> ## Documentation Index
> Fetch the complete documentation index at: https://docs.rime.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# API authentication

> How to authenticate with the Rime TTS API using a bearer token.

All requests to the Rime API are authenticated with a **bearer token** in the `Authorization` header.

## Get an API key

1. Sign in at [app.rime.ai](https://app.rime.ai).
2. Open the [API Tokens page](https://app.rime.ai/tokens).
3. Create a new token and copy the value. Treat it like a password — anyone with the token can synthesize speech against your account.

## Use the token

Set the `Authorization` header on every request:

```bash theme={null}
curl --request POST \
  --url https://users.rime.ai/v1/rime-tts \
  --header 'Authorization: Bearer YOUR_API_KEY' \
  --header 'Content-Type: application/json' \
  --header 'Accept: audio/mpeg' \
  --data '{"speaker":"astra","text":"hello","modelId":"coda","language":"en"}'
```

The same header is used for the HTTP endpoint, the WebSocket endpoints, and the metadata/utility endpoints.

## CLI authentication

The `rime` CLI manages your key for you. Run [`rime login`](/cli-reference/rime-auth) once and the CLI stores it at `~/.rime/rime.toml`. You can also set it explicitly via the `RIME_CLI_API_KEY` environment variable.

## On-prem authentication

On-prem deployments accept the same `Authorization: Bearer …` header. You can also pre-configure a key at the deployment level using the `RIME_API_KEY` environment variable, so callers don't need to send the header at all. See [the on-prem quickstart](/docs/on-prem/quickstart) for details.

## Common auth errors

If your request fails authentication, the API returns `401 Unauthorized` with a short plain-text body explaining why:

| Status | Body              | Cause                                                                    |
| :----- | :---------------- | :----------------------------------------------------------------------- |
| `401`  | `missing headers` | No `Authorization` header was sent.                                      |
| `401`  | `invalid api key` | The token is not recognized, or it was sent without the `Bearer` scheme. |

Always send the header as `Authorization: Bearer <token>` (capital `B`). The token alone, without `Bearer`, is rejected.

## Related

* [Quickstart: TTS in five minutes](/docs/quickstart-five-minute)
* [API reference index](/docs/api-reference)
* [CLI authentication commands](/cli-reference/rime-auth)