unkeyed · chronark · Oct 9, 2025 · Oct 5, 2025 · Oct 5, 2025 · Oct 5, 2025
@@ -30,7 +30,7 @@ type Handler struct {
 	DB        db.Database
 	Keys      keys.KeyService
 	Auditlogs auditlogs.AuditLogService
-	KeyCache  cache.Cache[string, db.FindKeyForVerificationRow]
+	KeyCache  cache.Cache[string, db.CachedKeyData]
 }
 
 // Method returns the HTTP method this route responds to

@@ -29,7 +29,7 @@ type Handler struct {
 	DB        db.Database
 	Keys      keys.KeyService
 	Auditlogs auditlogs.AuditLogService
-	KeyCache  cache.Cache[string, db.FindKeyForVerificationRow]
+	KeyCache  cache.Cache[string, db.CachedKeyData]
 }
 
 // Method returns the HTTP method this route responds to

@@ -30,7 +30,7 @@ type Handler struct {
 	DB        db.Database
 	Keys      keys.KeyService
 	Auditlogs auditlogs.AuditLogService
-	KeyCache  cache.Cache[string, db.FindKeyForVerificationRow]
+	KeyCache  cache.Cache[string, db.CachedKeyData]
 }
 
 // Method returns the HTTP method this route responds to

@@ -28,7 +28,7 @@ type Handler struct {
 	DB        db.Database
 	Keys      keys.KeyService
 	Auditlogs auditlogs.AuditLogService
-	KeyCache  cache.Cache[string, db.FindKeyForVerificationRow]
+	KeyCache  cache.Cache[string, db.CachedKeyData]
 }
 
 // Method returns the HTTP method this route responds to

@@ -29,7 +29,7 @@ type Handler struct {
 	DB        db.Database
 	Keys      keys.KeyService
 	Auditlogs auditlogs.AuditLogService
-	KeyCache  cache.Cache[string, db.FindKeyForVerificationRow]
+	KeyCache  cache.Cache[string, db.CachedKeyData]
 }
 
 // Method returns the HTTP method this route responds to

@@ -31,7 +31,7 @@ type Handler struct {
 	DB        db.Database
 	Keys      keys.KeyService
 	Auditlogs auditlogs.AuditLogService
-	KeyCache  cache.Cache[string, db.FindKeyForVerificationRow]
+	KeyCache  cache.Cache[string, db.CachedKeyData]
 }
 
 // Method returns the HTTP method this route responds to

@@ -30,7 +30,7 @@ type Handler struct {
 	DB        db.Database
 	Keys      keys.KeyService
 	Auditlogs auditlogs.AuditLogService
-	KeyCache  cache.Cache[string, db.FindKeyForVerificationRow]
+	KeyCache  cache.Cache[string, db.CachedKeyData]
 }
 
 // Method returns the HTTP method this route responds to

@@ -31,7 +31,7 @@ type Handler struct {
 	DB           db.Database
 	Keys         keys.KeyService
 	Auditlogs    auditlogs.AuditLogService
-	KeyCache     cache.Cache[string, db.FindKeyForVerificationRow]
+	KeyCache     cache.Cache[string, db.CachedKeyData]
 	UsageLimiter usagelimiter.Service
 }
 

@@ -35,7 +35,7 @@ type Handler struct {
 	DB           db.Database
 	Keys         keys.KeyService
 	Auditlogs    auditlogs.AuditLogService
-	KeyCache     cache.Cache[string, db.FindKeyForVerificationRow]
+	KeyCache     cache.Cache[string, db.CachedKeyData]
 	UsageLimiter usagelimiter.Service
 }
 

@@ -30,8 +30,8 @@ type Caches struct {
 	// HostName -> Certificate
 	TLSCertificate cache.Cache[string, tls.Certificate]
 
-	// KeyHash -> Key verification data (for keys service)
-	VerificationKeyByHash cache.Cache[string, db.FindKeyForVerificationRow]
+	// KeyHash -> Key verification data with pre-parsed IP whitelist (for keys service)
+	VerificationKeyByHash cache.Cache[string, db.CachedKeyData]
 }
 
 // Config defines the configuration options for initializing caches.
@@ -108,7 +108,7 @@ func New(config Config) (Caches, error) {
 		return Caches{}, fmt.Errorf("failed to create certificate cache: %w", err)
 	}
 
