Add VAPI to wordpress site
# support
a
When I add the web snippet to the site and check the source code, the VAPI API key and the assistant ID are plainly visible. How to tackle that? https://cdn.discordapp.com/attachments/1243678715129495683/1243678715674624090/Screenshot_2024-05-24_173306.png?ex=66525990&is=66510810&hm=971c113c18e3463f7f4650955a6aff729c72ad8046bd69c3df3fb3aa389a7884&
v
Hi @aimz, I'm an AI assistant for Vapi. I'll analyze available sources and get back to you shortly.
-----------------------------

**While I generate an answer, here are some sources that might be helpful**:

* [Voice Widget Example]()
* [Provider Keys]()
* [Web Calling]()
* [Vapi Python SDK]()

-----------------------------

### Answer

When incorporating the Vapi Voice Widget into your WordPress site, it's normal for the API key and the assistant ID to appear within the JavaScript snippet, as they are required for the widget to function correctly [(1)](). However, exposing these in publicly accessible code can pose security risks. Here are some measures to help mitigate potential security risks:

1. **Restrict API Key Permissions**: Ensure that the API key used in your website's frontend has limited permissions, only allowing operations that are absolutely necessary for the widget to function.
2. **Use Environment Variables**: If possible, set up your WordPress site in such a way that sensitive credentials like API keys can be stored in environment variables. This might require custom development or plugins that allow you to securely insert these variables into your JavaScript.
3. **Regularly Rotate API Keys**: Periodically change your API keys to minimize the risks associated with key exposure. This can be managed through the Vapi dashboard.
4. **Monitor and Audit**: Regularly monitor the usage of your API keys and review access logs to detect any unauthorized access or anomalies.

For integrating the Widget, you can follow the steps outlined in the installation guide from Vapi's documentation, which includes inserting the widget snippet correctly into your site's HTML. If you're concerned about the visibility of these keys, consider implementing server-side management of key functionalities where feasible, which might not be directly covered by the current Vapi setup but could be achieved with additional backend development.

For more detailed guidance, reviewing security best practices and consulting with a security professional might be beneficial.

1: [Voice Widget Example 🎧](https://docs.vapi.ai/examples/voice-widget#steps-for-installation)
c
You need to create a plugin that hides it.
m
Dang no native secrets
c
m
Webflow goated