Hiding Speechly appID in BrowserClient

[Lex-Kent]

Hi all,

I'm using Speechly successfully in my project, which runs on NodeJS.

My current set up was taken from the online BrowserClient example and therefore my appID is exposed if a user inspects the JS of my page. I have this in my bundled JS:

ctx.speechlyAppId = "speechlyAppID_string";

... ... ...

ctx.speechly = new BrowserClient({
  appId: ctx.speechlyAppId,
  logSegments: false
});

it's not a big deal right now, because my project is a simple concept and I am using the free tier, but if the concept is a success, we will upgrade to a paid subscription and then I will want our appID to be hidden to the user.

How can I go about this please? Do I create a Node version of the BrowserClient and BrowserMicrophone?

Many thanks

[langma]

Hi!

the appID is exposed and could be used by others quite easily, as you said. The free tier does not include any protections, other than creating a new appID every now and then, making it more difficult for others to use your app.

There are three options for mitigating this:

1. create a separate backend, which proxies the audio to the Speechly API and handles the results. This is what you also suggested, but will require you to handle the proxying logic, as there are no ready made components for achieving this. However, this might be the best option anyway, as you could do additional logic steps in the backend side, for example DB queries etc.
   There is a nodejs example you can use to set this up.
2. the paid tier can be set up so that the connections are accepted only from a specified referer page, making it hard to use elsewhere. You could set up multiple apps and expose only one of them, enabling you to test things out locally or in a test env, and then roll out in the public, restricted app
3. there are plans to include a trust relationship to an external identity management API. This would mean that you could create you own API to authorize a user to use the app, and issue a token for the user. The Speechly API would validate this token and match it to your app, this way keeping the application identity hidden.

Note that the appID will not expose any of your configuration or usage data to others, it will only be used to match the incoming audio to a trained model.

[Lex-Kent]

Thanks @langma for the detailed response - much appreciated 👍