When implementing a JavaScript SDK, especially one that interacts with sensitive resources or APIs, it is critical to ensure the security of private keys, tokens, and other sensitive credentials. Exposing such sensitive information in a client-side environment (e.g., browsers) can lead to vulnerabilities, including unauthorized access, token theft, and API abuse. This document outlines best practices for securing private keys and tokens in your Streaming Avatar SDK implementation while exposing only the necessary session data to the client.
Never Expose Private Keys in the Client-Side Code
Use a Short-Lived Session as the Token
Delegate Authentication to a Backend Server
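One way to enforce these practices on the backend, as an added example that is not part of the SDK or its documentation: the server keeps the private key and returns only an allowlisted, short-lived session payload to the browser. The field names (session_id, credentials, expires_at), the 10-minute limit and the function names are assumptions.

```javascript
// Added example. Field names, the TTL limit and all function names are assumptions.
const ALLOWED_FIELDS = ['session_id', 'credentials', 'expires_at'];
const SECRET_KEY_PATTERN = /api[_-]?key|secret|private[_-]?key/i;
const MAX_TTL_MS = 10 * 60 * 1000; // assumed upper bound for "short-lived"

// Reject any object that carries a secret-looking key, at any depth.
function assertNoSecrets(value, path = '') {
  if (value === null || typeof value !== 'object') return;
  for (const [key, child] of Object.entries(value)) {
    if (SECRET_KEY_PATTERN.test(key)) {
      throw new Error(`secret-like key in client payload: ${path}${key}`);
    }
    assertNoSecrets(child, `${path}${key}.`);
  }
}

// Build the only object the backend is allowed to return to the browser.
function toClientSession(upstream, now = Date.now()) {
  const out = {};
  for (const field of ALLOWED_FIELDS) {
    if (!(field in upstream)) throw new Error(`missing field: ${field}`);
    out[field] = upstream[field];
  }
  const ttl = Date.parse(out.expires_at) - now;
  if (!(ttl > 0 && ttl <= MAX_TTL_MS)) {
    throw new Error('session is expired or not short-lived');
  }
  assertNoSecrets(out);
  return out;
}

// Constructed sample of what a session-creation call might return server-side.
const sampleUpstream = {
  session_id: 'sess-constructed-001',
  credentials: { channel: 'demo-channel', token: 'constructed-stream-token', uid: 42 },
  expires_at: '2030-01-01T00:05:00Z',
  api_key: 'CONSTRUCTED-PRIVATE-KEY', // must never reach the client
  account: { client_secret: 'CONSTRUCTED-SECRET' },
};
const sampleNow = Date.parse('2030-01-01T00:00:00Z');
console.log(JSON.stringify(toClientSession(sampleUpstream, sampleNow)));
```

Because the payload is built from an allowlist rather than by deleting known secrets, a new sensitive field added upstream stays on the server by default.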
Handling avatar interactions and responses
Managing audio streams and events
The integration uses Agora’s Real-Time Communication (RTC) SDK for reliable, low-latency streaming and our avatar service for generating responsive avatar behaviors.
3. Instantiate the StreamingAvatar class and get the session params from your backend:
var stream = new StreamingAvatar();
// Info: start your stream session with credentials.
// Best practice: get the Akool Session_ID and Credentials from your backend service.
const paramsWithCredentials = await YOUR_BACK_END_API_FOR_START_SESSION();
YOUR_BACK_END_API_FOR_START_SESSION may look like the following: