Securing API key in production web app

I'm currently trying out Convai using the web SDK to create a simple web app. I have noticed a pretty big issue, which is that the web SDK exposes the API key to the client. The readme in the npm package states to store the API key as an environment variable “VITE_CONVAI_API_KEY”, but per the Vite documentation, “Variables prefixed with VITE_ will be exposed in client-side source code after Vite bundling”.

I've looked at alternative implementations - PlayCanvas, Unity web app - and they seem to have the same issue with exposing the API key to the client.

Is it possible to create a web app, using the web SDK or another method, where the API key is secure?

Looking at the @convai/web-sdk node package there are frequent references to using an auth token instead of an API key, but no documentation on this exists? Is it possible to use an auth token flow? Is there an endpoint we can hit with the API key to obtain an auth token?

Finally, is it possible to scope an API key to limit the kinds of calls it can make?
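
A build-time check for the exposure described in the post, added here as an example (not part of the original post and not Convai or Vite code): it reports secret-looking `VITE_` variables whose values appear in the bundled output. The name heuristic, the `scanDist` helper, and the sample `.env` and bundle contents are constructed assumptions.

```javascript
// Added example: heuristic for variable names that look like secrets (an assumption).
const SECRET_NAME = /(KEY|TOKEN|SECRET|PASSWORD)/i;

// Parse KEY=value lines from .env text; full-line comments and blanks are skipped.
function parseEnv(text) {
  const vars = {};
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (!m) continue;
    vars[m[1]] = m[2].trim().replace(/^(['"])(.*)\1$/, "$2"); // strip matching quotes
  }
  return vars;
}

// One finding per secret-looking VITE_ variable, with the bundle files containing its value.
function findExposedSecrets(envText, bundleFiles) {
  const findings = [];
  for (const [name, value] of Object.entries(parseEnv(envText))) {
    if (!name.startsWith("VITE_") || !SECRET_NAME.test(name) || value.length < 8) continue;
    const files = Object.keys(bundleFiles).filter((f) => bundleFiles[f].includes(value));
    findings.push({ name, inBundle: files.length > 0, files });
  }
  return findings;
}

// Hypothetical helper: scan a real build directory (paths are assumptions; Node 20+).
async function scanDist(envPath = ".env", distDir = "dist") {
  const fs = await import("node:fs");
  const path = await import("node:path");
  const bundle = {};
  for (const entry of fs.readdirSync(distDir, { recursive: true })) {
    const p = path.join(distDir, entry);
    if (fs.statSync(p).isFile() && /\.(js|mjs|html)$/.test(p)) bundle[p] = fs.readFileSync(p, "utf8");
  }
  return findExposedSecrets(fs.readFileSync(envPath, "utf8"), bundle);
}

// Constructed sample input: the key value below is made up for illustration.
const sampleEnv = [
  "VITE_CONVAI_API_KEY=constructed-key-0123456789",
  "VITE_APP_TITLE=Demo",
  "BACKEND_SIGNING_SECRET=constructed-server-only-value",
].join("\n");
const sampleBundle = {
  "assets/index-abc123.js": 'const k="constructed-key-0123456789";fetch(u,{headers:{k}});',
  "assets/vendor-def456.js": "export const version=1;",
};
console.log(findExposedSecrets(sampleEnv, sampleBundle));
```

Running `scanDist()` after a build and failing CI when any finding has `inBundle: true` catches the case before deployment.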