Authentication
Authenticate FishSpeech Open API requests.
FishSpeech Open API requests use bearer API tokens. The token identifies the account, permission scope, quota, and billing context for the request.
Authorization: Bearer YOUR_API_TOKEN
Create and manage tokens in your account:
/en/account?section=api
Request Rules
Every Open API request must include the Authorization header. JSON requests should also include Content-Type: application/json. Multipart endpoints should let your HTTP client set the multipart boundary.
curl https://fishaudio.org/api/open/v1/profile \
  -H "Authorization: Bearer YOUR_API_TOKEN"
Do not send tokens from browser JavaScript, mobile apps, public repos, logs, analytics events, or customer-visible error messages. Treat the token like a password for your production account.
Token Storage
Store the token in a server-side secret manager or encrypted environment variable. Load it at process start and pass it only to the HTTP client that talks to FishSpeech. If you run background workers, give workers the same secret through your deployment platform rather than copying it into job payloads.
Rotate tokens when a team member leaves, when a build log may have exposed a secret, or when you move an integration from staging to production. After rotation, deploy the new token first, verify traffic, then revoke the old token.
Response And Error Handling
Authentication failures return JSON errors when the request reaches the API layer.
| Status | Meaning | Action |
|---|---|---|
| 401 | Token is missing, malformed, revoked, or belongs to a disabled account | Stop retries and refresh the configured token |
| 402 | Credits or API quota are insufficient | Prompt the account owner to top up or reduce batch size |
| 429 | Request is rate limited | Retry with backoff and keep the original job id when possible |
Log requestId from error responses. It lets support locate the exact request without asking you to share tokens or raw payloads.
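The status rules in the table and the requestId logging above, as an added Python example that is not FishSpeech's own code. It assumes the error body is a JSON object with a top-level requestId field, a hypothetical FISHSPEECH_API_TOKEN environment variable, and an illustrative backoff schedule.

```python
import json
import os
import time
import urllib.error
import urllib.request

API_URL = "https://fishaudio.org/api/open/v1/profile"  # endpoint shown on this page

class AuthError(Exception):
    """401: token missing, malformed, revoked, or account disabled."""
class QuotaError(Exception):
    """402: credits or API quota are insufficient."""

def http_send(url, headers):
    """Real transport; returns (status, body_text) for success and HTTP errors."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def request_id_of(body):
    """Assumption: error JSON is an object with a top-level requestId field."""
    try:
        data = json.loads(body)
    except ValueError:
        return None  # the error did not come from the API layer
    return data.get("requestId") if isinstance(data, dict) else None

def call_api(token, send=http_send, sleep=time.sleep, log=print, max_tries=4):
    headers = {"Authorization": f"Bearer {token}"}
    for attempt in range(max_tries):
        status, body = send(API_URL, headers)
        if status == 200:
            return json.loads(body)
        rid = request_id_of(body)
        log(f"fishspeech error status={status} requestId={rid}")  # no token, no payload
        if status == 401:
            raise AuthError(rid)   # stop retries; the configured token must be replaced
        if status == 402:
            raise QuotaError(rid)  # retrying cannot fix an empty balance
        if status != 429:
            raise RuntimeError(f"unexpected status {status}")
        sleep(2 ** attempt)        # 429: exponential backoff, then retry
    raise RuntimeError("still rate limited after retries")

if __name__ == "__main__":  # FISHSPEECH_API_TOKEN: hypothetical env variable name
    print(call_api(os.environ["FISHSPEECH_API_TOKEN"]))
```

The `send`, `sleep` and `log` parameters exist so the retry policy can be exercised without network access or a real token.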
Billing And Credits
Authentication itself does not consume credits. Authenticated media endpoints may reserve or consume credits depending on the endpoint. A valid token therefore does not guarantee that a generation request will succeed; your application should separately handle balance and quota errors.