Skip to main content
Every request to the Chariot API is authenticated with an API key sent in the chariotai-api-key header.
curl https://api.chariot.in/v1/credits \
  -H "chariotai-api-key: YOUR_API_KEY"
Generate and manage keys from the Chariot dashboard. A key is bound to your workspace, so requests draw on that workspace’s credits and plan limits.

Key types

TypeUse it forOrigin restriction
PrivateServer-side code. Full access to your workspace.None, never expose it in a browser.
PublicBrowser or client-side code where the key is visible.Restricted to an allowlist of origins you configure.
Treat a private key like a password. Anyone with it can spend your credits and manage your voices. Store it in a secret manager or environment variable, never in client-side code or version control. If a key leaks, rotate it from the dashboard.

Public keys and allowed origins

Public keys are meant for front-end use where the key is unavoidably visible. To contain the blast radius, a public key only works when the request comes from an origin on its allowlist. A request from any other origin is rejected:
{
  "statusCode": 401,
  "error": "UnauthorizedException",
  "message": "Unauthorized request!"
}
Configure the allowed origins for a public key in the dashboard.

Authentication errors

All authentication failures return 401 with the standard error envelope:
MessageCause
No API key or user credentials providedThe chariotai-api-key header is missing.
Invalid API Key or user credentialsThe key is unknown or malformed.
API Key expiredThe key has passed its expiry.
Unauthorized request!A public key was used from a non-allowlisted origin.
See Errors & status codes for the full envelope and other status codes.

Which endpoints accept API keys

API keys authenticate the public product endpoints, text-to-speech, voices, and account/credits. Dashboard-only actions such as account signup, billing, and workspace administration are handled through the Chariot web app and are not part of this API.