unkeyed · chronark · Jul 31, 2025 · Jul 31, 2025 · Jul 31, 2025 · Jul 31, 2025
@@ -2180,7 +2180,6 @@ components:
                 description: {}
             required:
                 - externalId
-                - ratelimits
         RatelimitResponse:
             type: object
             properties:
@@ -2460,7 +2459,6 @@ components:
             required:
                 - id
                 - name
-                - permissions
             additionalProperties: false
         V2KeysCreateKeyResponseData:
             type: object
@@ -2811,7 +2809,7 @@ components:
             type: object
             properties:
                 role:
-                    "$ref": "#/components/schemas/role"
+                    "$ref": "#/components/schemas/Role"
             required:
                 - role
             additionalProperties: false
@@ -2827,7 +2825,7 @@ components:
             maxItems: 1000
             description: Array of roles with their assigned permissions.
             items:
-                "$ref": "#/components/schemas/role"
+                "$ref": "#/components/schemas/Role"
         V2RatelimitDeleteOverrideResponseData:
             type: object
             additionalProperties: false

@@ -13,4 +13,3 @@ properties:
   description: Identity ratelimits
 required:
   - externalId
-  - ratelimits
@@ -37,5 +37,4 @@ properties:
 required:
   - id
   - name
-  - permissions
 additionalProperties: false
@@ -1,7 +1,7 @@
 type: object
 properties:
   role:
-    "$ref": "../../../../common/role.yaml"
+    "$ref": "../../../../common/Role.yaml"
 required:
   - role
 additionalProperties: false

@@ -2,4 +2,4 @@ type: array
 maxItems: 1000
 description: Array of roles with their assigned permissions.
 items:
-  "$ref": "../../../../common/role.yaml"
+  "$ref": "../../../../common/Role.yaml"
@@ -327,11 +327,11 @@ func (h *Handler) Handle(ctx context.Context, s *zen.Session) error {
 			Identity:    nil,
 			Meta:        nil,
 			Name:        nil,
-			Permissions: nil,
 			Plaintext:   nil,
+			UpdatedAt:   nil,
 			Ratelimits:  nil,
+			Permissions: nil,
 			Roles:       nil,
-			UpdatedAt:   nil,
 		}
 
 		if key.Key.Name.Valid {
@@ -411,7 +411,7 @@ func (h *Handler) Handle(ctx context.Context, s *zen.Session) error {
 					}
 				}
 
-				k.Identity.Ratelimits = ratelimitsResponse
+				k.Identity.Ratelimits = ptr.P(ratelimitsResponse)
 			}
 		}
 
@@ -423,7 +423,10 @@ func (h *Handler) Handle(ctx context.Context, s *zen.Session) error {
 			return fault.Wrap(err, fault.Code(codes.App.Internal.UnexpectedError.URN()),
 				fault.Internal("unable to find permissions for key"), fault.Public("Could not load permissions for key."))
 		}
-		k.Permissions = ptr.P(permissionSlugs)
+
+		if len(permissionSlugs) > 0 {
+			k.Permissions = ptr.P(permissionSlugs)
+		}
 
 		// Get roles for the key
 		roles, err := db.Query.ListRolesByKeyID(ctx, h.DB.RO(), k.KeyId)
@@ -432,12 +435,14 @@ func (h *Handler) Handle(ctx context.Context, s *zen.Session) error {
 				fault.Internal("unable to find roles for key"), fault.Public("Could not load roles for key."))
 		}
 
-		roleNames := make([]string, len(roles))
-		for i, role := range roles {
-			roleNames[i] = role.Name
-		}
+		if len(roles) > 0 {
+			roleNames := make([]string, len(roles))
+			for i, role := range roles {
+				roleNames[i] = role.Name
+			}
 
-		k.Roles = ptr.P(roleNames)
+			k.Roles = ptr.P(roleNames)
+		}
 
 		// Add ratelimits for the key
 		if keyRatelimits, exists := ratelimitsMap[k.KeyId]; exists {

