Authentication
Authenticate FishSpeech Open API requests.
CN API paths use a separate contract
This English reference describes the global FishAudio Open API. For Kitta Audio China integrations, use the CN API Reference, API Playground, and API Keys in this site.
Authentication
FishSpeech Open API requests use bearer API keys. The API key identifies the account, permission scope, quota, and billing context for the request.
Authorization: Bearer FISHSPEECH_API_KEYCreate and manage API keys in your account:
/en/account?section=apiRequest Rules
Every Open API request must include the Authorization header. JSON requests should also include Content-Type: application/json. Multipart endpoints should let your HTTP client set the multipart boundary.
curl https://fishaudio.org/api/open/v1/profile \
-H "Authorization: Bearer FISHSPEECH_API_KEY"Do not send API keys from browser JavaScript, mobile apps, public repos, logs, analytics events, or customer-visible error messages. Treat the API key like a password for your production account.
API Key Storage
Store the API key in a server-side secret manager or encrypted environment variable. Load it at process start and pass it only to the HTTP client that talks to FishSpeech. If you run background workers, give workers the same secret through your deployment platform rather than copying it into job payloads.
Rotate API keys when a team member leaves, when a build log may have exposed a secret, or when you move an integration from staging to production. After rotation, deploy the new API key first, verify traffic, then revoke the old API key.
Response And Error Handling
Authentication failures return JSON errors when the request reaches the API layer.
| Status | Meaning | Action |
|---|---|---|
401 | API key is missing, malformed, revoked, or belongs to a disabled account | Stop retries and refresh the configured API key |
402 | Credits or API quota are insufficient | Prompt the account owner to top up or reduce batch size |
429 | Request is rate limited | Retry with backoff and keep the original job id when possible |
Log requestId from error responses. It lets support locate the exact request without asking you to share API keys or raw payloads.
Billing And Credits
Authentication itself does not consume credits. Authenticated media endpoints may reserve or consume credits depending on the endpoint. A valid API key therefore does not guarantee that a generation request will succeed; your application should separately handle balance and quota errors.
Continue with runnable API checks
Docs and executable requests stay in the same CN-site surface. After reading the reference, open the API Playground for curl examples or manage API keys in the developer workspace.