All API requests to SM-AI-MODELS must be authenticated using an API key. This ensures only authorized clients can access the Text-to-Speech and Speech Recognition services.
On-Premise Deployments: If your instance is deployed within a private network without authentication enabled, you may skip API key headers. Check with your system administrator.
API Key
Include your API key in the X-API-Key header of every request:
Code
Alternatively, you can use the Authorization header with a Bearer token:
Code
Obtaining Your API Key
Contact your Unicode account manager or system administrator to receive your API credentials. Each API key is scoped to your organization and may include:
- Rate limit tier — Determines requests per minute
- Service access — TTS only, ASR only, or both
- Voice access — Which voices are available to your key
Rate Limits
Each API key has rate limits to ensure fair usage:
| Limit | Default | Description |
|---|---|---|
| RPM | 60 | Requests per minute |
| TPM | 50,000 | Tokens per minute |
| TPD | 1,000,000 | Tokens per day |
| Concurrent | 5 | Maximum concurrent connections |
Rate limit headers are included in API responses:
Code
When rate limited, the API returns:
Code
Using the API Key
cURL
Code
Python
Code
Node.js
Code
Environment Variables
Never hardcode API keys in your source code. Use environment variables:
Code
Code
Code
Security Best Practices
| Practice | Description |
|---|---|
| Never commit keys | Add .env to .gitignore |
| Rotate regularly | Rotate API keys every 90 days |
| Use server-side only | Never expose keys in frontend/browser code |
| Scope access | Request minimum required permissions |
| Monitor usage | Review API usage logs for anomalies |
| Use HTTPS | Always use TLS in production |
Security Headers
The API returns the following security headers on all responses:
| Header | Value | Purpose |
|---|---|---|
X-Content-Type-Options | nosniff | Prevents MIME-type sniffing |
X-Frame-Options | DENY | Prevents clickjacking |
X-XSS-Protection | 1; mode=block | Enables XSS filter |
Strict-Transport-Security | max-age=31536000; includeSubDomains | Enforces HTTPS |
Referrer-Policy | strict-origin-when-cross-origin | Controls referrer information |
Permissions-Policy | microphone=(), camera=() | Restricts browser permissions |
WebSocket Authentication
For WebSocket connections, send the API key as the first message after connecting:
Code
Python example:
Code
JavaScript example:
Code
Authentication Errors
| Status | Error Code | Description |
|---|---|---|
401 | unauthorized | Missing or invalid API key |
403 | forbidden | API key lacks permission for this resource |
403 | voice_not_allowed | API key does not have access to requested voice |
Code
Transport Security (TLS)
All API connections use TLS encryption. SM-AI-MODELS enforces TLS 1.3 as the minimum protocol version.
| Protocol | TLS Requirement |
|---|---|
| REST / WebSocket | HTTPS / WSS (TLS 1.3+) |
| gRPC | TLS 1.3+ via ssl_channel_credentials() |
Python (gRPC):
Code
Custom certificates (self-signed or private CA):
Code
On-Premise: For deployments using private CAs, pass your CA certificate to the client. See your administrator for certificate details.
gRPC Authentication
For gRPC connections, pass the API key as metadata using the x-api-key header:
Code
Alternatively, use the authorization header with Bearer token:
Code
Code