Skip to content

LiveKitAPI entrypoint, ability to use a token instead of api key/secret#695

Merged
davidzhao merged 6 commits into
mainfrom
dz/livekitapi
Jul 7, 2026
Merged

LiveKitAPI entrypoint, ability to use a token instead of api key/secret#695
davidzhao merged 6 commits into
mainfrom
dz/livekitapi

Conversation

@davidzhao

@davidzhao davidzhao commented Jul 4, 2026

Copy link
Copy Markdown
Member
  • added a LiveKitAPI class to reduce overhead of accessing services
  • ability to use token based auth instead of requiring API key/secret
  • full api smoke tests to ensure correct token permissions, request encoding
  • added SIPCallError
  • renamed error class to ServerError

- added a LiveKitAPI class to reduce overhead of accessing services
- ability to use token based auth instead of requiring API key/secret
- comprehensive api testing
- added SIPCallError
@changeset-bot

changeset-bot Bot commented Jul 4, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: 2d635fc

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages
Name Type
livekit-server-sdk Minor
agent-dispatch Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@davidzhao davidzhao requested review from 1egoman and lukasIO July 4, 2026 19:48

@devin-ai-integration devin-ai-integration Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

Open in Devin Review

devin-ai-integration[bot]

This comment was marked as resolved.

devin-ai-integration[bot]

This comment was marked as resolved.

The generated src/version.ts tripped the REUSE license check (no SPDX header)
and Prettier, and committing it isn't the repo convention — livekit-rtc
gitignores its generated version.ts. Gitignore and prettier-ignore it, untrack
it, and have the Test API workflow run `prebuild` to generate it before the
tests (the main CI test job already builds first, which generates it). Also fix
import ordering in TwirpRPC.test.ts.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
LiveKitAPI fell back to process.env.LIVEKIT_TOKEN unconditionally, so a token in
the environment silently shadowed an explicitly passed apiKey/secret (authHeader
sends a token verbatim, skipping signing). Only fall back to LIVEKIT_TOKEN when
no explicit credentials were given, and add a regression test.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Comment thread packages/livekit-server-sdk/src/LiveKitAPI.ts Outdated
Comment thread packages/livekit-server-sdk/src/LiveKitAPI.ts Outdated
Comment thread packages/livekit-server-sdk/src/LiveKitAPI.ts Outdated
Comment on lines 55 to +59
async authHeader(grant: VideoGrant, sip?: SIPGrant): Promise<Record<string, string>> {
// A pre-signed token is sent verbatim; the caller is responsible for its grants.
if (this.token) {
return { Authorization: `Bearer ${this.token}` };
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion: It might be nice to expose here some sort of event the caller can use to determine if the token is expired or not. And if it is expired, then give the caller the ability to potentially regenerate it before actually making the API request.

This sets the stage well for a future TokenSource type integration (once that is officially added to node) nicely.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see reply the Rust SDK PR.

I would like the server to the be the authority on token validity, instead of the client. making validity decisions on the client relies on having a correct client clock. I don't think that's a good idea.

@davidzhao

Copy link
Copy Markdown
Member Author

@lukasIO @1egoman feedback addressed, PTAL

* falls back to its environment variable (`LIVEKIT_URL`, `LIVEKIT_API_KEY`,
* `LIVEKIT_API_SECRET`, `LIVEKIT_TOKEN`).
*/
export type LiveKitAPIOptions = LiveKitAPICommonOptions & (ApiKeyAuth | TokenAuth);

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice!

@davidzhao davidzhao merged commit a04fabf into main Jul 7, 2026
14 checks passed
@davidzhao davidzhao deleted the dz/livekitapi branch July 7, 2026 16:42
@github-actions github-actions Bot mentioned this pull request Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants