Authentication
All requests to Inworld’s APIs must include an API key in an Authorization HTTP header. All APIs supports both Basic and JWT authentication.
Getting an API key
To get an API key, follow these steps:
- Log in to Inworld Portal.
- Click API Keys on the bottom left sidebar.
- Click Generate new key to generate a new API key.
- Copy the Basic (Base64) authorization signature.
You can also specify for each API key whether it has permissions to write to the Voice API, which enables the API key to be used for cloning voices via the Voice API. These permissions do not impact other APIs (such as Text-to-Speech and LLM).
Basic authentication
Do not expose your Base64 API credentials in client-side code (browsers, apps, game builds), as it may be compromised. Please consider JWT authentication for client-side builds.
Authorization: Basic $INWORLD_BASE64_CREDENTIALS
JWT authentication
JWT (JSON Web Token) authentication allows you to issue a signed token from your server that clients can use to securely authenticate with Inworld APIs. This method is strongly recommended when calling APIs from client-side code, to avoid exposing your credentials.
How it works:
- Your backend securely stores the Inworld Runtime API Key and Secret.
- When the client needs to authenticate, it requests a token from your backend.
- Your backend uses the API key and secret to generate a signed JWT and returns it to the client.
- The client uses this JWT with each API request to Inworld:
Authorization: Bearer $JWT
