Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Best Practices for Securing Gemini API Key in Production? #9

Closed
laosuan opened this issue Dec 18, 2024 · 1 comment
Closed

Best Practices for Securing Gemini API Key in Production? #9

laosuan opened this issue Dec 18, 2024 · 1 comment

Comments

@laosuan
Copy link

laosuan commented Dec 18, 2024

Found a note in code: "do not send gemini-api-key in production (key will be exposed to the client.)"

Need guidance on:

  1. What's the recommended way to handle Gemini API keys securely?
  2. Are there any example patterns or best practices we can follow?

Reference:
OpenAI provides an ephemeral API token solution (https://platform.openai.com/docs/api-reference/realtime-sessions/create). Does Gemini have similar solutions or what alternatives are recommended?

Looking forward to any suggestions on secure implementation.
@dselman dselman mentioned this issue Jan 2, 2025
Open
@mattieruth
Copy link

Oh wait! You are the same person :) -- I'll paste what I put in the other thread here for completeness. I think it covers your needs in this issue as well:

Hi! We tried to be transparent about the gemini transport and how it is not meant to be used for production. We have callouts in the top-most README of this repo and in our docs. Perhaps they need to be louder. The idea behind this particular transports is for quick and easy client-side development and testing with these APIs. For some developers, it's easier to start with a client app and then build the server-side components. This allows that approach. But for any secure handling, a server component is required and developers will have to cross that bridge.

Currently, the DailyTransport is the only out-of-the-box transport we've built that supports server-side security. With this transport, you would create an endpoint that kicks off a Pipecat pipeline which includes a corresponding Daily Transport and the Gemini service and returns the Daily call authentication information for joining (a room url and token). This is our recommended approach in general for production. The best simplified example of this is the simple-chatbot example in Pipecat.

For OpenAi's RealTime API, you have an alternative, which is to use their ephemeral token approach where you build a simple server endpoint to generate the ephemeral token and return it. This does require a modification to the GeminiLiveWebsocketTransport so that the API key is passed as part of connect() instead of the constructor, but should be fairly trivial.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mattieruth @laosuan