
Keeping fal API Secrets Safe

Real-time models using WebSockets present challenges in ensuring the security of API secrets.

The WebSocket connection is established directly from the browser or native mobile application, so it is unsafe to embed API keys and secrets in the client. To address this, we have developed additional tools that enable secure authentication with our servers without introducing unnecessary intermediaries between the client and our GPU servers. Instead of traditional API keys, we recommend short-lived JWT tokens for authentication.

The easiest way to communicate with fal over WebSockets is through our JavaScript and Swift clients together with a server proxy.

When fal.realtime.connect is invoked, the fal client obtains a short-lived JWT through the server proxy and uses it to authenticate with fal services. The client refreshes this token automatically whenever it is needed.

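import * as fal from "@fal-ai/serverless-client";

// Point the client at the server proxy so the API key and secret stay on the
// server; the client only obtains short-lived tokens through it.
fal.config({
  proxyUrl: "/api/fal/proxy",
});

const { send } = fal.realtime.connect("fal-ai/fast-lcm-diffusion", {
  connectionKey: "realtime-demo",
  throttleInterval: 128,
  onResult(result) {
    // display the result (left to the application)
  },
});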

Check out the FalRealtimeSampleApp (Swift) and the realtime demo (JS) for more details.
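The short-lived token pattern described above, as an added Node.js example that is not fal's code: a generic HS256 JWT stands in for fal's token, whose actual format and signing scheme this page does not document. The names `mintToken` and `verifyToken`, the secret, the claims and the 120-second lifetime are all assumptions made for illustration.

```javascript
// Added illustration (not fal's implementation): a generic HS256 JWT stands in
// for the short-lived token; fal's real token format is not shown on this page.
const crypto = require("node:crypto");

const b64url = (s) => Buffer.from(s).toString("base64url");
const sign = (secret, data) => crypto.createHmac("sha256", secret).update(data).digest();

// Proxy side: the only place the long-lived secret exists.
function mintToken(secret, claims, ttlSeconds, nowMs = Date.now()) {
  const iat = Math.floor(nowMs / 1000);
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify({ ...claims, iat, exp: iat + ttlSeconds }));
  const sig = sign(secret, `${header}.${payload}`).toString("base64url");
  return `${header}.${payload}.${sig}`;
}

// Service side: check the signature first, then expiry, before accepting a socket.
function verifyToken(secret, token, nowMs = Date.now()) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  const [header, payload, sig] = parts;
  const expected = sign(secret, `${header}.${payload}`);
  const given = Buffer.from(sig, "base64url");
  // The algorithm is fixed by the verifier, never chosen from the token header.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad signature" };
  }
  let claims;
  try {
    claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  } catch {
    return { ok: false, reason: "malformed" };
  }
  if (typeof claims?.exp !== "number" || Math.floor(nowMs / 1000) >= claims.exp) {
    return { ok: false, reason: "expired" };
  }
  return { ok: true, claims };
}

// Constructed demo values: a copied token stops working once its TTL has passed.
const demoSecret = "constructed-demo-secret";
const t0 = 1700000000000; // fixed clock so the run is repeatable
const demoToken = mintToken(demoSecret, { app: "realtime-demo" }, 120, t0);
console.log(verifyToken(demoSecret, demoToken, t0 + 60_000));
console.log(verifyToken(demoSecret, demoToken, t0 + 121_000));
```

The browser only ever holds `demoToken`, so anything scraped from the client is bounded by the token's lifetime rather than by the lifetime of the API secret.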


2023 © Features and Labels Inc.