managing clusters, failover, backups, and upgrades.
    • Monitoring memory usage, evictions, and connection limits.

  • Global consistency issues

    • Multi-region or multi-cloud setups require complex replication and sharding.
    • Ensuring consistent rate limits per user across regions is non-trivial.

  • Application-level complexity

    • Implementing advanced patterns (per-customer limits, dynamic plans, bursts, cooldowns) quickly turns into a mess of scripts and Lua code.
    • Adding usage-based billing usually requires a separate tracking system.

  • Security and compliance gaps

    • Redis is not built as an API security platform; you must layer on controls, access policies, and auditability yourself.

If you’re at this stage, switching rate limiting and API key management to a dedicated platform like Unkey can free your team to focus on your core product instead of infrastructure.

What Unkey provides beyond Redis

Unkey is designed as a developer-friendly platform to secure and manage API access globally, not just a key–value store. Compared to self-managed Redis, Unkey gives you:

1. Global, low-latency infrastructure

Unkey is optimized for global performance:

  • Global low latency regardless of which cloud providers or regions you use.
  • Multi-cloud support, so it “just works” with any cloud provider you’ve chosen, without you having to run your own cross-region Redis clusters.

This matters when you’re currently limited by a single-region Redis deployment or complex replication that still produces inconsistent limits and higher p99 latencies.

2. Built-in, configurable rate limiting

Instead of rolling your own scripts and counters, Unkey offers:

  • Global rate limiting with zero setup

    • Rate limiting is enabled out of the box.
    • No need to configure distributed locks, scripts, or replication.

  • Custom configuration per customer or per key

    • Define rate limits per plan (e.g., “Free”, “Pro”, “Enterprise”).
    • Override limits per key, per user, or per tenant as needed.

  • Usage limits per key

    • Create keys with a fixed usage allowance and optional periodic refills.
    • Use this to implement usage-based billing with credits or quotas.

Redis can handle counters, but you must design everything else yourself (throttling semantics, limit inheritance, per-plan configuration, etc.). Unkey centralizes this logic into a clean API and dashboard.

3. First-class API key management

If your API keys are currently rows in Postgres, you likely have to handle:

  • Generation and secure storage.
  • Rotation and expiration.
  • Revocation and auditing.
  • Propagation across services and regions.

Unkey gives you:

  • Secure, scalable key storage and management from day one.
  • Automatic key expiration, lowering the risk of long-lived credentials being abused.
  • Easy key creation, rotation, and revocation via API or dashboard.
  • A public OpenAPI spec and SDKs (TypeScript, Python, Go, cURL) so you can integrate quickly.

Instead of maintaining your own keys table and custom code around it, you can offload this to a platform designed specifically for it.

4. Role-based access control and permissions

As your system grows, simple “key exists / key doesn’t exist” checks are not enough. You may need:

  • Different privileges for different API keys or tenants.
  • Per-feature entitlements.
  • Fine-grained permissions for internal teams.

Unkey supports:

  • Role-based access control (RBAC) and/or permission-based control.
  • Granular access privileges with flexible role/permission models.
  • Global propagation of permission changes in seconds, so revoking or updating access doesn’t depend on cache invalidation or slow syncs.

Redis alone cannot provide this; you’d need a separate authorization layer. With Unkey, it’s built into the platform.

5. Usage tracking and monetization

If you want to bill based on API usage, you need accurate, trustworthy metrics.

Unkey:

  • Tracks all user actions in your APIs at the key level.
  • Makes it straightforward to bill users based on their usage (e.g., calls per month, per feature, per endpoint).
  • Works nicely with usage limits per key, so billing rules and enforcement are aligned.

Redis counters can track usage, but turning those into a reliable billing pipeline is a separate project. Unkey gives you a monetization-ready foundation out of the box.

6. Developer-friendly integrations

Unkey is API-first and UI-first:

  • You can manage everything via its API or through a dashboard that’s friendly for both developers and non-technical teammates.
  • Official SDKs for TypeScript, Python, Golang, and more.
  • Works smoothly with popular frameworks such as Next.js, Nuxt, Hono.
  • Integrates with modern deployment platforms, including an official Vercel integration that streamlines development-to-deployment.

This is a different ergonomics level than managing raw Redis connections and DIY rate limiting logic.

