FishSpeech Docs
API Reference

Authentication

Authenticate FishSpeech Open API requests.

Authentication

FishSpeech Open API requests use bearer API tokens. The token identifies the account, permission scope, quota, and billing context for the request.

Authorization: Bearer YOUR_API_TOKEN

Create and manage tokens in your account:

/en/account?section=api

Request Rules

Every Open API request must include the Authorization header. JSON requests should also include Content-Type: application/json. Multipart endpoints should let your HTTP client set the multipart boundary.

curl https://fishaudio.org/api/open/v1/profile \
  -H "Authorization: Bearer YOUR_API_TOKEN"

Do not send tokens from browser JavaScript, mobile apps, public repos, logs, analytics events, or customer-visible error messages. Treat the token like a password for your production account.

Token Storage

Store the token in a server-side secret manager or encrypted environment variable. Load it at process start and pass it only to the HTTP client that talks to FishSpeech. If you run background workers, give workers the same secret through your deployment platform rather than copying it into job payloads.

Rotate tokens when a team member leaves, when a build log may have exposed a secret, or when you move an integration from staging to production. After rotation, deploy the new token first, verify traffic, then revoke the old token.

Response And Error Handling

Authentication failures return JSON errors when the request reaches the API layer.

StatusMeaningAction
401Token is missing, malformed, revoked, or belongs to a disabled accountStop retries and refresh the configured token
402Credits or API quota are insufficientPrompt the account owner to top up or reduce batch size
429Request is rate limitedRetry with backoff and keep the original job id when possible

Log requestId from error responses. It lets support locate the exact request without asking you to share tokens or raw payloads.

Billing And Credits

Authentication itself does not consume credits. Authenticated media endpoints may reserve or consume credits depending on the endpoint. A valid token therefore does not guarantee that a generation request will succeed; your application should separately handle balance and quota errors.

On this page