Is there a way to limit who can use your public ke...
# support
a
I'm currently trying to embed a voice agent into my website. And all the Vapi resources I can find say that you should use your public key in the frontend, like this example:
<script>
  var vapiInstance = null;
  const assistant = "<assistant_id>"; // Substitute with your assistant ID
  const apiKey = "<your_public_api_key>"; // Substitute with your Public key from Vapi Dashboard.
  const buttonConfig = {}; // Modify this as required

  (function (d, t) {
    var g = document.createElement(t),
      s = d.getElementsByTagName(t)[0];
    g.src =
      "https://cdn.jsdelivr.net/gh/VapiAI/html-script-tag@latest/dist/assets/index.js";
    g.defer = true;
    g.async = true;
    s.parentNode.insertBefore(g, s);

    g.onload = function () {
      vapiInstance = window.vapiSDK.run({
        apiKey: apiKey, // mandatory
        assistant: assistant, // mandatory
        config: buttonConfig, // optional
      });
    };
  })(document, "script");

</script>
Is it really a good idea exposing your public API key like this? As far as I can see, a user can get your API key by simply inspecting the web page source. Then he can use it to build a script for spamming your voice assistant, or even integrate it into his own website, claiming it as his own while you are paying the costs. Is this the case or am I understanding something wrong?
v
Hi @Akram K., I'm an AI assistant for Vapi. I'll analyze available sources and get back to you shortly.
-----------------------------
**While I generate an answer, here are some sources that might be helpful**:
* Voice Widget Example
* Vapi Python SDK
* Provider Keys
* Vapi Flutter SDK
-----------------------------
### Answer

Your concerns about exposing your public API key are valid and it's great that you're considering security implications. Vapi provides mechanisms to restrict the use of your public key to mitigate these risks:

1. **Domain Restriction**: You can restrict your public key so it only works from specified domains. This is accomplished through browser restrictions on the `Origin` header, preventing unauthorized domains from using your key (1).
2. **Assistant ID Restriction**: It is possible to restrict your public key to only work with a specific `assistantId`, preventing the creation of transient assistants.
3. **Backend Verification with JWT**: For more sensitive operations, you can require that requests from your frontend are accompanied by a JWT (JSON Web Token) that you sign in your backend with your Vapi private key. The JWT is then verified by Vapi's backend to ensure it was signed with the correct key before proceeding with the request. This process effectively ties the action to a logged-in user, assuming your backend only signs tokens for authenticated sessions.

These measures help ensure that your public key cannot be misused even if it is visible in your frontend code. It's always important to follow best practices for security and to use the features provided by your service providers to protect your applications.
Got it. Tagging @User for additional help.
a
Is there a solution that does not require you build your own backend?