-	verificationKeyByHash, err := cache.New(cache.Config[string, db.FindKeyForVerificationRow]{
+	verificationKeyByHash, err := cache.New(cache.Config[string, db.CachedKeyData]{
 		Fresh:    time.Minute,
 		Stale:    time.Minute * 10,
 		Logger:   config.Logger,

@@ -17,9 +17,9 @@ type Caches struct {
 	// Keys are cache.ScopedKey and values are db.FindRatelimitNamespace.
 	RatelimitNamespace cache.Cache[cache.ScopedKey, db.FindRatelimitNamespace]
 
-	// VerificationKeyByHash caches verification key lookups by their hash.
-	// Keys are string (hash) and values are db.VerificationKey.
-	VerificationKeyByHash cache.Cache[string, db.FindKeyForVerificationRow]
+	// VerificationKeyByHash caches verification key lookups by their hash with pre-parsed data.
+	// Keys are string (hash) and values are db.CachedKeyData (includes pre-parsed IP whitelist).
+	VerificationKeyByHash cache.Cache[string, db.CachedKeyData]
 
 	// LiveApiByID caches live API lookups by ID.
 	// Keys are string (ID) and values are db.FindLiveApiByIDRow.
@@ -77,7 +77,7 @@ func New(config Config) (Caches, error) {
 		return Caches{}, err
 	}
 
-	verificationKeyByHash, err := cache.New(cache.Config[string, db.FindKeyForVerificationRow]{
+	verificationKeyByHash, err := cache.New(cache.Config[string, db.CachedKeyData]{
 		Fresh:    10 * time.Second,
 		Stale:    10 * time.Minute,
 		Logger:   config.Logger,

@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"strings"
 	"time"
 
 	"github.com/unkeyed/unkey/go/internal/services/caches"
@@ -67,11 +68,31 @@ func (s *service) Get(ctx context.Context, sess *zen.Session, rawKey string) (*K
 	}
 
 	h := hash.Sha256(rawKey)
-	key, hit, err := s.keyCache.SWR(ctx, h, func(ctx context.Context) (db.FindKeyForVerificationRow, error) {
+	key, hit, err := s.keyCache.SWR(ctx, h, func(ctx context.Context) (db.CachedKeyData, error) {
 		// Use database retry with exponential backoff, skipping non-transient errors
-		return db.WithRetry(func() (db.FindKeyForVerificationRow, error) {
+		row, err := db.WithRetry(func() (db.FindKeyForVerificationRow, error) {
 			return db.Query.FindKeyForVerification(ctx, s.db.RO(), h)
 		})
+		if err != nil {
+			return db.CachedKeyData{}, err
+		}
+
+		// Parse IP whitelist once during cache population for performance
+		parsedIPWhitelist := make(map[string]struct{})
+		if row.IpWhitelist.Valid && row.IpWhitelist.String != "" {
+			ips := strings.Split(row.IpWhitelist.String, ",")
+			for _, ip := range ips {
+				trimmed := strings.TrimSpace(ip)
+				if trimmed != "" {
+					parsedIPWhitelist[trimmed] = struct{}{}
+				}
+			}
+		}
+
+		return db.CachedKeyData{
+			FindKeyForVerificationRow: row,
+			ParsedIPWhitelist:         parsedIPWhitelist,
+		}, nil
 	}, caches.DefaultFindFirstOp)
 
 	if err != nil {
@@ -107,6 +128,7 @@ func (s *service) Get(ctx context.Context, sess *zen.Session, rawKey string) (*K
 		}, emptyLog, nil
 	}
 
+	// Workspace is disabled or the key is not allowed to be used for workspace operations
 	if !key.WorkspaceEnabled || (key.ForWorkspaceEnabled.Valid && !key.ForWorkspaceEnabled.Bool) {
 		// nolint:exhaustruct
 		kv := &KeyVerifier{
@@ -121,7 +143,7 @@ func (s *service) Get(ctx context.Context, sess *zen.Session, rawKey string) (*K
 			usageLimiter:          s.usageLimiter,
 			AuthorizedWorkspaceID: key.WorkspaceID,
 			isRootKey:             key.ForWorkspaceID.Valid,
-			Key:                   key,
+			Key:                   key.FindKeyForVerificationRow,
 		}
 
 		return kv, kv.log, nil
@@ -180,7 +202,7 @@ func (s *service) Get(ctx context.Context, sess *zen.Session, rawKey string) (*K
 	}
 
 	kv := &KeyVerifier{
-		Key:                   key,
+		Key:                   key.FindKeyForVerificationRow,
 		clickhouse:            s.clickhouse,
 		rateLimiter:           s.raterLimiter,
 		usageLimiter:          s.usageLimiter,
@@ -193,11 +215,12 @@ func (s *service) Get(ctx context.Context, sess *zen.Session, rawKey string) (*K
 		isRootKey:             key.ForWorkspaceID.Valid,
 
