Documentation
Authentication
Authenticate every request with your client ID and secret.
Supported headers
The gateway accepts bearer tokens, basic auth, and explicit client headers. Create credentials in Platform → Settings → Organization → API keys. Each request is validated against the Auth service, including any IP allowlists.
Authorization: Bearer <clientId>:<clientSecret>
Scopes and entitlements
Each API key carries scopes and feature flags that gate endpoint access. Chat completions require chat:send. Audio and avatar endpoints require avatar:interact or avatar:use.
If a request lacks required entitlements, the gateway responds with ACCESS_DENIED and includes the X-Entitlement-Required header.
WebSocket authentication
WebSocket upgrades validate the same headers used for HTTP. Provide credentials during the initial upgrade request to stream audio or avatar data.
Example: wss://<gateway-host>/v1/audio/transcriptions/stream with Authorization: Bearer ...
Browser WebSockets cannot set custom headers. For browser apps, proxy streaming through your backend.
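One way a backend proxy can apply the advice above, as an added example that is not this platform's own code: the server attaches the Bearer credentials to the upstream upgrade and reports a missing entitlement without echoing any request headers. The origin allowlist, the browserReq and creds object shapes, the sample host and credentials, and a comma-separated X-Entitlement-Required value are assumptions.

```javascript
// Added example, not the platform's own code. Assumptions: the origin allowlist,
// the shape of browserReq/creds, and a comma-separated entitlement header value.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // constructed sample
const ALLOWED_PATHS = new Set(["/v1/audio/transcriptions/stream"]); // path from the docs

// Build the upstream upgrade target. The client secret is added here, on the
// server; nothing the browser sent (Authorization, Cookie, query) is forwarded.
function buildUpstreamUpgrade(browserReq, creds, gatewayHost) {
  const origin = browserReq.headers["origin"];
  if (!ALLOWED_ORIGINS.has(origin)) throw new Error("origin not allowed");
  // Normalise first (resolves "../"), then compare against the allowlist.
  const path = new URL(browserReq.url, "http://placeholder.invalid").pathname;
  if (!ALLOWED_PATHS.has(path)) throw new Error("path not allowed");
  if (!creds.clientId || !creds.clientSecret) throw new Error("missing credentials");
  return {
    url: `wss://${gatewayHost}${path}`,
    headers: { Authorization: `Bearer ${creds.clientId}:${creds.clientSecret}` },
  };
}

// Turn a rejected upgrade into something safe to relay to the browser: name the
// missing entitlement from X-Entitlement-Required and nothing else.
function describeDenial(upstreamHeaders) {
  const key = Object.keys(upstreamHeaders)
    .find((k) => k.toLowerCase() === "x-entitlement-required");
  const missing = key
    ? String(upstreamHeaders[key]).split(",").map((s) => s.trim()).filter(Boolean)
    : [];
  return { code: "ACCESS_DENIED", missing };
}

// Constructed demo input; only the URL is logged so the secret stays out of logs.
const demo = buildUpstreamUpgrade(
  { url: "/v1/audio/transcriptions/stream", headers: { origin: "https://app.example.com" } },
  { clientId: "sample-id", clientSecret: "sample-secret" },
  "gateway.example.com"
);
console.log(demo.url);
```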