Unable to get Azure Speech Service authorization token. REST API always returns 401 for Japan West region.

Hello @Lancy Wu ,

Welcome to Microsoft Q&A .Thank you for reaching out to us.

Thank you for providing the detailed context. Based on the behavior observed - HTTP 401 Unauthorized returned from both the authorization token endpoint and the voices list endpoint .The issue is most likely related to an endpoint, resource, region or Azure cloud environment mismatch rather than an issue with the Speech key itself. 

A Speech resource key is associated with a specific Azure resource and must be used with the corresponding endpoint for that resource. The Azure cloud environment, resource location, endpoint and resource type must all align.

Regarding if japanwest the correct region identifier for Japan West - Yes, japanwest is the correct region identifier for a Speech resource created in Japan West within Azure Public Cloud.

For a standalone Speech resource deployed in Azure Public Cloud Region: Japan West , the endpoint formats are:

1. Authorization token endpoint - POST https://japanwest.api.cognitive.microsoft.com/sts/v1.0/issueToken
2. Voices list endpoint - GET https://japanwest.tts.speech.microsoft.com/cognitiveservices/voices/list These endpoints are valid when the Speech resource itself exists in the corresponding Azure Public Cloud region.

Regarding the token endpoint use japanwest.api.cognitive.microsoft.com - For a standalone Speech resource created in Azure Public Cloud Japan West, the following endpoint format is correct - https://japanwest.api.cognitive.microsoft.com/sts/v1.0/issueToken

However, the correct endpoint depends on:

• Azure cloud environment
• Resource type
• Resource location

The location where an application is running is separate from the location where the Azure resource was created.

For example:

• An application running from China can still use a Speech resource hosted in Azure Public Cloud Japan West.
• A Speech resource created in Azure China must use Azure China endpoints.

If the Speech resource itself was created in Azure China (operated by 21Vianet), the endpoints are different.

Azure China uses: .azure.cn

instead of: .microsoft.com

Example Azure China endpoint formats

Authorization token endpoint - https://<region>.api.cognitive.azure.cn/sts/v1.0/issueToken

Text-to-Speech endpoint - https://<region>.tts.speech.azure.cn/cognitiveservices/v1

A key created for an Azure China resource cannot authenticate against Public Azure endpoints such as:

*.api.cognitive.microsoft.com

*.tts.speech.microsoft.com

This results in 401 Unauthorized Invalid subscription key or wrong API endpoint

Regarding standalone Speech Service vs Azure AI Services multi-service resource make a difference - Yes, the resource type affects the endpoint selection.

Standalone Speech resource - Resource type: - SpeechServices - Typically uses Speech regional endpoints, for example - https://<region>.api.cognitive.microsoft.com

Azure AI Services multi-service resource - Resource type - CognitiveServices - Uses the resource-specific endpoint shown under - Azure Portal > Resource >Keys and Endpoint

Example: https://<resource-name>.cognitiveservices.azure.com

Both resource types use - Ocp-Apim-Subscription-Key: <resource key>

The important requirement is that the key and endpoint must belong to the same resource and Azure cloud environment.

Resource type differences alone do not normally cause 401 errors; incorrect pairing between resource, key, and endpoint does.

A valid key can still return 401 when there is a mismatch between the key and endpoint.

Common causes include:

• The key belongs to a different Speech/Azure AI Services resource.
• The endpoint region does not match the resource location.
• An Azure China resource key is being used with Azure Public Cloud endpoints.
• The resource type and endpoint format do not match.
• The key was regenerated and an older key value is still configured.
• The endpoint was manually constructed instead of using the endpoint displayed in Azure Portal.

Additionally, authorization tokens are scoped to the endpoint that issued them. A token obtained from one endpoint should be used only with the corresponding service endpoint.

Please check if the following troubleshooting steps help-

1. Please open Azure Portal > Speech/Azure AI Services Resource > Keys and Endpoint Resource type:
   1. SpeechServices
   2. CognitiveServices
   Resource location:
   1. Japan West
   2. Azure China region
   Azure cloud environment:
   1. Azure Public Cloud
   2. Azure China
   3. Copy directly from the portal:
   • Endpoint
   • Key
   Please avoid manually constructing endpoints because the portal value represents the correct configuration for that resource. Validate the token request includes: Ocp-Apim-Subscription-Key: <resource key> Content-Type: application/x-www-form-urlencoded
2. Test both:
   1. Token endpoint
   2. Voices list endpoint
   If both endpoints continue returning 401, the issue is most likely a configuration mismatch rather than a Speech service availability issue.

