Skip to content

fix: Remove Exposed Speech Service API Key from Network Calls #1869

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 28, 2025
Merged

fix: Remove Exposed Speech Service API Key from Network Calls #1869

merged 3 commits into from
Jul 28, 2025

Conversation

Prasanjeet-Microsoft
Copy link
Contributor

Purpose

The purpose of this pull request is to enhance the security of the Speech Synthesis integration by eliminating the exposure of the Azure Speech API key in browser network calls.

Previously, the frontend received and used the Speech API subscription key directly to initialize the speech synthesizer, which could be viewed in browser developer tools. While access to the app is restricted via Entra ID, exposing sensitive keys in client-side code is still a security risk.

To resolve this, we have:

  • Replaced the use of the long-lived Speech API key with a short-lived authorization token retrieved securely from the backend.
  • Updated both backend and frontend code to support token-based initialization of the Azure Speech Synthesizer.

This change ensures sensitive credentials are no longer exposed to end users and follows best practices for secure API consumption.

Backend changes:

  • Removed the key field from the speech_config response in code/create_app.py, as the backend no longer provides the subscription key.

Frontend changes:

  • Replaced the key field with token in the synthesizerData state in Answer.tsx.
  • Updated the initializeSynthesizer function to use SpeechConfig.fromAuthorizationToken instead of SpeechConfig.fromSubscription, reflecting the switch to token-based authentication.
  • Adjusted the useEffect logic to check for a non-empty token instead of key before initializing the synthesizer.
  • Updated the fetchSynthesizerData function to set the token field in synthesizerData instead of key. Minor formatting improvement was also made to the error logging.

Does this introduce a breaking change?

  • Yes
  • No

How to Test

  • Get the code
git clone [repo-address]
cd [repo-name]
git checkout [branch-name]
npm install

What to Check

Verify that the following are valid:

  • Speech synthesis works correctly with the new token-based setup.
  • No API key is visible in browser network calls.
  • Token is properly fetched from the backend and used on the frontend.
  • No functional regressions introduced in the chat or speech flow.

@Roopan-Microsoft Roopan-Microsoft merged commit 049836a into Azure-Samples:dev Jul 28, 2025
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Roopan-Microsoft Roopan-Microsoft Roopan-Microsoft approved these changes

@Avijit-Microsoft Avijit-Microsoft Awaiting requested review from Avijit-Microsoft Avijit-Microsoft is a code owner

@Prajwal-Microsoft Prajwal-Microsoft Awaiting requested review from Prajwal-Microsoft Prajwal-Microsoft is a code owner

@Fr4nc3 Fr4nc3 Awaiting requested review from Fr4nc3 Fr4nc3 is a code owner

@Vinay-Microsoft Vinay-Microsoft Awaiting requested review from Vinay-Microsoft Vinay-Microsoft is a code owner

@aniaroramsft aniaroramsft Awaiting requested review from aniaroramsft aniaroramsft is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Prasanjeet-Microsoft @Roopan-Microsoft