Akram K.
05/10/2024, 3:05 PM
<script>
  var vapiInstance = null;
  const assistant = "<assistant_id>"; // Substitute with your assistant ID
  const apiKey = "<your_public_api_key>"; // Substitute with your Public key from Vapi Dashboard.
  const buttonConfig = {}; // Modify this as required

  // Inject the Vapi web SDK script tag before the first <script> on the page,
  // then start the widget once the SDK has loaded.
  (function (d, t) {
    var g = document.createElement(t),
      s = d.getElementsByTagName(t)[0];
    g.src =
      "https://cdn.jsdelivr.net/gh/VapiAI/html-script-tag@latest/dist/assets/index.js";
    g.defer = true;
    g.async = true;
    s.parentNode.insertBefore(g, s);
    g.onload = function () {
      vapiInstance = window.vapiSDK.run({
        apiKey: apiKey, // mandatory
        assistant: assistant, // mandatory
        config: buttonConfig, // optional
      });
    };
  })(document, "script");
</script>
Is it really a good idea exposing your public API key like this? As far as I can see, a user can get your API key by simply inspecting the web page source.
Then he can use it to build a script for spamming your voice assistant, or even integrating it on his own website claiming it as his own while you are paying the costs....
Is this the case or am I understanding something wrong?

Vapi Support
05/10/2024, 3:05 PM
Origin header, preventing unauthorized domains from using your key.
2. **Assistant ID Restriction**: It is possible to restrict your public key to only work with a specific assistantId, preventing the creation of transient assistants.
3. **Backend Verification with JWT**: For more sensitive operations, you can require that requests from your frontend are accompanied by a JWT (JSON Web Token) that you sign in your backend with your Vapi private key. The JWT is then verified by Vapi's backend to ensure it was signed with the correct key before proceeding with the request. This process effectively ties the action to a logged-in user, assuming your backend only signs tokens for authenticated sessions.
These measures help ensure that your public key cannot be misused even if it is visible in your frontend code. It's always important to follow best practices for security and to use the features provided by your service providers to protect your applications.

Vapi Support
05/10/2024, 3:09 PM

Akram K.
05/10/2024, 3:10 PM