To summarise:

1. japanwest is correct for a Speech resource created in Azure Public Cloud Japan West.
2. The token endpoint format is correct for that environment.
3. Standalone Speech and Azure AI multi-service resources use the same authentication model, but the endpoint must match the resource configuration.
4. The most probable cause could be - Azure China resource + Azure Public Cloud Japan West endpoint = 401 Unauthorized

The following references might be helpful , please check them out

• Supported regions for Azure Speech - Foundry Tools | Microsoft Learn
• Sovereign Clouds - Speech service - Foundry Tools | Microsoft Learn
• Authentication in Foundry Tools - Foundry Tools | Microsoft Learn
• Text to speech API reference (REST) - Speech service - Foundry Tools | Microsoft Learn
• Troubleshoot the Speech SDK - Speech service - Foundry Tools | Microsoft Learn  

Thank you

Please "Accept" the answer with an "Upvote" if the response was helpful. This will be benefitting other community members who face the same issue.

Hello Lancy Wu,

Greetings! Thanks for raising this question in the Q&A forum.

Don't worry this is a very common issue and the good news is it's almost always caused by one of a few easy-to-fix mismatches. Let me walk you through everything clearly.

Why is this happening?

A 401 error from Azure Speech Service almost always means either the API key is being used on the wrong endpoint, the region identifier in the URL doesn't match where your resource was actually created, or there's a mismatch between a multi-service resource key and a standalone Speech resource endpoint. Let me answer each of your questions directly and then give you the fix.

Answering your questions one by one:

1. Is japanwest the correct region identifier?

Yes, japanwest is the correct short region identifier for Japan West. Your token and TTS endpoint URLs look correctly formed for that region.

2. Should the token endpoint be japanwest.api.cognitive.microsoft.com?

Yes, that is the correct format for a standalone Speech Service resource. However, if your resource was created as an Azure AI Services multi-service resource, the token endpoint and key behavior are different — which leads us to question 3.

3. Standalone Speech resource vs Azure AI Services multi-service resource — does it matter?

Yes, it matters a lot! This is the most likely root cause of your 401. Here's the difference:

• If you created a standalone Speech resource, your key works directly with japanwest.api.cognitive.microsoft.com/sts/v1.0/issueToken
• If you created an Azure AI Services (multi-service) resource, the key is different and must be used with the multi-service endpoint, not the Speech-specific one. Using a multi-service key on a Speech-only endpoint will always return 401.

4. Why would a valid key from the portal return 401?

The most common reasons are:

• You may be copying Key 1 but accidentally using it on the wrong resource type endpoint
• There could be a copy-paste issue with the key (extra spaces or characters)
• The resource might actually be in a slightly different region than expected

Here's your step-by-step fix:

1. Go to the Azure Portal https://portal.azure.com and open your Speech or Azure AI Services resource.
2. Check the resource type look at the top of the resource overview page. It will say either "Speech" (standalone) or "Azure AI Services" (multi-service). Note this carefully.

Under the resource, go to "Keys and Endpoint" on the left menu. Copy Key 1 fresh from here — avoid copy-pasting from anywhere else.

Also on that same page, note the Endpoint URL shown — use that exact region identifier from the endpoint URL in your API calls, not an assumed one.

Now test using the correct endpoint based on your resource type:

For a standalone Speech resource, use:

POST https://japanwest.api.cognitive.microsoft.com/sts/v1.0/issueToken
Header: Ocp-Apim-Subscription-Key: <your key>

For an Azure AI Services multi-service resource, use:

POST https://japanwest.api.cognitive.microsoft.com/sts/v1.0/issueToken
Header: Ocp-Apim-Subscription-Key: <your multi-service key>

But also make sure the resource is in Japan West and not another region.

As a quick sanity check, try calling the voices list endpoint directly with your key:

GET https://japanwest.tts.speech.microsoft.com/cognitiveservices/voices/list
Header: Ocp-Apim-Subscription-Key: <your key>

If this still returns 401, the key and region are definitely mismatched.

Since you mentioned you are actually using this from the Chinese region — please note that if you are accessing Azure from China (Azure China / 21Vianet), the endpoints are completely different. Azure China uses azure.cn based endpoints, not the global azure.com ones. If that is your case, please let us know and we can share the correct China-specific endpoint format for Speech Service.

As a helpful tip the safest way to confirm your exact endpoint is to go to Keys and Endpoint in the Azure portal for your resource. The portal always shows the exact correct endpoint for your resource's region and type. Use that as your base URL rather than constructing it manually.

If this answer helps you kindly accept the answer which will help others who have similar questions.

Best Regards,

Jerald Felix.