 		// By default we assume the key is valid unless proven otherwise
-		Status:           StatusValid,
-		ratelimitConfigs: ratelimitConfigs,
-		Roles:            roles,
-		Permissions:      permissions,
-		RatelimitResults: nil,
+		Status:            StatusValid,
+		ratelimitConfigs:  ratelimitConfigs,
+		parsedIPWhitelist: key.ParsedIPWhitelist, // Use pre-parsed IPs from cache
+		Roles:             roles,
+		Permissions:       permissions,
+		RatelimitResults:  nil,
 	}
 
 	if key.DeletedAtM.Valid {

@@ -20,7 +20,7 @@ type Config struct {
 	Region       string                // Geographic region identifier
 	UsageLimiter usagelimiter.Service  // Redis Counter for usage limiting
 
-	KeyCache cache.Cache[string, db.FindKeyForVerificationRow] // Cache for key lookups
+	KeyCache cache.Cache[string, db.CachedKeyData] // Cache for key lookups with pre-parsed data
 }
 
 type service struct {
@@ -32,8 +32,8 @@ type service struct {
 	clickhouse   clickhouse.ClickHouse
 	region       string
 
-	// hash -> key
-	keyCache cache.Cache[string, db.FindKeyForVerificationRow]
+	// hash -> cached key data (includes pre-parsed IP whitelist)
+	keyCache cache.Cache[string, db.CachedKeyData]
 }
 
 // New creates a new keys service instance with the provided configuration.

@@ -4,11 +4,8 @@ import (
 	"context"
 	"database/sql"
 	"fmt"
-	"strings"
 	"time"
 
-	"slices"
-
 	"github.com/unkeyed/unkey/go/apps/api/openapi"
 	"github.com/unkeyed/unkey/go/internal/services/ratelimit"
 	"github.com/unkeyed/unkey/go/internal/services/usagelimiter"
@@ -58,7 +55,7 @@ func (k *KeyVerifier) withIPWhitelist() error {
 		return nil
 	}
 
-	if !k.Key.IpWhitelist.Valid {
+	if len(k.parsedIPWhitelist) == 0 {
 		return nil
 	}
 
@@ -69,12 +66,7 @@ func (k *KeyVerifier) withIPWhitelist() error {
 		return nil
 	}
 
-	allowedIPs := strings.Split(k.Key.IpWhitelist.String, ",")
-	for i, ip := range allowedIPs {
-		allowedIPs[i] = strings.TrimSpace(ip)
-	}
-
-	if !slices.Contains(allowedIPs, clientIP) {
+	if _, ok := k.parsedIPWhitelist[clientIP]; !ok {
 		k.setInvalid(StatusForbidden, fmt.Sprintf("client IP %s is not in the whitelist", clientIP))
 	}
 

@@ -39,7 +39,8 @@ type KeyVerifier struct {
 	ratelimitConfigs map[string]db.KeyFindForVerificationRatelimit // Rate limits configured for this key (name -> config)
 	RatelimitResults map[string]RatelimitConfigAndResult           // Combined config and results for rate limits (name -> config+result)
 
-	isRootKey bool // Whether this is a root key (special handling)
+	parsedIPWhitelist map[string]struct{} // Pre-parsed IP whitelist for O(1) lookup
+	isRootKey         bool                // Whether this is a root key (special handling)
 
 	message string   // Internal message for validation failures
 	tags    []string // Tags associated with this verification

@@ -0,0 +1,8 @@
+package db
+
+// CachedKeyData embeds FindKeyForVerificationRow and adds pre-processed data for caching.
+// This struct is stored in the cache to avoid redundant parsing operations.
+type CachedKeyData struct {
+	FindKeyForVerificationRow
+	ParsedIPWhitelist map[string]struct{} // Pre-parsed IP addresses for O(1) lookup
+}