Skip to main content
Every request to the TranscriptMagic API requires an API key, passed in the Authorization header. Each successful call deducts 1 credit from your account balance.

The header

Authorization: Bearer sk_live_your_api_key_here
That’s the whole protocol. No OAuth dance, no signed requests, no nonces. All keys begin with the sk_live_ prefix.

Getting a key

Create, view, and rotate keys on the API keys page in the dashboard. You can have multiple active keys at once — useful for separating environments (staging vs. production) or scoping access to a specific service.

Rotation and revocation

Revocation is instant. The moment you delete a key in the dashboard, every in-flight request using it returns 401 Unauthorized. Recommended pattern for rotation:
  1. Create the new key.
  2. Deploy the new key to your environment.
  3. Confirm requests succeed with the new key.
  4. Delete the old key.

What requires auth

Every endpoint under /api/ requires a valid bearer token starting with sk_live_. Requests without the header (or with a non-sk_live_ token) fall through to the anonymous code path and return 400 for missing device ID. Requests with a malformed or revoked sk_live_ key return 401 Unauthorized with body: 
{ "error": "Invalid API key" }
Once authenticated, requests against an account with no remaining credits return 403 Forbidden: 
{
  "error": "no_credits",
  "credits": 0,
  "message": "Out of credits. Please upgrade to continue."
}
Note that the error field is the machine-readable slug "no_credits", not a sentence — match on it programmatically. See errors for the full list.

Treat keys like secrets

API keys grant access to your credit balance. Keep them out of client-side code, public repos, and screenshots. Use environment variables or a secret manager. If you suspect a key is compromised, delete it immediately in the dashboard and create a new one.