API Reference

The 44 JSON API lets you create recording sessions for uploading audio.

Authentication

There are two types of API keys, each suited for different use cases:

Secret keys (44sk_...)

Secret keys are used server-side only to create recording sessions and manage resources. Never expose secret keys in client-side code.

Pass your secret key as a Bearer token:

HTTP
Authorization: Bearer 44sk_your_secret_key

Scopes

Secret keys are scoped to limit which API actions they can perform. At least one scope is required when creating a secret key.

Scope Description
sessions:write Create recording sessions
recordings:delete Delete recordings

If a request requires a scope the token doesn't have, the API returns:

JSON
{
  "ok": false,
  "error": "insufficient_scope",
  "message": "This token does not have the required scope: sessions:write"
}

Publishable keys (44pk_...)

Publishable keys are designed for client-side use — embed them directly in your frontend code. They are scoped by allowed domains and rate-limited, so they're safe to expose in a browser.

Publishable keys are passed as the sessionId field when uploading recordings.

Endpoints

Create a recording session

Creates a one-time session ID used to upload a recording.

Required scope: sessions:write

HTTP
POST https://api.44.audio/v1/recordings/sessions
Authorization: Bearer 44sk_your_secret_key
Content-Type: application/json

Request body (all fields optional):

JSON
{
  "maxDuration": 30000,
  "labels": ["feedback", "onboarding"],
  "expiresIn": 3600000
}
Field Type Description
maxDuration integer Maximum recording length in milliseconds
labels string[] Labels to attach to any recording uploaded with this session
expiresIn integer Session lifetime in milliseconds (default: 3600000 — 1 hour)

Response:

JSON
{
  "sessionId": "44sess_abc123...",
  "expiresAt": "2025-01-15T12:00:00Z"
}

Delete a recording

Soft-deletes a recording. The recording will no longer appear in listings or be accessible via the player/audio endpoints. Requires a secret key — the recording must belong to the same project as the key.

Required scope: recordings:delete

HTTP
DELETE https://api.44.audio/v1/recordings/{recordingId}
Authorization: Bearer 44sk_your_secret_key

Path parameters:

Parameter Type Description
recordingId string The global recording ID to delete

Response:

JSON
{
  "ok": true
}

Returns 404 if the recording does not exist or does not belong to the authenticated project.

Content Security Policy (CSP)

If your site sends a Content-Security-Policy header, add these domains so the components can load scripts, fetch recording data, and play audio:

Directive Domain Reason
script-src https://cdn.jsdelivr.net Loading components via CDN
connect-src https://api.44.audio API calls (upload, status, metadata)
media-src https://audio.44.audio Audio file playback

The connect-src and media-src directives are always required since the components fetch recording data and audio from 44 Audio's servers.

Publishable Keys

Publishable keys let you skip session creation entirely — upload recordings directly from the browser without a server-side step.

How they work

Instead of creating a session server-side and passing the session ID to the client, you embed your publishable key directly:

HTML
<fortyfour-recorder session-id="44pk_your_publishable_key"></fortyfour-recorder>

Or when using the API directly, pass it as the sessionId in your upload form data.

Security

Publishable keys are protected by:

  • Domain restrictions — only works from your allowed origins (configured in your token settings)
  • Rate limiting — per-token, per-IP limits to prevent abuse
  • Max duration — enforces a maximum recording length (configured in your token settings)

When to use publishable keys vs sessions

Use case Recommended approach
Simple frontend-only integration Publishable key
Per-recording labels or metadata Session (labels set at creation)
Custom session expiration Session
No backend available Publishable key
Maximum control over each upload Session