@@ -105,9 +105,9 @@ func TestSuccess(t *testing.T) {
 
 					// Check if this identity should have ratelimits
 					if i%2 == 0 {
-						require.GreaterOrEqual(t, len(identity.Ratelimits), 1, "identity %s should have at least 1 ratelimit", id)
+						require.GreaterOrEqual(t, len(*identity.Ratelimits), 1, "identity %s should have at least 1 ratelimit", id)
 						hasApiCallsLimit := false
-						for _, rl := range identity.Ratelimits {
+						for _, rl := range *identity.Ratelimits {
 							if rl.Name == "api_calls" {
 								hasApiCallsLimit = true
 								assert.Equal(t, int64(100), rl.Limit)
@@ -360,8 +360,7 @@ func TestSuccess(t *testing.T) {
 				require.NotNil(t, *identity.Meta, "Meta should be a valid map")
 			}
 
-			// Ratelimits should always be present
-			require.NotNil(t, identity.Ratelimits, "Ratelimits should be a valid array")
+			require.NotNil(t, identity.Ratelimits, "Ratelimits should be set")
 		}
 	})
 }
@@ -126,10 +126,14 @@ func (h *Handler) Handle(ctx context.Context, s *zen.Session) error {
 		// Create a new identity with its ratelimits
 		newIdentity := openapi.Identity{
 			ExternalId: identity.ExternalID,
-			Ratelimits: formattedRatelimits,
+			Ratelimits: nil,
 			Meta:       nil,
 		}
 
+		if len(formattedRatelimits) > 0 {
+			newIdentity.Ratelimits = ptr.P(formattedRatelimits)
+		}
+
 		// Add metadata if available
 		if len(identity.Meta) > 0 {
 			// Initialize the Meta field with an empty map

@@ -124,8 +124,7 @@ func TestSuccess(t *testing.T) {
 		assert.Equal(t, true, meta["active"])
 
 		// Verify no ratelimits
-		require.NotNil(t, res.Body.Data.Ratelimits)
-		assert.Empty(t, res.Body.Data.Ratelimits)
+		require.Nil(t, res.Body.Data.Ratelimits)
 	})
 
 	t.Run("update ratelimits - add new, update existing, delete one", func(t *testing.T) {
@@ -161,16 +160,16 @@ func TestSuccess(t *testing.T) {
 
 		// Verify exactly 2 ratelimits (should have removed 'special_feature')
 		require.NotNil(t, res.Body.Data.Ratelimits)
-		require.Len(t, res.Body.Data.Ratelimits, 2)
+		require.Len(t, *res.Body.Data.Ratelimits, 2)
 
 		// Check ratelimit values
 		var apiCallsLimit, newFeatureLimit *openapi.RatelimitResponse
-		for i := range res.Body.Data.Ratelimits {
-			switch (res.Body.Data.Ratelimits)[i].Name {
+		for i := range *res.Body.Data.Ratelimits {
+			switch (*res.Body.Data.Ratelimits)[i].Name {
 			case "api_calls":
-				apiCallsLimit = &(res.Body.Data.Ratelimits)[i]
+				apiCallsLimit = &(*res.Body.Data.Ratelimits)[i]
 			case "new_feature":
-				newFeatureLimit = &(res.Body.Data.Ratelimits)[i]
+				newFeatureLimit = &(*res.Body.Data.Ratelimits)[i]
 			}
 		}
 
@@ -186,7 +185,7 @@ func TestSuccess(t *testing.T) {
 		assert.Equal(t, int64(86400000), newFeatureLimit.Duration)
 
 		// Verify 'special_feature' was removed
-		for _, rl := range res.Body.Data.Ratelimits {
+		for _, rl := range *res.Body.Data.Ratelimits {
 			assert.NotEqual(t, "special_feature", rl.Name, "special_feature should have been removed")
 		}
 	})
@@ -207,8 +206,7 @@ func TestSuccess(t *testing.T) {
 		require.Equal(t, externalID, res.Body.Data.ExternalId)
 
 		// Verify no ratelimits
-		require.NotNil(t, res.Body.Data.Ratelimits)
-		assert.Empty(t, res.Body.Data.Ratelimits)
+		require.Nil(t, res.Body.Data.Ratelimits)
 	})
 
 	t.Run("clear metadata", func(t *testing.T) {
@@ -263,8 +261,8 @@ func TestSuccess(t *testing.T) {
 
