fix: verify key curl

[Flo4604]

What does this PR do?

Updates the curl example to use the V2 endpoint instead of V1

Also adds a warning for people to ensure the verify permissions, I think we can get rid of that later at some point but we should rather tell people before.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• Chore (refactoring code, technical debt, workflow improvements)
• Enhancement (small improvements)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How should this be tested?

• Test A
• Test B

Checklist

Create a key, see warning and correct CURL example.

Required

• Filled out the "How to test" section in this PR
• Read Contributing Guide
• Self-reviewed my own code
• Commented on my code in hard-to-understand areas
• Ran pnpm build
• Ran pnpm fmt
• Checked for warnings, there are none
• Removed all console.logs
• Merged the latest changes from main onto my branch with git pull origin main
• My changes don't cause any responsiveness issues

Appreciated

• If a UI change was made: Added a screen recording or screenshots to this PR
• Updated the Unkey Docs if changes were necessary

Summary by CodeRabbit

• New Features

  • Added an in-app warning alert: "Root Key Required" with guidance on required permissions for verification and a link to learn about root keys.

• Documentation

  • Updated curl example to use https://api.unkey.com and /v2/keys.verifyKey.
  • Added Authorization header: Bearer <UNKEY_ROOT_KEY>.
  • Simplified JSON payload to include only "key" (removed apiId).

[changeset-bot]

⚠️ No Changeset found

Latest commit: fa0b0bc

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
dashboard	Ready	Preview	Comment	Aug 29, 2025 10:06am

1 Skipped Deployment

Project	Deployment	Preview	Comments	Updated (UTC)
engineering	Ignored	Preview		Aug 29, 2025 10:06am

[coderabbitai]

📝 Walkthrough

Walkthrough

Switched the dashboard "Verify Key" curl snippet to POST https://api.unkey.com/v2/keys.verifyKey with an Authorization: Bearer <UNKEY_ROOT_KEY> header, simplified the JSON body to {"key":""}, and added a "Root Key Required" Alert with required-permission guidance and a link.

Changes

Cohort / File(s)	Summary of changes
Dashboard API Key UI apps/dashboard/app/(app)/apis/[apiId]/_components/create-key/components/key-secret-section.tsx	Added imports for Alert, AlertTitle, and AlertDescription; updated curl snippet to POST https://api.unkey.com/v2/keys.verifyKey; added Authorization: Bearer <UNKEY_ROOT_KEY> header; removed apiId from JSON payload (now {"key":"<keyValue>"}); added a "Root Key Required" warning Alert with permission guidance (api.*.verify_key or api.{apiId}.verify_key) and a link to learn about root keys.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor User
  participant UI as "Dashboard UI"
  participant API as "Unkey API\napi.unkey.com"

  User->>UI: Open "Verify Key" snippet
  Note over UI: Shows curl POST /v2/keys.verifyKey\nHeader: Authorization: Bearer <UNKEY_ROOT_KEY>\nBody: {"key":"<keyValue>"}\nDisplays Alert: Root Key Required (api.*.verify_key or api.{apiId}.verify_key)
  User->>API: POST /v2/keys.verifyKey (Auth: Bearer root key, body: {"key":...})
  alt Has required permission
    API-->>User: 200 OK (verification result)
  else Lacks permission
    API-->>User: 4xx Permission error
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• fix: adding apiId field to verify key code snippet #2940 — Edits the verifyKey curl snippet/payload; this PR is directly related (one adds apiId, this PR removes it and switches to v2 with root-key auth).

Suggested reviewers

• perkinsjr
• ogzhanolguncu
• chronark
• mcstepp

Tip

🔌 Remote MCP (Model Context Protocol) integration is now available!

Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats.

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 8eb7e58 and fa0b0bc.

📒 Files selected for processing (1)

• apps/dashboard/app/(app)/apis/[apiId]/_components/create-key/components/key-secret-section.tsx (3 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.{js,jsx,ts,tsx}: Use Biome for formatting and linting in TypeScript/JavaScript projects
Prefer named exports over default exports in TypeScript/JavaScript, except for Next.js pages

Files:

• apps/dashboard/app/(app)/apis/[apiId]/_components/create-key/components/key-secret-section.tsx

**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.{ts,tsx}: Follow strict TypeScript configuration
Use Zod for runtime validation in TypeScript projects

Files:

• apps/dashboard/app/(app)/apis/[apiId]/_components/create-key/components/key-secret-section.tsx

🧬 Code graph analysis (1)

apps/dashboard/app/(app)/apis/[apiId]/_components/create-key/components/key-secret-section.tsx (1)

internal/icons/src/icons/circle-info.tsx (1)

• CircleInfo (15-56)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Test Go API Local / Test
• GitHub Check: Test API / API Test Local
• GitHub Check: Build / Build
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (1)

apps/dashboard/app/(app)/apis/[apiId]/_components/create-key/components/key-secret-section.tsx (1)

4-4: LGTM: UI Alert imports are correct and used

Import path and named imports align with usage below.

