Shpetim HaxhiuSHPito.devShpetim Haxhiu
Open navigation
Back to notes
Realtime securityChecklist5 min

Use ephemeral client secrets for browser Realtime sessions

A secure browser pattern for starting Realtime sessions without exposing your OpenAI API key.

Open source doc
Real example

Example: browser voice demo without exposing the API key

A product team wants a browser-based voice intake prototype. The quick but unsafe path would put the OpenAI API key in frontend code.

Create a server route that authenticates the user, creates a short-lived Realtime client secret, and returns only that secret to the browser. Keep business tools behind server APIs.

The browser can connect to Realtime while the long-lived API key and product permissions stay server-side.

ts
Ephemeral secret endpoint
export async function POST() {
  const session = await openai.realtime.sessions.create({
    model: "gpt-realtime",
    audio: { output: { voice: "alloy" } },
  });

  return Response.json({
    client_secret: session.client_secret.value,
    expires_at: session.client_secret.expires_at,
  });
}
Tutorial path

How to implement it

Step 01
Authenticate the user and verify they are allowed to start the voice workflow.
Step 02
Create the Realtime session secret from a server endpoint.
Step 03
Return only the short-lived client secret and session policy needed by the browser.
Step 04
Connect the browser session and keep business tools behind server endpoints.
Step 05
Expire or revoke local session state when the workflow ends.
Checklist

Ready when these are true

No long-lived key in browser
Server checks authorization
Session policy is scoped
Tools remain server-side
Session cleanup exists
Field notes

What matters in practice

01
A browser should never receive your long-lived OpenAI API key.
02
The server owns credential creation, session policy, and user authorization.
03
Short-lived client secrets reduce blast radius and make session scoping easier.
Avoid these mistakes

Common failure modes

01
Do not put a long-lived OpenAI key in browser code.
02
Do not create session secrets before checking user permissions.
03
Do not expose privileged tools directly to the browser session.
Practical tip
Treat Realtime browser sessions like signed upload URLs: short-lived, scoped, and created only after authorization.
Apply this to a build
Contact
Bring the workflow, deadline, and constraints.
Send the desired outcome, current bottleneck, users, and timeline. I will respond with a practical path for the build.
Email ShpetimLinkedInGitHub