Principal

engine.Principal is the shared identity shape produced by authentication policies. It decouples the authentication mechanism from downstream authorization decisions and from upstream applications, which receive it as a JSON payload on the X-Unkey-Principal header. The struct is hand-written with encoding/json rather than generated from protobuf. The Principal is output-only (sentinel produces it, apps consume the JSON), so proto-as-IDL buys nothing while fighting the JSON contract we want to expose. The wire format is authoritative. For the full public reference, see the product docs.

Fields

version

string

Schema version of the Principal payload. Currently "v1". Bumped only on breaking changes to the JSON shape.

subject

string

The primary identifier of the authenticated entity. For KeyAuth, this is the identity’s external ID when the key is linked to an identity, otherwise the key ID. For JWTAuth, this is the configured subject claim (default sub).

type

PrincipalType

Which authentication method produced this Principal. API_KEY or JWT. Always matches the populated variant of source.

identity

Identity

The Unkey identity linked to the credential, when present. Absent from the JSON entirely when no identity is linked — never null and never an empty object.

source

Source

Discriminated union over method-specific detail. Contains exactly one populated variant matching type: source.key for API keys, source.jwt for JWT. The variant name is the lowercase of the type (minus the underscore).

What a principal looks like

KeyAuth principal
JWT principal

{
  "version": "v1",
  "subject": "user_abc123",
  "type": "API_KEY",
  "identity": {
    "externalId": "user_abc123",
    "meta": { "plan": "pro" }
  },
  "source": {
    "key": {
      "keyId": "key_xyz",
      "keySpaceId": "ks_abc123",
      "name": "ACME Production",
      "expiresAt": 1717200000000,
      "meta": {},
      "roles": ["admin"],
      "permissions": ["api.read", "api.write"]
    }
  }
}

{
  "version": "v1",
  "subject": "auth0|abc123",
  "type": "JWT",
  "source": {
    "jwt": {
      "header": { "alg": "RS256", "typ": "JWT", "kid": "key-1" },
      "payload": {
        "iss": "https://acme.com",
        "sub": "auth0|abc123",
        "aud": "api.acme.com",
        "exp": 1711310400,
        "email": "user@acme.com",
        "org_id": "org_456"
      },
      "signature": "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW..."
    }
  }
}

KeyAuth source fields

When produced by a KeyAuth policy, source.key carries the verified key detail. Fields marked optional are omitted from the JSON when unset.

Field	Optional	Description
`keyId`		The ID of the verified key.
`keySpaceId`		The keyspace the key belongs to.
`name`	yes	Human-readable key name, when set.
`expiresAt`	yes	Unix timestamp in milliseconds (JSON number). Omitted when the key has no expiry.
`meta`		Custom key metadata. Always emitted, `{}` when empty.
`roles`	yes	Raw RBAC role names. Omitted when empty.
`permissions`	yes	Raw RBAC permissions. Omitted when empty.

Header propagation

Sentinel serializes the principal to JSON and sets it on the X-Unkey-Principal header before forwarding to the instance. The instance reads this header to make authorization decisions without re-verifying the credential. The proxy handler strips any incoming X-Unkey-Principal header before policy evaluation to prevent clients from spoofing an authenticated identity.

Overview

Services

RFCs

Fields

What a principal looks like

KeyAuth source fields

Header propagation

Overview

Services

RFCs

Documentation Index

​Fields

​What a principal looks like

​KeyAuth source fields

​Header propagation

Fields

What a principal looks like

KeyAuth source fields

Header propagation