You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Adds a security warning to the assistant API key section of the REST API introduction:
Don't expose the assistant API key directly in client-side code in production — anyone with it can consume credits and incur overages.
Proxy assistant API requests through your own backend to keep the key server-side.
Use the proxy layer to add rate limiting, authentication, and bot protection.
Requested in Slack by Lucas.
Note
Low Risk
Documentation-only change to API introduction; no runtime or authentication code is modified.
Overview
Adds a <Warning> block to the Assistant API key section in api/introduction.mdx so production guidance is visible next to the existing “public token” wording.
The warning says not to embed the assistant API key directly in client-side code, because extracted keys can burn credits and trigger overages. It recommends proxying assistant API calls through your backend with the key in a server-side env var, and using that layer for rate limiting, authentication, and bot protection.
Reviewed by Cursor Bugbot for commit 633b48e. Bugbot is set up for automated code reviews on this repo. Configure here.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds a security warning to the assistant API key section of the REST API introduction:
Requested in Slack by Lucas.
Note
Low Risk
Documentation-only change to API introduction; no runtime or authentication code is modified.
Overview
Adds a
<Warning>block to the Assistant API key section inapi/introduction.mdxso production guidance is visible next to the existing “public token” wording.The warning says not to embed the assistant API key directly in client-side code, because extracted keys can burn credits and trigger overages. It recommends proxying assistant API calls through your backend with the key in a server-side env var, and using that layer for rate limiting, authentication, and bot protection.
Reviewed by Cursor Bugbot for commit 633b48e. Bugbot is set up for automated code reviews on this repo. Configure here.