Available Restrictions and Features

Safe Handling of API Keys

API keys can be misused if leaked. Embedding API keys in applications may allow malicious third parties to extract them. In general, do not send your API keys to machines of application users. It is recommended to use restricted API keys to minimize the impact even if they are leaked.

caution

• Especially for web applications, avoid writing API keys in HTML or JavaScript as they can be viewed by website users.
• If embedding API keys in applications is unavoidable, obfuscate or encrypt them. This makes it more difficult to extract API keys from applications.
• API keys that accounts created before the MyPage renewal on 2025/06/30 initially possess cannot be deleted. To delete them, you need to cancel your membership and create a new account.
• API keys issued on MyPage after the MyPage renewal on 2025/06/30 can be manually deleted on MyPage.
• API keys issued using the API Key Issuance API cannot be deleted.

Restrictions and Features That Can Be Applied to API Keys

When issuing a new API key, you can apply the following restrictions and features. Here we explain the characteristics of each. For how to apply them, please see How to Issue API Keys. Note that these cannot be applied to already issued API keys.

• Expiration Date
• IP Address Restriction
• API Key Issuance Feature

Expiration Date

An expiration date can be set for API keys. This can be applied when issuing on MyPage or using the API Key Issuance API.

When specifying the expiration, you can either set a specific date or specify a valid period in days, etc. By not setting an expiration date, you can issue an API key with no time limit.

Using API Keys with Expiration Dates in the Asynchronous HTTP Interface

When using API keys with expiration dates in the Asynchronous HTTP interface, set the expiration date sufficiently far in the future. Typically, it takes a few minutes for speech recognition to start. Also, in rare cases during congestion, it may pause once and restart, requiring authentication even during recognition.

Note that for the Asynchronous HTTP interface, it is possible to use different API keys (but from the same account) for creating a speech recognition job and for checking the job status or retrieving results.

IP Address Restriction

API keys can be restricted to be usable only when accessed from specific IP addresses. This can be applied when issuing on MyPage or using the API Key Issuance API.

You can specify a single IP address, multiple IP addresses, or a range of IP addresses.

API Key Issuance Feature

A feature can be added to API keys allowing them to be used for authentication in place of the service ID (sid) and service password (spw) when making requests to the API Key Issuance API. This can only be applied when issuing API keys on MyPage.

In case the authentication information used with the API Key Issuance API is leaked, the service ID and service password cannot be changed. If you absolutely need to change them, you must cancel your membership and create a new account. On the other hand, API keys issued on MyPage can be deleted. Also, since expiration dates and IP address restrictions can be set for API keys, you can use the API Key Issuance API more securely.