 		// Verify ratelimits
 		require.NotNil(t, res.Body.Data.Ratelimits)
-		require.Len(t, res.Body.Data.Ratelimits, 1)
-		rlimits := res.Body.Data.Ratelimits
+		require.Len(t, *res.Body.Data.Ratelimits, 1)
+		rlimits := *res.Body.Data.Ratelimits
 		assert.Equal(t, "enterprise_feature", rlimits[0].Name)
 		assert.Equal(t, int64(50), rlimits[0].Limit)
 		assert.Equal(t, int64(3600000), rlimits[0].Duration)

@@ -16,6 +16,7 @@ import (
 	"github.com/unkeyed/unkey/go/pkg/db"
 	"github.com/unkeyed/unkey/go/pkg/fault"
 	"github.com/unkeyed/unkey/go/pkg/otel/logging"
+	"github.com/unkeyed/unkey/go/pkg/ptr"
 	"github.com/unkeyed/unkey/go/pkg/rbac"
 	"github.com/unkeyed/unkey/go/pkg/uid"
 	"github.com/unkeyed/unkey/go/pkg/zen"
@@ -391,15 +392,21 @@ func (h *Handler) Handle(ctx context.Context, s *zen.Session) error {
 		})
 	}
 
+	identityData := openapi.Identity{
+		ExternalId: req.ExternalId,
+		Meta:       req.Meta,
+		Ratelimits: nil,
+	}
+
+	if len(responseRatelimits) > 0 {
+		identityData.Ratelimits = ptr.P(responseRatelimits)
+	}
+
 	response := Response{
 		Meta: openapi.Meta{
 			RequestId: s.RequestID(),
 		},
-		Data: openapi.Identity{
-			ExternalId: req.ExternalId,
-			Meta:       req.Meta,
-			Ratelimits: responseRatelimits,
-		},
+		Data: identityData,
 	}
 
 	return s.JSON(http.StatusOK, response)

@@ -17,6 +17,7 @@ import (
 	"github.com/unkeyed/unkey/go/pkg/db"
 	"github.com/unkeyed/unkey/go/pkg/fault"
 	"github.com/unkeyed/unkey/go/pkg/otel/logging"
+	"github.com/unkeyed/unkey/go/pkg/ptr"
 	"github.com/unkeyed/unkey/go/pkg/rbac"
 	"github.com/unkeyed/unkey/go/pkg/zen"
 )
@@ -246,6 +247,7 @@ func (h *Handler) Handle(ctx context.Context, s *zen.Session) error {
 			Id:          role.ID,
 			Name:        role.Name,
 			Description: nil,
+			Permissions: nil,
 		}
 
 		if role.Description.Valid {
@@ -254,6 +256,8 @@ func (h *Handler) Handle(ctx context.Context, s *zen.Session) error {
 
 		rolePermissions := make([]db.Permission, 0)
 		json.Unmarshal(role.Permissions.([]byte), &rolePermissions)
+
+		perms := make([]openapi.Permission, 0)
 		for _, permission := range rolePermissions {
 			perm := openapi.Permission{
 				Id:          permission.ID,
@@ -266,7 +270,11 @@ func (h *Handler) Handle(ctx context.Context, s *zen.Session) error {
 				perm.Description = &permission.Description.String
 			}
 
-			r.Permissions = append(r.Permissions, perm)
+			perms = append(perms, perm)
+		}
+
+		if len(perms) > 0 {
+			r.Permissions = ptr.P(perms)
 		}
 
 		responseData = append(responseData, r)

@@ -276,15 +276,20 @@ func (h *Handler) Handle(ctx context.Context, s *zen.Session) error {
 			)
 		}
 
+		identityRatelimits := make([]openapi.RatelimitResponse, 0)
 		for _, ratelimit := range ratelimits {
-			k.Identity.Ratelimits = append(k.Identity.Ratelimits, openapi.RatelimitResponse{
+			identityRatelimits = append(identityRatelimits, openapi.RatelimitResponse{
 				Id:        ratelimit.ID,
 				Duration:  ratelimit.Duration,
 				Limit:     int64(ratelimit.Limit),
 				Name:      ratelimit.Name,
 				AutoApply: ratelimit.AutoApply,
 			})
 		}
+
+		if len(identityRatelimits) > 0 {
+			k.Identity.Ratelimits = ptr.P(identityRatelimits)
+		}
 	}
 
 	ratelimits, err := db.Query.ListRatelimitsByKeyID(ctx, h.DB.RO(), sql.NullString{String: key.ID, Valid: true})