Implement proper ephemeral key generation for OpenAI Realtime API

vijaythecoder · claude · vijaythecoder · commit aeb35c6826bd · 2025-07-14T16:23:25.000-05:00
- Replace direct API key exposure with secure ephemeral key generation
- Make server-side POST request to OpenAI /v1/realtime/sessions endpoint
- Return temporary ephemeral key that expires after 1-2 hours
- Keep API key secure on server, never expose to frontend
- Return session ID and expiration timestamp with ephemeral key

This follows OpenAI's security best practices for client-side applications

Co-Authored-By: Claude &lt;noreply@anthropic.com&gt;
diff --git a/app/Http/Controllers/RealtimeController.php b/app/Http/Controllers/RealtimeController.php
@@ -4,6 +4,7 @@
 
 use App\Services\ApiKeyService;
 use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Http;
 use Illuminate\Support\Facades\Log;
 
 class RealtimeController extends Controller
@@ -30,13 +31,29 @@ public function generateEphemeralKey(Request $request)
                 ], 422);
             }
 
-            // Return the actual API key for now
-            // OpenAI Realtime API uses the API key directly in WebSocket connection
+            // Generate ephemeral key from OpenAI Realtime API
+            $response = Http::withHeaders([
+                'Authorization' => 'Bearer ' . $apiKey,
+                'Content-Type' => 'application/json',
+            ])->post('https://api.openai.com/v1/realtime/sessions', [
+                'model' => 'gpt-4o-realtime-preview-2024-12-17',
+                'voice' => $request->input('voice', 'alloy'),
+            ]);
+
+            if (!$response->successful()) {
+                Log::error('OpenAI API error: ' . $response->body());
+                throw new \Exception('Failed to generate ephemeral key from OpenAI: ' . $response->status());
+            }
+
+            $data = $response->json();
+            
+            // Return ephemeral key data
             return response()->json([
                 'status' => 'success',
-                'ephemeralKey' => $apiKey, // Use actual API key
-                'expiresAt' => now()->addMinutes(60)->toIso8601String(),
-                'model' => 'gpt-4o-realtime-preview-2024-12-17',
+                'ephemeralKey' => $data['client_secret']['value'],
+                'expiresAt' => $data['client_secret']['expires_at'],
+                'sessionId' => $data['id'],
+                'model' => $data['model'],
             ]);
 
         } catch (\Exception $e) {