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/verify-key-curl

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbit in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbit in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbit gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbit read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbit help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbit ignore or @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbit summary or @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbit or @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[github-actions]

Thank you for following the naming conventions for pull request titles! 🙏

[perkinsjr]

What's a root key?

How can I find a root key?

The first two questions that will be asked.

This dialog doesn't provide that info and also doesn't provide a way for me to get there.

The dialog change is fine, but we gotta guide first time users somewhere

[ogzhanolguncu]

Light mode is broken I guess and probably the reason is, our dashboard uses a different type of ordering for colors. E.g. bg-gray-3, text-warningA-3 .... Let's replace those with appropriate values.

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

apps/dashboard/app/(app)/apis/[apiId]/_components/create-key/components/key-secret-section.tsx (1)

64-71: Clipboard copies the real key even when the snippet is hidden

When the key is masked in the UI, CopyButton still copies the unmasked snippet, which can cause accidental leakage. Make clipboard content mirror visibility.

Apply:

-          copyButton={<CopyButton value={snippet} />}
+          copyButton={
+            <CopyButton
+              value={showKeyInSnippet ? snippet : snippet.replace(keyValue, maskedKey)}
+            />
+          }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 1cc6af7 and d299559.

📒 Files selected for processing (1)

• apps/dashboard/app/(app)/apis/[apiId]/_components/create-key/components/key-secret-section.tsx (3 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.{js,jsx,ts,tsx}: Use Biome for formatting and linting in TypeScript/JavaScript projects
Prefer named exports over default exports in TypeScript/JavaScript, except for Next.js pages

Files:

• apps/dashboard/app/(app)/apis/[apiId]/_components/create-key/components/key-secret-section.tsx

**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.{ts,tsx}: Follow strict TypeScript configuration
Use Zod for runtime validation in TypeScript projects

Files:

• apps/dashboard/app/(app)/apis/[apiId]/_components/create-key/components/key-secret-section.tsx

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Test API / API Test Local
• GitHub Check: Test Go API Local / Test
• GitHub Check: Build / Build

🔇 Additional comments (2)

apps/dashboard/app/(app)/apis/[apiId]/_components/create-key/components/key-secret-section.tsx (2)

33-36: ✅ Verification Complete: No Changes Needed

The key-secret-section.tsx component correctly uses the v2 endpoint and the permission names align with server-side checks:

• The curl snippet in apps/dashboard/app/(app)/apis/[apiId]/_components/create-key/components/key-secret-section.tsx points to /v2/keys.verifyKey (not v1) and includes the right headers.
• Permission keys throughout the codebase are consistently defined as "verify_key" (plural snake_case) and referenced as api.*.verify_key or api.{apiId}.verify_key, matching both the TypeScript UI and Go server handlers.

No outstanding inconsistencies or deprecated v1 references remain in this component.

---

4-4: Alert “warn” variant is valid – no changes required; the alertVariants definition in apps/dashboard/components/ui/alert.tsx explicitly includes warn alongside default and alert.

[ogzhanolguncu]

Complementary to James comment, I think redirecting users to a root key creation screen with required permissions selected would be dope.

[Flo4604]

I fixed the light mode version in the second commit.

Should we direct users to settings/root-keys, but its not like that site explains what a root key is or does

[ogzhanolguncu]

Btw that screenshot was after your light fix commit.

And we can do something like this , like click here to create required permissions for root key bla bla - Text could be better tho
image.png

[perkinsjr]

A minor update to these docs

Link docs: https://www.unkey.com/docs/security/root-keys#root-keys

Then send them to root keys, if they don’t read it, that’s fine but then we’ve done our due diligence.

[Flo4604]

It looks like this now:
CleanShot 2025-08-22 at 16.16.04.png
CleanShot 2025-08-22 at 16.16.27.png

[ogzhanolguncu]

bg-gray-100 dark:bg-gray-800 can you replace those with properly with our colors? bg-gray-3`, `text-warningA-3 whatever looks good

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

apps/dashboard/app/(app)/apis/[apiId]/_components/create-key/components/key-secret-section.tsx (1)

68-71: Ensure copied value matches displayed (masked vs. unmasked) snippet

CopyButton is currently wired to always copy the full secret (snippet), even when the UI shows a masked version—this can inadvertently expose the key when users expect it to remain hidden.

• Location:

• apps/dashboard/app/(app)/apis/[apiId]/_components/create-key/components/key-secret-section.tsx, lines 68–71

• Suggested change:

-          copyButton={<CopyButton value={snippet} />}
+          copyButton={
+            <CopyButton
+              value={
+                showKeyInSnippet
+                  ? snippet
+                  : snippet.replace(keyValue, maskedKey)
+              }
+            />
+          }

• Alternative: if the intent is to always copy the real key (for convenience), surface that decision in the UI—e.g., add helper text like “Copies full secret, even when masked” next to the button.

