How to integrate convai-web-sdk on my hosted frontend securely?

I’m currently on the Indie Dev plan and integrating Convai’s voice features into a web application using the convai-web-sdk. Everything works well in development, but I’ve run into a security concern.

Right now, the SDK requires me to pass in my personal API key like this:

convaiClient.current = new ConvaiClient({
  apiKey: "your-api-key",
  characterId: "your-character-id",
  enableAudio: true
});

This setup is fine for local development, but I obviously can’t expose my personal API key when deploying the frontend publicly.

Is there a recommended way to securely use the Web SDK in production? For example:

  • Can I generate temporary or limited-scope API keys for users?
  • Is there a backend authorization flow you suggest for this use case (maybe upgrade to another plan or use another sdk)?

I’d really appreciate any guidance on how to keep my web app secure while leveraging Convai’s functionality effectively.

Hello @Michael,

Welcome to the Convai Developer Forum.

Thanks for your feedback and for bringing up this important point.

Yes, you’re absolutely right to be cautious. Exposing your API key on the frontend is not recommended for production use. We’re aware of this limitation, and our team is actively working on a secure solution.

We’ll be rolling out updates addressing this soon and will inform you as soon as it’s available.

Thanks again for your input! It really helps us improve!