Unkey
An open-source developer platform for API infrastructure — issue and verify API keys, enforce global rate limits, route traffic through a gateway, and get per-key analytics and audit logs.
Unkey is a self-hostable API infrastructure platform built in Go, covering the pieces most teams end up hand-rolling when they ship an API: key issuance and fast global verification, rate limiting that stays consistent across regions, per-key permissions and RBAC, a traffic gateway, and usage analytics backed by ClickHouse.
The codebase is organized as a set of internal services rather than a monolith — a gateway component handles routing and traffic shaping, a permissions/auth service enforces RBAC, a control-plane service manages deployments, and a vault service handles secret storage, all communicating over gRPC defined through Protocol Buffers. This mirrors how Unkey’s own hosted cloud runs the same code, just distributed differently.
Most of the repository is AGPLv3-licensed, with the exception of packages under packages/ which carry their own individual licenses (several are permissively licensed SDKs meant for reuse). Unkey also runs a paid hosted cloud version with usage-based pricing starting around $5/month plus a custom enterprise tier, but the self-hosted path uses the same open-source code.
What You Get
- API key issuance, fast global verification, and revocation for machine-to-machine authentication
- Globally consistent rate limiting keyed by any identifier (user, IP, API key, etc.)
- A traffic gateway with routing and per-key permissions/RBAC enforcement
- Usage analytics and immutable audit logs backed by ClickHouse for every request and workspace action
Common Use Cases
- Issuing and verifying API keys for a public API without building key management from scratch
- Enforcing consistent rate limits across a distributed or multi-region API deployment
- Adding per-key permissions and RBAC to an internal or partner-facing API
- Self-hosting API infrastructure instead of depending on Unkey’s hosted cloud for compliance or cost reasons
Under The Hood
Architecture
Unkey is split into distinct services under svc/ — including a gateway-facing component, a permissions/auth service (heimdall), a deployment control-plane (ctrl), a container/deployment orchestrator (krane), and a secrets store (vault) — communicating via gRPC contracts defined in proto/ and built with Buf. Shared logic lives under pkg/ (caching, circuit breakers, ClickHouse client, config, auditlog, etc.), so each service pulls in only the building blocks it needs rather than sharing a single application binary. This service-oriented layout is also what backs Unkey’s own hosted cloud, so self-hosters run structurally the same system.
Tech Stack
Go throughout, with gRPC/Protocol Buffers (managed via Buf) for inter-service communication, ClickHouse for analytics and audit-log storage, Bazel build files present alongside the standard Go toolchain, and Docker/Dockerfile.release for containerized deployment. A separate web/ directory holds the dashboard frontend.
Code Quality
The repo includes a benchmarks/ directory and a dedicated dev/ environment setup, indicating performance is treated as a first-class concern (consistent with rate-limiting and key-verification being latency-sensitive paths); Go’s static typing and the project’s CI-driven, multi-service structure point to a disciplined build process, though verifying test depth per-service would need a deeper per-package look.
What Makes It Unique Rather than being a single API-gateway or a single key-management library, Unkey bundles key verification, rate limiting, RBAC, gateway routing, and analytics into one coherent platform built from shared internal services — the same code path used for both self-hosting and Unkey’s own commercial cloud.
Self-Hosting
Licensing Model
Most of the repository is AGPLv3-licensed; code under packages/ carries its own per-package licenses (several permissive, meant for reuse as SDKs), so check the specific package before assuming AGPL applies to it.
Self-Hosting Restrictions No explicit feature gates were found separating the self-hosted code from what Unkey’s hosted cloud runs — the cloud offering is the same codebase operated as a managed service.
Cloud vs Self-Hosted Unkey’s hosted cloud uses usage-based pricing (Starter/Pro/Business tiers from roughly $5-50/month with included usage credits) plus a custom Enterprise tier with dedicated infrastructure — self-hosting avoids that cost but means operating the multi-service stack (gateway, control plane, vault, ClickHouse) yourself.
License Key Required No.
Related Apps
Ollama
AI Development · Developer Tools
Run Llama, Gemma, DeepSeek, and other open LLMs on your own machine with one command and an OpenAI-compatible API.
Ollama
MITDify
No Code Platforms · AI Development · Developer Tools
Visual LLM workflow platform with RAG pipelines, agent capabilities, and model management for building production AI applications.
Dify
OtherFirecrawl
AI Development · Developer Tools
Turn any website into clean, LLM-ready data with a single API call — no proxy headaches, no scraping complexity.