Overview
ThedeepgramToken module provides a secure way to generate temporary API tokens for Deepgram’s live transcription service. Tokens are short-lived (5 minutes) and scoped to authenticated users.
This action mints a temporary token instead of exposing the master API key to the client. This is a security best practice for client-side WebSocket connections.
mint
Generate a temporary Deepgram API token for the authenticated user.Authentication
Required: User must be authenticated via Convex Auth. Returns401 if not authenticated.
Parameters
None. This action takes no arguments.Returns
A temporary Deepgram API token valid for 5 minutes (300 seconds)
Example Response
Implementation Details
Token Lifecycle
- Request: Client calls
deepgramToken.mintfrom authenticated session - Grant: Convex action calls Deepgram’s
/v1/auth/grantendpoint with master API key - Return: Temporary token sent to client
- Expiry: Token automatically expires after 5 minutes (TTL: 300 seconds)
Security Considerations
Token scoping:- Tokens are tied to the requesting user’s Convex session
- Each token has a 5-minute TTL to limit exposure
- Tokens cannot be refreshed; a new token must be minted after expiry
- Returns
401if user is not authenticated - Throws error if
DEEPGRAM_API_KEYenvironment variable is not set - Throws error if Deepgram API grant request fails
Usage in Client
Source Code Reference
- Implementation:
convex/deepgramToken.ts:5-31 - Client usage:
src/hooks/useDeepgram.ts:42-47 - Deepgram grant API:
https://developers.deepgram.com/reference/temporary-token-creation
Related
- Live Transcription - How Deepgram is used for audio streaming
- Authentication - Convex Auth setup
- Environment Setup - Configuring
DEEPGRAM_API_KEY