Starting Web Calls w/ Public Key
# support
b
Since we can start calls from the web w/ our account public key — how do we prevent bad actors from using our assistants & incurring charges elsewhere, etc.?
The flow I'm currently considering is starting calls on the server, then passing the assistant ID on the client ... but then shouldn't I provide a call ID on the client?
Looks like even with the assistant ID a call is created — so the flows cannot be split to keep call creation private.
n
To summarize our convo, you can: 1. Restrict your public key to your domain. Browsers don't let websites change their header Origin 2. Restrict your public key to only work with assistantId, disallowing transient assistants 3. You sign a JWT in your backend with your vapi private key if the user is logged in and pass that to our Web SDK. In our BE, we check if signed by the right key. Need to document this but for now if anyone needs just email support@vapi.ai and we'll turn it on / send CURL