Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.inworld.ai/llms.txt

Use this file to discover all available pages before exploring further.

Authentication

All requests to Inworld’s APIs must include an API key in an Authorization HTTP header. All APIs support both Basic and JWT authentication.

Getting an API key

To get an API key, follow these steps:
  1. Log in to Inworld Portal.
  2. Click API Keys on the bottom left sidebar.
  3. Click Generate new key to generate a new API key.
  4. Copy the Basic (Base64) authorization signature.
Get API Key You can also specify for each API key whether it has write permissions to:
  • Voice API, which enables the API key to be used for POST, PATCH, and DELETE endpoints (clone voice, update voice, delete voice). GET endpoints only require read permissions.
  • Router API, which enables the API key to be used for POST, PATCH, and DELETE endpoints (create router, update router, delete router). GET endpoints only require read permissions.
Router API Key Permissions These permissions do not impact other APIs (such as Text-to-Speech and LLM).

Basic authentication

Do not expose your Base64 API credentials in client-side code (browsers, apps, game builds), as it may be compromised. Please consider JWT authentication for client-side builds.
Basic authentication uses the Base64 encoded credentials to authenticate the request. Below is an example of the header for Basic authentication: 
Authorization: Basic $INWORLD_API_KEY
Make sure to keep your Base64 credentials safe, as anyone with your credentials can make requests on your behalf. It is recommended that credentials are stored as environment variables and read at run time.

JWT authentication

JWT (JSON Web Token) authentication allows you to issue a signed token from your server that clients can use to securely authenticate with Inworld APIs. This method is strongly recommended when calling APIs from client-side code, to avoid exposing your credentials. How it works:
  1. Your backend securely stores the Inworld API Key and Secret.
  2. When the client needs to authenticate, it requests a token from your backend.
  3. Your backend uses the API key and secret to generate a signed JWT and returns it to the client.
  4. The client uses this JWT with each API request to Inworld:
Authorization: Bearer $JWT
We recommend taking a look at this sample Node.js application for an example of how to generate JWT tokens for authentication with the Inworld API.