Authenticate your client apps
You may want to make Cartesia API requests directly from your client application. However, shipping your API key in the app is not secure: anyone can extract the key from the distributed code and issue API requests billed to your account.
Access Tokens provide a secure way to authenticate client-side requests to Cartesia’s APIs without exposing your API key.
Prerequisites
Before implementing Access Tokens:
- Configure your server with a Cartesia API key
- Implement user authentication in your application
- Establish secure client-server communication
Available Grants
Currently we only support one grant, tts. With grants: { tts: true }, clients have access to:
- /tts/bytes - Synchronous TTS generation streamed with chunked encoding
- /tts/sse - Server-sent events for streaming
- /tts/websocket - WebSocket-based streaming
Coming Soon: Additional grants for /voices, /voice-changer, and other services
Implementation Guide
1. Token Generation (Server-side)
From your server (never from the client), make a request to generate a new access token with the grants the client needs.
For detailed API specifications, see the Token API Reference.
2. Token Storage (Client-side)
Store the token securely, for example in an HTTP-only cookie whose expiration matches the token's. Set the cookie with httpOnly, secure, and sameSite: "strict". Bear in mind that a cookie is only sent to your own origin and an HTTP-only cookie cannot be read by page script: it protects the token on your site, but client code that calls Cartesia directly still needs the token value, delivered from your server and held in memory rather than in web storage.
3. Making Authenticated Requests
4. Token Refresh Strategy
Proactively refresh the token in your app before it expires, rather than waiting for a request to fail with an authentication error.
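The four steps above as one worked flow, written here as an added example and not taken from Cartesia's SDK or documentation: a server-side handler that refuses anonymous callers, mints a token with the API key, sets the HttpOnly/Secure/SameSite=Strict cookie with a matching Max-Age, and returns the token and its expiry to the client; and a client-side in-memory cache that refreshes the token a safety margin before it expires. The token endpoint URL, the `X-API-Key` and `Cartesia-Version` headers, the `expires_in` body field, the `{ token }` response shape and the `Authorization: Bearer` scheme for the /tts/* endpoints are assumptions not stated on this page; confirm each against the Token API Reference. `fetchImpl` and `now` are injectable so the code runs offline.

```javascript
// Added example (not Cartesia's SDK or documentation code): server-side token
// minting plus a client-side cache with proactive refresh.
// Assumptions not stated on the page: the token endpoint URL, the X-API-Key and
// Cartesia-Version request headers, the expires_in body field, the { token }
// response shape, and the Bearer scheme used toward /tts/* endpoints.

const CARTESIA_TOKEN_URL = "https://api.cartesia.ai/access-token"; // assumed
const TOKEN_TTL_SECONDS = 60;                                       // minutes, not hours
const REFRESH_MARGIN_MS = 15_000;                                   // refresh this early

// ---- Server side -----------------------------------------------------------

// Build the request that mints a token. The API key appears here and nowhere else.
function buildMintRequest(apiKey, ttlSeconds = TOKEN_TTL_SECONDS) {
  return {
    url: CARTESIA_TOKEN_URL,
    options: {
      method: "POST",
      headers: {
        "X-API-Key": apiKey,              // assumed header name
        "Cartesia-Version": "2024-06-10", // assumed version header
        "Content-Type": "application/json",
      },
      body: JSON.stringify({ grants: { tts: true }, expires_in: ttlSeconds }),
    },
  };
}

// Set-Cookie value for the minted token: HttpOnly, Secure, SameSite=Strict,
// and a Max-Age equal to the token lifetime so cookie and token expire together.
function tokenCookie(token, ttlSeconds = TOKEN_TTL_SECONDS) {
  return `cartesia_token=${encodeURIComponent(token)}; Max-Age=${ttlSeconds}; ` +
         "Path=/; HttpOnly; Secure; SameSite=Strict";
}

// Token endpoint on your own server. `req.user` is whatever your auth layer sets.
async function handleTokenRequest(req, { apiKey, fetchImpl = fetch, now = Date.now } = {}) {
  if (!req.user) {                        // never mint for anonymous callers
    return { status: 401, headers: {}, body: { error: "unauthenticated" } };
  }
  const { url, options } = buildMintRequest(apiKey);
  const res = await fetchImpl(url, options);
  if (!res.ok) return { status: 502, headers: {}, body: { error: "token mint failed" } };
  const { token } = await res.json();     // assumed response shape
  return {
    status: 200,
    headers: { "Set-Cookie": tokenCookie(token) },
    body: { token, expiresAt: now() + TOKEN_TTL_SECONDS * 1000 }, // no API key here
  };
}

// ---- Client side -----------------------------------------------------------

// Hold the token in memory only (never localStorage) and refresh proactively.
class TokenCache {
  constructor(fetchToken, { now = Date.now, marginMs = REFRESH_MARGIN_MS } = {}) {
    this.fetchToken = fetchToken; // () => Promise<{ token, expiresAt }> from your server
    this.now = now;
    this.marginMs = marginMs;
    this.token = null;
    this.expiresAt = 0;
  }
  // True while the token is still safely inside its lifetime (margin subtracted).
  isFresh() {
    return this.token !== null && this.now() < this.expiresAt - this.marginMs;
  }
  // Returns a usable token, refreshing before expiry instead of after a failure.
  async get() {
    if (!this.isFresh()) {
      const { token, expiresAt } = await this.fetchToken();
      this.token = token;
      this.expiresAt = expiresAt;
    }
    return this.token;
  }
}

// Headers for a direct call to /tts/bytes, /tts/sse or /tts/websocket (assumed scheme).
function authHeaders(token) {
  return { Authorization: `Bearer ${token}` };
}
```

In a browser, `new TokenCache(() => fetch("/api/cartesia-token").then(r => r.json()))` gives a `get()` that client code awaits before each TTS request; the server handler runs once per refresh and the API key is never serialized into any response.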
Security Best Practices
Essential Guidelines
- ✅ Generate tokens server-side only
- ✅ Use short token lifetimes (minutes)
- ✅ Implement automatic token refresh
- ✅ Store tokens in HTTP-only cookies
- ✅ Enable secure and SameSite cookie flags
Security Don’ts
- ❌ Never store tokens in localStorage/sessionStorage
- ❌ Never log tokens or display them in the UI
- ❌ Never transmit tokens over non-HTTPS connections
Token Lifecycle Management
- Generate new token upon user authentication
- Implement automatic refresh before expiration
- Handle token expiration gracefully
Additional Resources
- API Reference - Access Token generation endpoint documentation