暫時性權杖是短期驗證權杖,可透過 WebSockets 存取 Gemini API。這類金鑰的設計宗旨,是在您從使用者裝置直接連線至 API 時 (用戶端對伺服器的實作方式),提升安全性。與標準 API 金鑰一樣,您可以從網路瀏覽器或行動應用程式等用戶端應用程式擷取臨時權杖。但由於臨時權杖很快就會過期,且可受到限制,因此能大幅降低生產環境中的安全風險。
臨時權杖的運作方式
暫時性權杖的大致運作方式如下:
您的用戶端 (例如網頁應用程式) 會向後端進行驗證。
後端向 Gemini API 的佈建服務要求臨時權杖。
Gemini API 會核發短期權杖。
後端會將權杖傳送至用戶端,以建立 WebSocket 連線至 Live API。方法是將 API 金鑰換成臨時權杖。
接著,用戶端會將權杖視為 API 金鑰使用。
這樣做可提升安全性,因為即使權杖遭到擷取,有效時間也不長,不像部署在用戶端的長期有效 API 金鑰。由於用戶端會直接將資料傳送至 Gemini,因此也能縮短延遲時間,避免後端需要代理即時資料。
建立暫時性權杖
以下是從 Gemini 取得臨時權杖的簡化範例。
根據預設,您有 1 分鐘的時間,可使用這項要求 (newSessionExpireTime) 中的權杖啟動新的 Live API 工作階段,並有 30 分鐘的時間,可透過該連線傳送訊息 (expireTime)。
Python
importdatetimenow=datetime.datetime.now(tz=datetime.timezone.utc)client=genai.Client(http_options={'api_version':'v1alpha',})token=client.auth_tokens.create(config={'uses':1,# The ephemeral token can only be used to start a single session'expire_time':now+datetime.timedelta(minutes=30),# Default is 30 minutes in the future# 'expire_time': '2025-05-17T00:00:00Z', # Accepts isoformat.'new_session_expire_time':now+datetime.timedelta(minutes=1),# Default 1 minute in the future'http_options':{'api_version':'v1alpha'},})# You'll need to pass the value under token.name back to your client to use it
JavaScript
import{GoogleGenAI}from"@google/genai";constclient=newGoogleGenAI({});constexpireTime=newDate(Date.now()+30*60*1000).toISOString();consttoken:AuthToken=awaitclient.authTokens.create({config:{uses:1,// The defaultexpireTime:expireTime// Default is 30 minsnewSessionExpireTime:newDate(Date.now()+(1*60*1000)),// Default 1 minute in the futurehttpOptions:{apiVersion:'v1alpha'},},});
client=genai.Client(http_options={'api_version':'v1alpha',})token=client.auth_tokens.create(config={'uses':1,'live_connect_constraints':{'model':'gemini-2.0-flash-live-001','config':{'session_resumption':{},'temperature':0.7,'response_modalities':['TEXT']}},'http_options':{'api_version':'v1alpha'},})# You'll need to pass the value under token.name back to your client to use it
JavaScript
import{GoogleGenAI}from"@google/genai";constclient=newGoogleGenAI({});constexpireTime=newDate(Date.now()+30*60*1000).toISOString();consttoken=awaitclient.authTokens.create({config:{uses:1,// The defaultexpireTime:expireTime,liveConnectConstraints:{model:'gemini-2.0-flash-live-001',config:{sessionResumption:{},temperature:0.7,responseModalities:['TEXT']}},httpOptions:{apiVersion:'v1alpha'}}});// You'll need to pass the value under token.name back to your client to use it
import{GoogleGenAI,Modality}from'@google/genai';// Use the token generated in the "Create an ephemeral token" section hereconstai=newGoogleGenAI({apiKey:token.name});constmodel='gemini-2.0-flash-live-001';constconfig={responseModalities:[Modality.TEXT]};asyncfunctionmain(){constsession=awaitai.live.connect({model:model,config:config,callbacks:{...},});// Send content...session.close();}main();
[[["容易理解","easyToUnderstand","thumb-up"],["確實解決了我的問題","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["缺少我需要的資訊","missingTheInformationINeed","thumb-down"],["過於複雜/步驟過多","tooComplicatedTooManySteps","thumb-down"],["過時","outOfDate","thumb-down"],["翻譯問題","translationIssue","thumb-down"],["示例/程式碼問題","samplesCodeIssue","thumb-down"],["其他","otherDown","thumb-down"]],["上次更新時間:2025-08-22 (世界標準時間)。"],[],[],null,["# Ephemeral tokens are short-lived authentication tokens for accessing the Gemini\nAPI through [WebSockets](https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API). They are designed to enhance security when\nyou are connecting directly from a user's device to the API (a\n[client-to-server](/gemini-api/docs/live#implementation-approach)\nimplementation). Like standard API keys, ephemeral tokens can be extracted from\nclient-side applications such as web browsers or mobile apps. But because\nephemeral tokens expire quickly and can be restricted, they significantly reduce\nthe security risks in a production environment.\n| **Note:** Ephemeral tokens are only compatible with [Live API](/gemini-api/docs/live) at this time. You should use them when accessing the Live API directly from client-side applications to enhance API key security.\n\nHow ephemeral tokens work\n-------------------------\n\nHere's how ephemeral tokens work at a high level:\n\n1. Your client (e.g. web app) authenticates with your backend.\n2. Your backend requests an ephemeral token from Gemini API's provisioning service.\n3. Gemini API issues a short-lived token.\n4. Your backend sends the token to the client for WebSocket connections to Live API. You can do this by swapping your API key with an ephemeral token.\n5. The client then uses the token as if it were an API key.\n\nThis enhances security because even if extracted, the token is short-lived,\nunlike a long-lived API key deployed client-side. Since the client sends data\ndirectly to Gemini, this also improves latency and avoids your backends needing\nto proxy the real time data.\n\nCreate an ephemeral token\n-------------------------\n\nHere is a simplified example of how to get an ephemeral token from Gemini.