Tradeoffs: Unkey vs self-managed Redis

When deciding whether to move off self-managed Redis, weigh the tradeoffs:

When self‑managed Redis still makes sense

  • You only need very simple rate limiting (e.g., one global limit, no per-customer variation).
  • Your infrastructure is single-region and unlikely to change soon.
  • You have in-house expertise to maintain Redis clusters and don’t need built-in RBAC or monetization.
  • You’re comfortable building your own logging, analytics, billing, and permission layers on top.

When Unkey is the better fit

  • You want global low latency without running your own multi-region Redis.
  • You need advanced per-customer or per-key rate limits.
  • API key lifecycle management is currently spread across different services and difficult to audit.
  • You plan to roll out role-based access control and usage-based billing.
  • You want proactive protection and a platform focused on API security rather than generic data storage.

If you’re in the latter camp, the question becomes: how do you migrate from Postgres + Redis to Unkey without breaking your API or disrupting customers?

Migration strategy overview

You can migrate in three phases:

  1. Prepare: Integrate Unkey alongside your current system.
  2. Dual-run: Shadow traffic and validate behavior.
  3. Cutover & cleanup: Switch production to Unkey and retire old paths.

Below is a step-by-step plan tailored to a setup where:

  • API keys live in Postgres.
  • Rate limits are enforced with Redis.

Phase 1: Preparation and parallel integration

1. Model your existing keys and limits in Unkey

Start by mapping what you have today:

  • Key metadata in Postgres:

    • Owner (user, team, tenant)
    • Status (active, revoked)
    • Scopes or capabilities
    • Created/updated timestamps
    • Expiration, if any

  • Rate limit rules in Redis:

    • Per-key or per-user counters and time windows
    • Plan-based limits (e.g., free vs paid tiers)
    • Any special overrides

Translate these into Unkey constructs:

  • Keys → Unkey API keys with equivalent metadata.
  • Plans/tiers → Use Unkey’s rate limiting configuration and/or role/permission system to represent different plans.
  • Overrides → Configure per-key or per-customer limits where needed.

You can do this via:

  • Unkey’s dashboard for initial testing and prototyping.
  • Unkey’s API for bulk configuration or automated migrations.

2. Integrate Unkey’s SDK/API into a non-critical path

Before touching your core auth pipeline:

  • Add Unkey’s SDK or REST client to your codebase.
  • Create a small internal endpoint or test harness that:
    • Validates a test key via Unkey.
    • Applies a simple rate limit (e.g., 10 requests/minute).

Use this to verify:

  • The environment is set up correctly (e.g., UNKEY_ROOT_KEY configured).
  • You can create keys, verify them, and see rate limiting responses.
  • Logs and metrics flow where you need them.

3. Decide on key migration strategy: “big bang” vs rolling

You have two main options for moving keys from Postgres to Unkey:

  • Big bang migration

    • Export all keys from Postgres.
    • Import them into Unkey (via scripts / Unkey API).
    • Update your app to validate keys with Unkey only.

  • Rolling (incremental) migration

    • For new keys, create them directly in Unkey (and optionally mirror a reference in Postgres).
    • For existing keys, migrate them gradually:
      • On first use, check if they exist in Unkey; if not, create the key there.
      • After a certain period, most active keys will be migrated; you can then do a final one-time export for remaining keys.

The rolling approach often minimizes risk, as it piggybacks on real traffic instead of migrating inactive keys that may never be used again.

Phase 2: Dual-run (shadowing) with Redis and Unkey

The dual-run phase ensures behavior parity between your current stack and Unkey before cutting over.

4. Validate key checks in parallel

For each incoming request:

  1. Primary: Continue validating keys using your current Postgres logic.
  2. Shadow: In parallel (non-blocking), validate the same key with Unkey and log the result.

You can:

  • Log mismatches (e.g., Postgres says key is valid but Unkey says no key; Unkey’s expiration differs, etc.).
  • Use this data to refine your migration scripts and PoC configuration.

Once you’re confident in parity, you can flip the priority:

  • Primary: Validate keys with Unkey.
  • Fallback: If key is not found in Unkey, fall back to Postgres (and optionally create the key in Unkey on-the-fly).

5. Dual-run rate limiting: Redis as source of truth, Unkey as observer

Similarly, shadow your rate limiting:

  1. Primary: Enforce limits using Redis (your current production system).
  2. Shadow: For the same requests, call Unkey’s rate limiting and log the responses, but do not enforce them yet.

