Authentication
Two distinct secrets: a long-lived API key that lives on your server, and short-lived ICE credentials that you mint per session and hand to the browser.
The project API key
Each project in the dashboard has its own API key — a Bearer token used to authenticate calls to the credentials endpoint. It is scoped to that one project, so revoking or rotating it never touches your other projects.
Authorization: Bearer <YOUR_API_KEY>
The API key can mint unlimited credentials. Keep it server-side only. The browser should receive only the short-lived ICE credential pair returned by your server.
Short-lived ICE credentials (ephemeral tokens)
Your server calls the credentials endpoint with the API key and gets back a time-boxed ephemeral token — a username/credential pair — plus the iceServers array. You forward only that token to the client. When it expires, mint a fresh one.
The ephemeral token is the only thing that ever reaches a TURN server or a browser. Tokens are minted at runtime and never stored in config files; nothing in your client or app config holds a secret. There is no shared secret and no static, long-lived credential anywhere in the flow.
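The server-side half of this flow, as an added example that is not the service's own code: it attaches the API key only to the upstream call, forwards an allow-listed payload to the browser, and decides when a fresh token must be minted. The endpoint URL, the POST method, the response field names (username, credential, iceServers, ttl) and all function names are assumptions.

```javascript
// Added example, not the service's own code. The endpoint URL, the POST method and
// the response field names (username, credential, iceServers, ttl) are assumptions.
const CREDENTIALS_URL = "https://turn.example.invalid/v1/credentials"; // placeholder

// Constructed sample response, with an extra field that must not reach the browser.
const SAMPLE_UPSTREAM = {
  username: "1700000600:session-1", credential: "constructed-credential", ttl: 600,
  iceServers: [{ urls: ["turn:turn.example.invalid:3478"],
                 username: "1700000600:session-1", credential: "constructed-credential" }],
  internalProjectId: "constructed-internal-value",
};
const fakeFetch = async () => ({ ok: true, status: 200, json: async () => SAMPLE_UPSTREAM });

// Build the upstream request. The API key appears only here, on the server.
function buildMintRequest(apiKey, url = CREDENTIALS_URL) {
  if (!apiKey) throw new Error("API key missing from server environment");
  return { url, options: { method: "POST", headers: { Authorization: `Bearer ${apiKey}` } } };
}

// Allow-list what is forwarded to the browser: the ephemeral pair, the
// iceServers array and an absolute expiry. Every other upstream field is dropped.
function toClientPayload(upstream, nowMs = Date.now()) {
  const { username, credential, iceServers, ttl } = upstream;
  if (typeof username !== "string" || typeof credential !== "string" ||
      !Array.isArray(iceServers) || !(ttl > 0)) {
    throw new Error("unexpected credentials response shape");
  }
  const servers = iceServers.map((s) => ({ urls: s.urls, username: s.username, credential: s.credential }));
  return { username, credential, iceServers: servers, expiresAt: nowMs + ttl * 1000 };
}

// True when the token is missing, expired, or within skewMs of expiring,
// so the caller mints a fresh one instead of reusing it.
function needsRefresh(payload, nowMs = Date.now(), skewMs = 30000) {
  return !payload || nowMs >= payload.expiresAt - skewMs;
}

// Mint per session; fetchImpl is injectable so the flow can be exercised offline.
async function mintForClient(apiKey, fetchImpl = fetch, nowMs = Date.now()) {
  const { url, options } = buildMintRequest(apiKey);
  const res = await fetchImpl(url, options);
  if (!res.ok) throw new Error(`credentials endpoint returned ${res.status}`);
  const payload = toClientPayload(await res.json(), nowMs);
  // Defence in depth: the long-lived key must never appear in what is forwarded.
  if (JSON.stringify(payload).includes(apiKey)) throw new Error("API key leaked into client payload");
  return payload;
}
```

On the client, the returned iceServers array goes into the RTCPeerConnection configuration, and needsRefresh gates a new request to your server before the next session.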