Secure Your Agents: Allowlists & Signed URL Authentication

Описание: Security is critical when deploying conversational agents. This video explains the two authentication methods supported by ElevenLabs: signed URLs and allowlists. Signed URLs generate temporary tokens so clients can connect without exposing your API key. The agent server issues the token, your client connects via WebSocket and the URL expires after 15 minutes. Allowlists restrict access by checking the request’s origin; only approved hostnames can initiate a conversation. You’ll see how to configure allowlists, test them, enable authentication, generate a signed URL using the ElevenLabs API, and update your app to use the signed URL.

New to conversational AI Agents? Get started here:
Build your first agent →    • Build Your First Conversational Voice Agen...  
Twilio telephony integration →    • Connect Your Voice Agent to Twilio – Telep...  
Embed the widget →    • Embed Your ElevenLabs Voice Agent Anywhere...  

Chapters:
00:00 – Introduction: why security matters & overview of methods.
00:30 – Authentication methods: signed URLs vs allowlists.
01:00 – Configuring allowlists: adding approved hostnames and understanding origin checks.
01:30 – Demo: production vs preview: see how unauthorized hosts are blocked.
02:10 – Enabling authentication: what happens when authentication is turned on.
02:40 – Generating a signed URL: using the API key on a secure server to generate a temporary WebSocket URL.
03:30 – Implementing signed URLs: updating your React code to fetch the signed URL and start the session.
04:20 – URL expiration & best practices: token lifetime and never exposing your API key.
05:00 – Comparing both approaches: when to use allowlists and when to use signed URLs.
05:30 – Conclusion: securing your agent for production environments.

Watch the rest of the series:
Customise with the React SDK →    • Fully customise Your Agent with the React ...  
Add server tools & webhooks →    • Add Real‑Time Data to Your Agent – Server ...