Authenticate to the Speech API

Speech Service supports authentication by using:

  • A subscription key.
  • An authorization token.

Use a subscription key

To use Speech Service, you must first subscribe to the Speech API that's part of Cognitive Services (previously Project Oxford). You can get free trial subscription keys from the Cognitive Services subscription page. After you select the Speech API, select Get API Key to get the key. It returns a primary and secondary key. Both keys are tied to the same quota, so you can use either key.

For long-term use or an increased quota, sign up for an Azure account.

To use the Speech REST API, you need to pass the subscription key in the Ocp-Apim-Subscription-Key field in the request header.

Name Format Description

The following is an example of a request header:

Accept: application/json;text/xml
Content-Type: audio/wav; codec=audio/pcm; samplerate=16000
Ocp-Apim-Subscription-Key: YOUR_SUBSCRIPTION_KEY
Transfer-Encoding: chunked
Expect: 100-continue


If you use client libraries in your application, verify that you can get the authorization token with your subscription key, as described in the following section. The client libraries use the subscription key to get an authorization token and then use the token for authentication.

Use an authorization token

Alternatively, you can use an authorization token for authentication as proof of authentication/authorization. To get this token, you must first obtain a subscription key from the Speech API, as described in the preceding section.

Get an authorization token

After you have a valid subscription key, send a POST request to the token service of Cognitive Services. In the response, you receive the authorization token as a JSON Web Token (JWT).


The token has an expiration of 10 minutes. To renew the token, see the following section.

The token service URI is located here:

The following code sample shows how to get an access token. Replace YOUR_SUBSCRIPTION_KEY with your own subscription key:

$FetchTokenHeader = @{
  'Content-Length'= '0';
  'Ocp-Apim-Subscription-Key' = 'YOUR_SUBSCRIPTION_KEY'

$OAuthToken = Invoke-RestMethod -Method POST -Uri -Headers $FetchTokenHeader

# show the token received

The following is a sample POST request:

Ocp-Apim-Subscription-Key: YOUR_SUBSCRIPTION_KEY
Content-type: application/x-www-form-urlencoded
Content-Length: 0
Connection: Keep-Alive

If you cannot get an authorization token from the token service, check whether your subscription key is still valid. If you are using a free trial key, go to the Cognitive Services subscription page, click on "Log in" to login using the account that you used for applying the free trial key, and check whether the subscription key is expired or exceeds the quota.

Use an authorization token in a request

Each time you call the Speech API, you need to pass the authorization token in the Authorization header. The Authorization header must contain a JWT access token.

The following example shows how to use an authorization token when you call the Speech REST API.


Replace YOUR_AUDIO_FILE with the path to your prerecorded audio file. Replace YOUR_ACCESS_TOKEN with the authorization token you got in the previous step Get an authorization token.

$SpeechServiceURI =

# $OAuthToken is the authrization token returned by the token service.
$RecoRequestHeader = @{
  'Authorization' = 'Bearer '+ $OAuthToken;
  'Transfer-Encoding' = 'chunked'
  'Content-type' = 'audio/wav; codec=audio/pcm; samplerate=16000'

# Read audio into byte array
$audioBytes = [System.IO.File]::ReadAllBytes("YOUR_AUDIO_FILE")

$RecoResponse = Invoke-RestMethod -Method POST -Uri $SpeechServiceURI -Headers $RecoRequestHeader -Body $audioBytes

# Show the result

Renew an authorization token

The authorization token expires after a certain time period (currently 10 minutes). You need to renew the authorization token before it expires.

The following code is an example implementation in C# of how to renew the authorization token:

     * This class demonstrates how to get a valid O-auth token.
    public class Authentication
        public static readonly string FetchTokenUri = "";
        private string subscriptionKey;
        private string token;
        private Timer accessTokenRenewer;

        //Access token expires every 10 minutes. Renew it every 9 minutes.
        private const int RefreshTokenDuration = 9;

        public Authentication(string subscriptionKey)
            this.subscriptionKey = subscriptionKey;
            this.token = FetchToken(FetchTokenUri, subscriptionKey).Result;

            // renew the token on set duration.
            accessTokenRenewer = new Timer(new TimerCallback(OnTokenExpiredCallback),

        public string GetAccessToken()
            return this.token;

        private void RenewAccessToken()
            this.token = FetchToken(FetchTokenUri, this.subscriptionKey).Result;
            Console.WriteLine("Renewed token.");

        private void OnTokenExpiredCallback(object stateInfo)
            catch (Exception ex)
                Console.WriteLine(string.Format("Failed renewing access token. Details: {0}", ex.Message));
                    accessTokenRenewer.Change(TimeSpan.FromMinutes(RefreshTokenDuration), TimeSpan.FromMilliseconds(-1));
                catch (Exception ex)
                    Console.WriteLine(string.Format("Failed to reschedule the timer to renew access token. Details: {0}", ex.Message));

        private async Task<string> FetchToken(string fetchUri, string subscriptionKey)
            using (var client = new HttpClient())
                client.DefaultRequestHeaders.Add("Ocp-Apim-Subscription-Key", subscriptionKey);
                UriBuilder uriBuilder = new UriBuilder(fetchUri);
                uriBuilder.Path += "/issueToken";

                var result = await client.PostAsync(uriBuilder.Uri.AbsoluteUri, null);
                Console.WriteLine("Token Uri: {0}", uriBuilder.Uri.AbsoluteUri);
                return await result.Content.ReadAsStringAsync();