To summarize our convo, you can:
1. Restrict your public key to your domain. Browsers don't let websites change their Origin header.
2. Restrict your public key to work only with an assistantId, disallowing transient assistants.
3. You sign a JWT in your backend with your Vapi private key if the user is logged in and pass that to our Web SDK. In our BE, we check whether it was signed by the right key.
We need to document this, but for now, if anyone needs it, just email support@vapi.ai and we'll turn it on / send a cURL.