rules:
  - name: Unkey Root Key
    id: kingfisher.unkey.1
    pattern: |
      (?x)
      \b
      (
        unkey_[A-Za-z0-9]{20,32}
      )
      \b
    pattern_requirements:
      min_digits: 1
      min_uppercase: 1
      min_lowercase: 1
    min_entropy: 3.5
    confidence: medium
    examples:
      - 'UNKEY_ROOT_KEY=unkey_3ZVfA2xpgBS9WJjN4m8ApeJg'
      - 'Authorization: Bearer unkey_3ZV3tmPyoE5mmf1P6EHFJfG3'
      - 'unkey_root_key = "unkey_3ZV4z6rNpDCjmyadJH1MttTh"'
    validation:
      type: Http
      content:
        request:
          method: POST
          url: https://api.unkey.com/v2/keys.verifyKey
          headers:
            Authorization: "Bearer {{ TOKEN }}"
            Content-Type: application/json
          body: '{"key":"invalid_key_test"}'
          response_matcher:
            - report_response: true
            - type: StatusMatch
              status: [200, 403]
            - type: WordMatch
              words: 
                - '"Unauthorized"'
              negative: true
              match_all_words: false
    # Root keys cannot be revoked via API; use Settings → Root Keys in the Unkey dashboard.
    references:
      - https://www.unkey.com/docs/security/root-keys
      - https://www.unkey.com/docs/api-reference/v2/auth
      - https://www.unkey.com/docs/api-reference/v2/keys/verify-api-key

  - name: Unkey API Key (key_ prefix)
    id: kingfisher.unkey.2
    pattern: |
      (?x)
      \b
      (
        key_[A-Za-z0-9]{10,48}
      )
      \b
    pattern_requirements:
      min_digits: 1
      min_uppercase: 1
      min_lowercase: 1
    min_entropy: 3.5
    confidence: medium
    examples:
      - 'UNKEY_API_KEY=key_KH1V87o2X2GW'
      - 'x-api-key: key_KH1V87o2X2GW'
      - 'Authorization: Bearer key_KH1V87o2X2GW'
    # Revocation requires a root key with api.*.delete_key permission.
    # Pass via: --var UNKEY_ROOT_KEY=unkey_xxx
    revocation:
      type: Http
      content:
        request:
          method: POST
          url: https://api.unkey.com/v2/keys.deleteKey
          headers:
            Authorization: "Bearer {{ UNKEY_ROOT_KEY }}"
            Content-Type: application/json
          body: '{"keyId":"{{ TOKEN | json_escape }}","permanent":false}'
          response_matcher:
            - report_response: true
            - type: StatusMatch
              status: [200]
    references:
      - https://www.unkey.com/docs/api-reference/v2/keys/create-api-key
      - https://www.unkey.com/docs/api-reference/v2/keys/verify-api-key
      - https://www.unkey.com/docs/api-reference/v2/keys/delete-api-keys

  - name: Unkey API Key Secret (creation-only plaintext)
    id: kingfisher.unkey.3
    pattern: |
      (?xi)
      unkey
      (?:_(?:secret|plaintext|key|create)){1,3}
      \s* [=:] \s*
      ['"]?
      (?P<secret>[A-Za-z0-9]{20,48})
      ['"]?
      \b
    pattern_requirements:
      min_digits: 1
      min_uppercase: 1
      min_lowercase: 1
    min_entropy: 3.5
    confidence: medium
    examples:
      - 'unkey_secret = "3Zem2ZG4U1rsRiMSxy6pBjvZ"'
      - 'UNKEY_KEY_SECRET: 3Zem2ZG4U1rsRiMSxy6pBjvZ'
    references:
      - https://www.unkey.com/docs/api-reference/v2/keys/create-api-key