Authentication

Authentication

Every REST API request is authenticated with two credentials sent as headers:

• X-API-Key — your website's public identifier.
• X-API-Secret — your non-public server credential.

Both must be sent together:

curl https://texttospeech.responsivevoice.org/v2/voices \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "X-API-Secret: YOUR_API_SECRET"

Getting your credentials

Both live in your website's settings in the ResponsiveVoice dashboard (no account yet? sign up):

• API key — shown in the "Your site code" snippet (key: XXXXX).
• API secret — created under "Server-to-server API secrets". It is shown only once when generated, so copy it immediately; you can revoke it there at any time.

Caution

The API secret is a credential — keep it server-side. Never embed it in browser code or commit it to source control. Browser apps use the @responsivevoice/core SDK, which authenticates by origin and does not need the secret.