Starting Web Calls w/ Public Key
# support
Since we can start calls from the web w/ our account public key — how do we prevent bad actors from using our assistants & incurring charges elsewhere? etc
The flow I'm currently considering is starting calls on the server then passing the assistant id on the client ... but then shouldn't I provide a callid on the client?
looks like even with the assistant id a call is created — so the flows cannot be split to keep call creation private
To summarize our convo, you can: 1. Restrict your public key to your domain. Browsers don't let websites change their header Origin 2. Restrict your public key to only work with assistantId, disallowing transient assistants 3. You sign a JWT in your backend with your vapi private key if the user is logged in and pass that to our Web SDK. In our BE, we check if signed by the right key. Need to document this but for now if anyone needs just email and we'll turn it on / send CURL