♻️ Duplicate comments (1)

apps/dashboard/app/(app)/apis/[apiId]/_components/create-key/components/key-secret-section.tsx (1)

32-39: Harden the curl snippet: trim base URL, prefer env for secret, and make JSON body construction safe

Avoid double “//” when NEXT_PUBLIC_UNKEY_API_URL ends with a slash, encourage env usage for the root key, add curl flags that fail fast, and build the JSON body via JSON.stringify to prevent quoting/escaping pitfalls if keyValue ever contains special characters.

Apply:

-  const snippet = `curl -XPOST '${
-    process.env.NEXT_PUBLIC_UNKEY_API_URL ?? "https://api.unkey.com"
-  }/v2/keys.verifyKey' \\
-  -H 'Authorization: Bearer <UNKEY_ROOT_KEY>' \\
-  -H 'Content-Type: application/json' \\
-  -d '{
-    "key": "${keyValue}"
-  }'`;
+  const baseUrl = (process.env.NEXT_PUBLIC_UNKEY_API_URL ?? "https://api.unkey.com").replace(/\/+$/, "");
+  const body = JSON.stringify({ key: keyValue });
+  const snippet = `curl -sSf -X POST "${baseUrl}/v2/keys.verifyKey" \
+  -H "Authorization: Bearer $UNKEY_ROOT_KEY" \
+  -H "Content-Type: application/json" \
+  -d '${body}'`;

Notes:

• -sSf keeps output clean and treats non-2xx responses as failures.
• Double quotes on the Authorization header enable $UNKEY_ROOT_KEY expansion in POSIX shells.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between d299559 and 605db89.

📒 Files selected for processing (1)

• apps/dashboard/app/(app)/apis/[apiId]/_components/create-key/components/key-secret-section.tsx (3 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.{js,jsx,ts,tsx}: Use Biome for formatting and linting in TypeScript/JavaScript projects
Prefer named exports over default exports in TypeScript/JavaScript, except for Next.js pages

Files:

• apps/dashboard/app/(app)/apis/[apiId]/_components/create-key/components/key-secret-section.tsx

**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.{ts,tsx}: Follow strict TypeScript configuration
Use Zod for runtime validation in TypeScript projects

Files:

• apps/dashboard/app/(app)/apis/[apiId]/_components/create-key/components/key-secret-section.tsx

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Test API / API Test Local
• GitHub Check: Test Go API Local / Test
• GitHub Check: Build / Build
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (1)

apps/dashboard/app/(app)/apis/[apiId]/_components/create-key/components/key-secret-section.tsx (1)

4-4: LGTM on UI Alert imports

Imports look correct and suit client components. No concerns here.

[Flo4604]

Sure

[ogzhanolguncu]

lemme check 🫡

[ogzhanolguncu]

@Flo4604 some context: css automatically switches between light and dark because both are defined in our shared css file you don't need to define it separately(I know you didnt) just saying 😄

[ogzhanolguncu]

@Flo4604

<Alert variant="warn">
          <div className="flex items-start mb-1 gap-2">
            <CircleInfo size="lg-regular" aria-hidden="true" className="flex-shrink-0" />
            <div>
              <AlertTitle className="mb-1">Root Key Required</AlertTitle>
              <AlertDescription className="text-gray-12">
                To verify keys, you'll need a root key with{" "}
                <code className="bg-gray-3 px-1 rounded text-xs">api.*.verify_key</code> or{" "}
                <code className="bg-gray-3 px-1 rounded text-xs">api.{apiId}.verify_key</code>{" "}
                permission.
                <br />
                <a
                  href="https://www.unkey.com/docs/security/root-keys"
                  target="_blank"
                  rel="noopener noreferrer"
                  className="text-info-11 hover:underline"
                >
                  Learn more about root keys
                </a>
              </AlertDescription>
            </div>
          </div>
        </Alert>

Let's do it like this colors are pretty much the same, but layouting is a bit different. It's always better to align your items with flex or grid rather than manually tweaking with margins or padding.

[Flo4604]

will do

[ogzhanolguncu]

@Flo4604 let's do the changes I requested and merge this

[Flo4604]

this is how it looks now
CleanShot 2025-08-29 at 12.01.40.png
CleanShot 2025-08-29 at 12.02.02.png

[ogzhanolguncu]

🫡

[ogzhanolguncu]

LGTM

[graphite-app]

[graphite-app]

Graphite Automations

"Post a GIF when PR approved" took an action on this PR • (08/29/25)

1 gif was posted to this PR based on Andreas Thomas's automation.