Secure direct client session

[tstewart-klaudhaus]

Please read this first

• Have you read the docs? Yes
• Have you searched for related issues? yes

Describe the feature

I asked ChatGPT about securing sessionKey in realtime API to enable web-based voice agents with full VAD without needing an intermediate SFU/MCU media server. It would reduce complexity, cost and latency in online agents.

It made a number of suggestions about how this could be handled within the OpenAI API / SDK itself, but nothing that currently works. The suggestions were:

What Would Be Needed
To make this viable, OpenAI would need to:

Allow short-lived, thread-scoped access tokens (ideally JWT or presigned URLs).

Support custom headers or query parameters for client-side auth.

Possibly integrate OAuth2 or federated identity systems to delegate auth securely.

ChatGPT also pointed out that:

Because there’s a material security concern with client-controlled models and session keys, OpenAI may be motivated to enhance their system.

So my question is - is this something that OpenAI is looking at?

[seratch]

Hi @tstewart-klaudhaus, thanks for asking this question.

We don't have anything to share about potential client-side-only sessions. Thus, our recommendation is still to have a simple server endpoint that handles token creation:

• https://github.com/openai/openai-agents-js/blob/v0.0.14/examples/realtime-next/src/app/page.tsx#L141-L146
• https://github.com/openai/openai-agents-js/blob/v0.0.14/examples/realtime-next/src/app/server/token.tsx

Hope this clarifies things.

[tstewart-klaudhaus]

Yeah, that's what I'm doing, getting a session token from my server (which uses OpenAI API key and the realtime API to obtain client_secret.value), and making it available to my front-end, equivalent to the Nextjs app example you mention.

What I'm not clear on is the scope limitations of the issued client secret. If obtained (e.g. through JS breakpoint) could it be used to start new realtime sessions and "piggyback" on my OpenAI API account?

[seratch]

The client_secret.value is an ephemeral key, which can only be used to start a new real-time session. Even if the ephemeral key is stolen from your website due to its JS security issue, it does not allow the actor to utilize the rest of OpenAI platform capabilities using your OPENAI_API_KEY.

[tstewart-klaudhaus]

Thanks Seratch, I have done some further testing and can see that it is possible to take a client_secret.value that has been used to create a real-time session and use it again to create multiple new real-time sessions in a completely different context. However it does seem we can mitigate that. The token has a default expiry time in the region of 5 minutes, and this can be customised in the API call which obtains the token.

It would be great if there were some extra available security factors such as key signing, maximum session count etc.