Authentication
Learn how to authenticate your requests to the Nineninesix API.
All API requests require an API key. Keys are scoped to a project within your organization.
API Keys
API keys follow the format sk_996_<prefix>_<secret> and are created from your dashboard.
API keys are shown only once at creation. Store them securely — we only keep a hash on our end.
Using Your Key
Pass the key as a Bearer token (or in the X-API-Key header):
Authorization: Bearer sk_996_your_api_keyFor WebSocket connections that can't set headers, pass the key as a query parameter: ?api_key=sk_996_....
Full Example
curl -N https://api.nineninesix.ai/tts/bytes \
-H "Authorization: Bearer sk_996_your_api_key" \
-H "Content-Type: application/json" \
-d '{"model_id":"gepard-1.0","transcript":"Hello!","voice":{"mode":"id","id":"<voice-id>"},"output_format":{"container": "wav", "encoding": "pcm_s16le", "sample_rate": 22050}}'With an SDK
from cartesia import Cartesia
client = Cartesia(
api_key="sk_996_your_api_key",
base_url="https://api.nineninesix.ai",
)import { Cartesia } from "@cartesia/cartesia-js";
const client = new Cartesia({
apiKey: "sk_996_your_api_key",
baseURL: "https://api.nineninesix.ai",
});Security Best Practices
- Never expose keys in client-side code — always call the API from your server
- Use environment variables to store keys (e.g.
NINENINESIX_API_KEY) - Rotate keys regularly — revoke old keys and generate new ones from the dashboard
- Use separate keys for development and production
Key Management
You can manage your API keys from the API Keys page:
- Create — generate a new key with a descriptive name
- Revoke — immediately disable a key (cannot be undone)
- Monitor — see when each key was last used