Skip to content

Add server-side max_session_duration_seconds to Ephemeral Tokens (Realtime API) #1278

Description

@fastfret888

The Problem:
Right now, ephemeral tokens connect clients directly to OpenAI's WebRTC endpoints for up to 60 minutes. Once we hand the token to the client, our backend loses all control. A bad actor can scrape the token, bypass our frontend timers, and run up an hour of gpt-realtime-2 compute on our dime, and we have no way to forcefully disconnect them.

The Solution:
Add a max_duration_seconds parameter to the POST /v1/realtime/sessions endpoint.

Example:

{
  "model": "gpt-realtime-2",
  "max_session_duration_seconds": 900, 
  "voice": "alloy"
}

When the WebRTC connection hits that limit, OpenAI's servers should automatically drop the peer connection. We need a server-side leash for production safety.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions