Security concerns
# support
Hi, I'm using SDK to build web-based app. It seems I have to disclose public key on the client side. It will allow user to configure my assistant without the permission. Help me understand if I miss something.
Hi @wehead_ilya, I'm an AI assistant for Vapi. I'll analyze available sources and get back to you shortly.
----------------------------- **While I generate an answer, here are some sources that might be helpful**: * [Client SDKs]() * [Web SDK]() * [Pizza Website Example]() * [Vapi Web SDK]() -----------------------------
### Answer Understanding your security concerns, Vapi has implemented measures to mitigate the risks associated with exposing your public key in a client-side environment. To address the specific concern of unauthorized usage of your assistants and incurring unwanted charges, Vapi allows you to: 1. Restrict your public key to your domain. This is done through browser mechanisms that prevent websites from altering their header Origin, ensuring that calls made using your public key can only originate from your specified domain [(1)]() . 2. Restrict your public key to work only with a specific assistantId, disallowing the creation of transient assistants with your public key. This means that only pre-defined assistants that you've created and specified can be used, further controlling the usage of your resources. 3. Use JWT for enhanced security. You can sign a JWT in your backend with your Vapi private key if the user is logged in. This JWT is then passed to the Web SDK, which Vapi's backend verifies to ensure it was signed by the correct key. This method requires you to get in touch with Vapi support to set it up but offers a strong layer of security by tying API actions to verified user sessions. These measures are designed to give you control over how your public key is used, ensuring that your Vapi resources are protected against unauthorized access and usage.
1. Restrict your public key to your domain. Browsers don't let websites change their header Origin 2. Restrict your public key to only work with assistantId, disallowing transient assistants 3. You sign a JWT in your backend with your vapi private key if the user is logged in and pass that to our Web SDK. In our BE, we check if signed by the right key. Need to document this but for now if anyone needs just email and we'll turn it on / send CURL
Hi @Sahil I also have the same concern. Have I understood your reply that the only current solution is the build your own backend API for protecting your public key? Because I haven't found any settings in my Vapi dashboard.
Yeah, you can just mail me your organisation id followed by the assistant_id and your site origin I will provide you an restricted public key which will be accessible for that particular assistant only
@Sahil Ok, thanks for a quick reply! What is the email address?