Authentication

Authenticate your API requests using API keys

Overview

All API requests require a valid API key in the Authorization header:

Authorization: Bearer YOUR_API_KEY

Without this header, requests return 401 Unauthorized.

Getting an API key

  1. Sign in to the Speechify Console
  2. Navigate to API Keys
  3. Copy your default key, or create a new one

Set the SPEECHIFY_API_KEY environment variable and our SDKs will authenticate automatically — no need to pass the key in code.

Using API keys

from speechify import Speechify

# Option 1: Automatic (reads SPEECHIFY_API_KEY env var)
client = Speechify()

# Option 2: Explicit
client = Speechify(api_key="your-api-key")

Security best practices

API keys grant full access to your account, including creating/deleting voices and generating audio at your expense. Treat them like passwords.

Do

  • Store keys in environment variables or secret managers
  • Use server-side code to make API calls
  • Add .env to your .gitignore
  • Rotate keys periodically via the Console

Don’t

  • Embed keys in client-side code (JavaScript bundles, mobile apps)
  • Commit keys to version control, even in private repos
  • Share keys over unencrypted channels

Platform-specific secret management

Platform | Documentation
Vercel | Environment Variables
Netlify | Environment Variables
Google Cloud | Secret Manager
AWS | Secrets Manager

Server-side proxy pattern

If your frontend needs to call the API, set up a server-side proxy instead of exposing the key:

Client → Your Server (adds API key) → Speechify API

Always authenticate your own users before proxying requests. An open proxy allows anyone to make API calls at your expense.

Key considerations:

  • Create specific proxy endpoints (not a wildcard passthrough)
  • Validate and sanitize inputs before forwarding
  • Add rate limiting to prevent abuse
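
A sketch of the request handling behind such a proxy endpoint, added here as an illustration and not taken from Speechify's SDK or documentation. The upstream URL is a placeholder, and the "text"/"voice" field names, the voice allow-list and the limits are assumptions; session_user stands for whatever your own login layer provides.

```python
import os
import time
from collections import defaultdict, deque

# Assumptions (not from the Speechify docs): placeholder upstream URL,
# hypothetical "text"/"voice" fields, constructed voice allow-list and limits.
UPSTREAM_URL = "https://upstream.example.invalid/tts"
ALLOWED_VOICES = {"voice-a", "voice-b"}
MAX_TEXT_LEN = 2000
RATE_LIMIT, WINDOW_SECONDS = 5, 60.0

_recent = defaultdict(deque)  # user id -> timestamps of recent requests


def rate_limited(user_id, now):
    """Sliding-window limiter: at most RATE_LIMIT requests per window per user."""
    hits = _recent[user_id]
    while hits and now - hits[0] >= WINDOW_SECONDS:
        hits.popleft()
    if len(hits) >= RATE_LIMIT:
        return True
    hits.append(now)
    return False


def handle_tts(session_user, body, api_key=None, now=None):
    """Handle one request to the single proxied endpoint.
    session_user comes from your own login/session layer (None = anonymous).
    Returns (status, payload); on 200 the payload is the upstream request to send.
    """
    now = time.monotonic() if now is None else now
    if session_user is None:  # never proxy for unauthenticated callers
        return 401, {"error": "sign in required"}
    if rate_limited(session_user, now):
        return 429, {"error": "too many requests"}
    if not isinstance(body, dict):
        return 400, {"error": "JSON object expected"}
    text, voice = body.get("text"), body.get("voice")
    if not isinstance(text, str) or not 0 < len(text) <= MAX_TEXT_LEN:
        return 400, {"error": "text must be 1-2000 characters"}
    if not isinstance(voice, str) or voice not in ALLOWED_VOICES:
        return 400, {"error": "unknown voice"}
    # Rebuild the request from validated fields only; nothing else the client
    # sent (extra fields, headers) is forwarded. The key is added server-side.
    key = api_key or os.environ["SPEECHIFY_API_KEY"]
    return 200, {
        "url": UPSTREAM_URL,
        "headers": {"Authorization": f"Bearer {key}"},
        "json": {"text": text, "voice": voice},
    }
```

Wire handle_tts into one specific route of your web framework and send the returned request with your HTTP client; the key never appears in any response to the browser.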

Error responses

Status | Meaning | Action
401 Unauthorized | Missing or invalid API key | Check your Authorization header
402 Payment Required | Insufficient balance | Add funds to your account
429 Too Many Requests | Rate or concurrency limit exceeded | Back off and retry after the Retry-After header value

Access Tokens were previously available for client-side authentication via the POST /v1/auth/token endpoint. This method is now deprecated.

All applications should use API keys with a server-side proxy pattern instead. If you’re currently using Access Tokens, migrate to API keys at your earliest convenience.

For reference, the legacy endpoint documentation is available in the API Reference.