Every request to the Chariot API is authenticated with an API key sent in the chariotai-api-key header.
curl https://api.chariot.in/v1/credits \
-H "chariotai-api-key: YOUR_API_KEY"
Generate and manage keys from the Chariot dashboard. A key is bound to your workspace, so requests draw on that workspace’s credits and plan limits.
Key types
| Type | Use it for | Origin restriction |
|---|
| Private | Server-side code. Full access to your workspace. | None, never expose it in a browser. |
| Public | Browser or client-side code where the key is visible. | Restricted to an allowlist of origins you configure. |
Treat a private key like a password. Anyone with it can spend your credits and manage your voices. Store it in a secret manager or environment variable, never in client-side code or version control. If a key leaks, rotate it from the dashboard.
Public keys and allowed origins
Public keys are meant for front-end use where the key is unavoidably visible. To contain the blast radius, a public key only works when the request comes from an origin on its allowlist. A request from any other origin is rejected:
{
"statusCode": 401,
"error": "UnauthorizedException",
"message": "Unauthorized request!"
}
Configure the allowed origins for a public key in the dashboard.
Authentication errors
All authentication failures return 401 with the standard error envelope:
| Message | Cause |
|---|
No API key or user credentials provided | The chariotai-api-key header is missing. |
Invalid API Key or user credentials | The key is unknown or malformed. |
API Key expired | The key has passed its expiry. |
Unauthorized request! | A public key was used from a non-allowlisted origin. |
See Errors & status codes for the full envelope and other status codes.
Which endpoints accept API keys
API keys authenticate the public product endpoints, text-to-speech, voices, and account/credits. Dashboard-only actions such as account signup, billing, and workspace administration are handled through the Chariot web app and are not part of this API.