Hi, when initializing a vapi instance with the vapi-ai/web sdk, I'm wondering if it's secure. Anyone can just extract the vapi public key and start to do calls using it right? Any advice to secure my web application using the web sdk?

Hi pierreh, Yes, anyone with access to your public key can use the use that key technically (if you don't set up CORS), but that's why we allow you to set allowed origins on your public keys. You can create a new public key here and set the allowed origin to only your webapp:

thanks!

Marking this ticket as Solved ✅