Kitta Audio Docs
API Reference

Authentication

Authenticate FishSpeech Open API requests.

CN API paths use a separate contract

This English reference describes the global FishAudio Open API. For Kitta Audio China integrations, use the CN API Reference, API Playground, and API Keys in this site.

Authentication

FishSpeech Open API requests use bearer API keys. The API key identifies the account, permission scope, quota, and billing context for the request.

Authorization: Bearer FISHSPEECH_API_KEY

Create and manage API keys in your account:

/en/account?section=api

Request Rules

Every Open API request must include the Authorization header. JSON requests should also include Content-Type: application/json. Multipart endpoints should let your HTTP client set the multipart boundary.

curl https://fishaudio.org/api/open/v1/profile \
  -H "Authorization: Bearer FISHSPEECH_API_KEY"

Do not send API keys from browser JavaScript, mobile apps, public repos, logs, analytics events, or customer-visible error messages. Treat the API key like a password for your production account.

API Key Storage

Store the API key in a server-side secret manager or encrypted environment variable. Load it at process start and pass it only to the HTTP client that talks to FishSpeech. If you run background workers, give workers the same secret through your deployment platform rather than copying it into job payloads.

Rotate API keys when a team member leaves, when a build log may have exposed a secret, or when you move an integration from staging to production. After rotation, deploy the new API key first, verify traffic, then revoke the old API key.

Response And Error Handling

Authentication failures return JSON errors when the request reaches the API layer.

StatusMeaningAction
401API key is missing, malformed, revoked, or belongs to a disabled accountStop retries and refresh the configured API key
402Credits or API quota are insufficientPrompt the account owner to top up or reduce batch size
429Request is rate limitedRetry with backoff and keep the original job id when possible

Log requestId from error responses. It lets support locate the exact request without asking you to share API keys or raw payloads.

Billing And Credits

Authentication itself does not consume credits. Authenticated media endpoints may reserve or consume credits depending on the endpoint. A valid API key therefore does not guarantee that a generation request will succeed; your application should separately handle balance and quota errors.

Continue with runnable API checks

Docs and executable requests stay in the same CN-site surface. After reading the reference, open the API Playground for curl examples or manage API keys in the developer workspace.

On this page