The Problem:
Right now, ephemeral tokens connect clients directly to OpenAI's WebRTC endpoints for up to 60 minutes. Once we hand the token to the client, our backend loses all control. A bad actor can scrape the token, bypass our frontend timers, and run up an hour of gpt-realtime-2 compute on our dime, and we have no way to forcefully disconnect them.
The Solution:
Add a max_duration_seconds parameter to the POST /v1/realtime/sessions endpoint.
Example:
{
"model": "gpt-realtime-2",
"max_session_duration_seconds": 900,
"voice": "alloy"
}
When the WebRTC connection hits that limit, OpenAI's servers should automatically drop the peer connection. We need a server-side leash for production safety.
The Problem:
Right now, ephemeral tokens connect clients directly to OpenAI's WebRTC endpoints for up to 60 minutes. Once we hand the token to the client, our backend loses all control. A bad actor can scrape the token, bypass our frontend timers, and run up an hour of gpt-realtime-2 compute on our dime, and we have no way to forcefully disconnect them.
The Solution:
Add a max_duration_seconds parameter to the POST /v1/realtime/sessions endpoint.
Example:
When the WebRTC connection hits that limit, OpenAI's servers should automatically drop the peer connection. We need a server-side leash for production safety.