> ## Documentation Index
> Fetch the complete documentation index at: https://docs.chariot.in/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> How to authenticate requests to the Chariot API with your API key.

Every request to the Chariot API is authenticated with an API key sent in the `chariotai-api-key` header.

```bash theme={null}
curl https://api.chariot.in/v1/credits \
  -H "chariotai-api-key: YOUR_API_KEY"
```

Generate and manage keys from the [Chariot dashboard](https://chariot.in). A key is bound to your workspace, so requests draw on that workspace's credits and plan limits.

## Key types

| Type        | Use it for                                            | Origin restriction                                   |
| ----------- | ----------------------------------------------------- | ---------------------------------------------------- |
| **Private** | Server-side code. Full access to your workspace.      | None, never expose it in a browser.                  |
| **Public**  | Browser or client-side code where the key is visible. | Restricted to an allowlist of origins you configure. |

<Warning>
  Treat a private key like a password. Anyone with it can spend your credits and manage your voices. Store it in a secret manager or environment variable, never in client-side code or version control. If a key leaks, rotate it from the dashboard.
</Warning>

## Public keys and allowed origins

Public keys are meant for front-end use where the key is unavoidably visible. To contain the blast radius, a public key only works when the request comes from an origin on its allowlist. A request from any other origin is rejected:

```json theme={null}
{
  "statusCode": 401,
  "error": "UnauthorizedException",
  "message": "Unauthorized request!"
}
```

Configure the allowed origins for a public key in the dashboard.

## Authentication errors

All authentication failures return `401` with the standard error envelope:

| Message                                   | Cause                                                |
| ----------------------------------------- | ---------------------------------------------------- |
| `No API key or user credentials provided` | The `chariotai-api-key` header is missing.           |
| `Invalid API Key or user credentials`     | The key is unknown or malformed.                     |
| `API Key expired`                         | The key has passed its expiry.                       |
| `Unauthorized request!`                   | A public key was used from a non-allowlisted origin. |

See [Errors & status codes](/guides/resources/errors) for the full envelope and other status codes.

## Which endpoints accept API keys

API keys authenticate the public product endpoints, text-to-speech, voices, and account/credits. Dashboard-only actions such as account signup, billing, and workspace administration are handled through the Chariot web app and are not part of this API.