Use logs to compare:

  • Does Unkey block when Redis allows?
  • Are window sizes and thresholds equivalent?
  • Are per-customer overrides applied correctly?

Adjust Unkey’s configuration until:

  • Differences are understood and acceptable, or
  • You’ve intentionally updated your rate limiting policies to be stricter or more lenient via Unkey.

Phase 3: Cutover from Redis to Unkey

Once validation looks good, you can move enforcement from Redis to Unkey.

6. Switch key validation to Unkey as source of truth

Make Unkey your canonical source for API key validation:

  • All new keys are created in Unkey only.
  • For each incoming request, check the key with Unkey.
  • Remove Postgres key validation logic from the critical path, or keep a “read-only” backup for a short decommissioning period.

During this phase:

  • Monitor Unkey’s dashboards and logs for errors and performance.
  • Confirm that your fallbacks (if any) are rarely used or not used at all.

7. Switch rate limiting enforcement to Unkey

Next, move rate limiting enforcement:

  1. Primary: Enforce limits using Unkey’s global rate limiting.
  2. Shadow: Optionally keep Redis limits running in shadow mode to detect unexpected spikes or misconfigurations.

Key benefits at this stage:

  • You no longer need to manage Redis for rate limiting.
  • You gain global consistency without complex replication.

8. Gradually retire Redis-based rate limiting

After a stable period:

  • Remove Redis calls from the request path related to rate limiting.
  • Decommission rate limiting keys and scripts from Redis.
  • Optionally downsize or retire Redis clusters if they were dedicated to this purpose.

If Redis is still used for other purposes, you can scale it down or simplify its architecture now that rate limiting isn’t a requirement.

Handling edge cases and compatibility issues

During migration, keep an eye on these common edge cases:

Different limit semantics

Your current implementation may use:

  • Sliding windows vs fixed windows.
  • Burst allowances vs strict limits.
  • Per-endpoint vs per-key limits.

When configuring Unkey:

  • Match these semantics where necessary.
  • Document intentional behavior changes (e.g., aligning all endpoints to a single unified per-key limit).

Legacy or compromised keys

Migration is a good time to:

  • Expire legacy keys that are no longer used.
  • Rotate keys that may have been compromised.
  • Implement automatic key expiration in Unkey to prevent future accumulation of never-expiring keys.

Tenant-level vs user-level limits

If you have multi-tenant behavior:

  • Use Unkey’s per-customer configuration to set limits per tenant, and per-user within the tenant if required.
  • Keep your tenant IDs and user IDs as first-class fields so Unkey can apply the right policies.

Operational and security benefits after migration

Once you’ve migrated from Postgres + self-managed Redis to Unkey, you gain:

  • Simplified infrastructure

    • No more hand-maintained Redis clusters for rate limiting.
    • Less custom code around key management and permissions.

  • Stronger security posture

    • Keys managed on a platform designed for API security.
    • Automatic expiration, centralized revocation, and fast global propagation.
    • RBAC and granular permissions built in.

  • Better observability and billing capabilities

    • Usage tracking per key and per customer.
    • Easier implementation of usage-based or tiered pricing.

  • Faster global experience

    • Global low latency across clouds and regions.
    • Rate limiting decisions made quickly and consistently anywhere your users are.

Practical next steps

To move forward from your current setup (API keys in Postgres, rate limits in Redis):

  1. Set up Unkey in a staging environment and mirror a subset of keys and rate limit rules.
  2. Instrument dual-run logic so that Unkey validates keys and rates requests in shadow mode while Redis remains the source of truth.
  3. Iterate on configuration until Unkey’s decisions match your expectations.
  4. Switch production key validation to Unkey, keeping Postgres as a temporary backup if needed.
  5. Switch rate limiting enforcement from Redis to Unkey and monitor performance and correctness.
  6. Retire legacy logic and infrastructure as confidence grows.

By following this phased approach, you can move from self-managed Redis and Postgres-based key storage to Unkey with minimal user impact, while gaining a more secure, scalable, and globally performant foundation for your API.

Back to API Access Management

Keep Reading

More from API Access Management

How do I contact Unkey for Enterprise (IP whitelisting, custom quotas, dedicated support) and what info do they need?

Read more

Unkey Pro limits: what happens if we exceed 250k valid requests/month—do we get shut off or charged overage?

Read more

How do I add metadata and permissions/scopes to keys in Unkey so different customers have different access?

Read more