Keeping fal API Secrets Safe
Real-time models using WebSockets present challenges in ensuring the security of API secrets.
The WebSocket connection is established directly from the browser or native mobile application, making it unsafe to embed API keys and secrets directly into the client. To address this, we have developed additional tools to enable secure authentication with our servers without introducing unnecessary intermediaries between the client and our GPU servers. Instead of using traditional API keys, we recommend utilizing short-lived JWT tokens for authentication.
The easiest way to communicate with fal over WebSockets is through our JavaScript and Swift clients together with a server proxy.
When fal.realtime.connect is invoked, the fal client gets a short-lived JWT token through a server proxy to authenticate with fal services. The client refreshes this token automatically when needed.
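The pattern described above, as an added example that is not fal's code, endpoint, or token format: a secret held only on the server mints a JWT with a short exp, the accepting service checks signature and expiry, and the client reads exp to decide when to refresh. The function names, the HS256 choice, and all sample values are assumptions made for illustration.

```javascript
// Added illustration of short-lived JWTs minted server-side (Node.js).
// Not fal's token format or API; names and values are hypothetical.
const nodeCrypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const sign = (input, secret) =>
  nodeCrypto.createHmac('sha256', secret).update(input).digest('base64url');

// Server proxy only: the signing secret never reaches the browser or app.
function mintToken(secret, subject, ttlSeconds, now = Math.floor(Date.now() / 1000)) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({ sub: subject, iat: now, exp: now + ttlSeconds }));
  const signingInput = `${header}.${payload}`;
  return `${signingInput}.${sign(signingInput, secret)}`;
}

// Service that accepts the WebSocket connection.
function verifyToken(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [header, payload, signature] = parts;
  const expected = Buffer.from(sign(`${header}.${payload}`, secret));
  const given = Buffer.from(signature);
  // Constant-time compare; check length first because timingSafeEqual throws on mismatch.
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  let claims;
  try {
    // Pin the algorithm instead of trusting whatever the header declares.
    if (JSON.parse(Buffer.from(header, 'base64url')).alg !== 'HS256') {
      return { ok: false, reason: 'bad-alg' };
    }
    claims = JSON.parse(Buffer.from(payload, 'base64url'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (typeof claims.exp !== 'number' || now >= claims.exp) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, claims };
}

// Client side: read exp (no secret needed) and refresh shortly before expiry.
function needsRefresh(token, now = Math.floor(Date.now() / 1000), skewSeconds = 10) {
  const { exp } = JSON.parse(Buffer.from(token.split('.')[1], 'base64url'));
  return now >= exp - skewSeconds;
}
```

A leaked token from this scheme is only useful until its exp passes, whereas a leaked long-lived API key stays valid until someone rotates it.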
Check out the FalRealtimeSampleApp (Swift) and realtime demo (JS) for more details.