\nBy default, you'll have 1 minute to start new Live API sessions using the token\nfrom this request (`newSessionExpireTime`), and 30 minutes to send messages over\nthat connection (`expireTime`). \n\n### Python\n\n import datetime\n\n now = datetime.datetime.now(tz=datetime.timezone.utc)\n\n client = genai.Client(\n http_options={'api_version': 'v1alpha',}\n )\n\n token = client.auth_tokens.create(\n config = {\n 'uses': 1, # The ephemeral token can only be used to start a single session\n 'expire_time': now + datetime.timedelta(minutes=30), # Default is 30 minutes in the future\n # 'expire_time': '2025-05-17T00:00:00Z', # Accepts isoformat.\n 'new_session_expire_time': now + datetime.timedelta(minutes=1), # Default 1 minute in the future\n 'http_options': {'api_version': 'v1alpha'},\n }\n )\n\n # You'll need to pass the value under token.name back to your client to use it\n\n### JavaScript\n\n import { GoogleGenAI } from \"@google/genai\";\n\n const client = new GoogleGenAI({});\n const expireTime = new Date(Date.now() + 30 * 60 * 1000).toISOString();\n\n const token: AuthToken = await client.authTokens.create({\n config: {\n uses: 1, // The default\n expireTime: expireTime // Default is 30 mins\n newSessionExpireTime: new Date(Date.now() + (1 * 60 * 1000)), // Default 1 minute in the future\n httpOptions: {apiVersion: 'v1alpha'},\n },\n });\n\nFor `expireTime` value constraints, defaults, and other field specs, see the\n[API reference](https://ai.google.dev/api/live#ephemeral-auth-tokens).\nWithin the `expireTime` timeframe, you'll need\n[`sessionResumption`](/gemini-api/docs/live-session#session-resumption) to\nreconnect the call every 10 minutes (this can be done with the same token even\nif `uses: 1`).\n\nIt's also possible to lock an ephemeral token to a set of configurations. This\nmight be useful to further improve security of your application and keep your\nsystem instructions on the server side. \n\n### Python\n\n client = genai.Client(\n http_options={'api_version': 'v1alpha',}\n )\n\n token = client.auth_tokens.create(\n config = {\n 'uses': 1,\n 'live_connect_constraints': {\n 'model': 'gemini-2.0-flash-live-001',\n 'config': {\n 'session_resumption':{},\n 'temperature':0.7,\n 'response_modalities':['TEXT']\n }\n },\n 'http_options': {'api_version': 'v1alpha'},\n }\n )\n\n # You'll need to pass the value under token.name back to your client to use it\n\n### JavaScript\n\n import { GoogleGenAI } from \"@google/genai\";\n\n const client = new GoogleGenAI({});\n const expireTime = new Date(Date.now() + 30 * 60 * 1000).toISOString();\n\n const token = await client.authTokens.create({\n config: {\n uses: 1, // The default\n expireTime: expireTime,\n liveConnectConstraints: {\n model: 'gemini-2.0-flash-live-001',\n config: {\n sessionResumption: {},\n temperature: 0.7,\n responseModalities: ['TEXT']\n }\n },\n httpOptions: {\n apiVersion: 'v1alpha'\n }\n }\n });\n\n // You'll need to pass the value under token.name back to your client to use it\n\nYou can also lock a subset of fields, see the [SDK documentation](https://googleapis.github.io/python-genai/genai.html#genai.types.CreateAuthTokenConfig.lock_additional_fields)\nfor more info.\n\nConnect to Live API with an ephemeral token\n-------------------------------------------\n\nOnce you have an ephemeral token, you use it as if it were an API key (but\nremember, it only works for the live API, and only with the `v1alpha` version of\nthe API).\n\nNote that use of ephemeral tokens only adds value when deploying applications\nthat follow [client-to-server implementation](/gemini-api/docs/live#implementation-approach) approach. \n\n### JavaScript\n\n import { GoogleGenAI, Modality } from '@google/genai';\n\n // Use the token generated in the \"Create an ephemeral token\" section here\n const ai = new GoogleGenAI({\n apiKey: token.name\n });\n const model = 'gemini-2.0-flash-live-001';\n const config = { responseModalities: [Modality.TEXT] };\n\n async function main() {\n\n const session = await ai.live.connect({\n model: model,\n config: config,\n callbacks: { ... },\n });\n\n // Send content...\n\n session.close();\n }\n\n main();\n\n| **Note:** If not using the SDK, note that ephemeral tokens must either be passed in an `access_token` query parameter, or in an HTTP `Authorization` prefixed by the [auth-scheme](https://datatracker.ietf.org/doc/html/rfc7235#section-2.1) `Token`.\n\nSee [Get started with Live API](/gemini-api/docs/live) for more examples.\n\nBest practices\n--------------\n\n- Set a short expiration duration using the `expire_time` parameter.\n- Tokens expire, requiring re-initiation of the provisioning process.\n- Verify secure authentication for your own backend. Ephemeral tokens will only be as secure as your backend authentication method.\n- Generally, avoid using ephemeral tokens for backend-to-Gemini connections, as this path is typically considered secure.\n\nLimitations\n-----------\n\nEphemeral tokens are only compatible with [Live API](/gemini-api/docs/live) at this time.\n\nWhat's next\n-----------\n\n- Read the Live API [reference](https://ai.google.dev/api/live#ephemeral-auth-tokens) on ephemeral tokens for more information."]]
