How to protect Gemini API key?

[dselman]

Description of the bug:

Gemini API key is compiled into the frontend code. What is the best practice for secure management of Gemini API keys?

Actual vs expected behavior:

Some mechanism to prevent disclosure of Gemini API keys to web browser.

Any other information you'd like to share?

Same question, here: pipecat-ai/gemini-multimodal-live-demo#9

[hapticdata]

You can easily proxy a websocket connection from your own web server. We will have more examples of this soon.
How you accomplish this is based on your own server, if it is a node.js a package such as http-proxy should make it simple. If it is python you can should take a look at the google docs as there is an official SDK implementation.

[dselman]

Yes, a node example of this would be a great addition.

[saliksik]

Any updates on this?

[hapticdata]

We now have an example of using a python server for the websocket communication and protected the API key

https://github.com/GoogleCloudPlatform/generative-ai/tree/main/gemini/sample-apps/e2e-gen-ai-app-starter-pack/app/patterns/multimodal_live_agent

this example integrates in this boilerplate as a frontend.