How to access files with anti-leech

[maketesteasier]

Which Deepgram product are you using?

Deepgram API

Details

Hi, I have all my audio files on Aliyun object storage service. Because I do not want my users to download my audio files, I turned on anti-leech service. However, deepgram cannot access my audio files in this way. In order to put deepgram into the white list on Aliyun OSS, I need a referer when I am trying to access files on my OSS with this: https://api.deepgram.com/v1/listen. Can you tell me at what value should I set the referer in this case?

If you are making a request to the Deepgram API, what is the full Deepgram URL you are making a request to?

No response

If you are making a request to the Deepgram API and have a request ID, please paste it below:

No response

If possible, please attach your code or paste it into the text box.

No response

If possible, please attach an example audio file to reproduce the issue.

No response

[lukeocodes]

When fetching files by URL, the request includes a dg-token header. This contains the ID of the API key (not the key itself), which you can view in the console.

[maketesteasier]

so the value of the referer should be that id, right? I did not find any id in my dashboard. I just found a project id.

[jjmaldonis]

Hey @maketesteasier, I found this in Aliyun OSS's documentation:

On the Hotlink Protection page for the bucket, select No for the Allow Empty Referer option, and add the allowed domain names to the Referer whitelist:
To allow domain names that start with http://help.example.com to access the bucket, add http://help.example.com to the Referer whitelist. OSS checks the Referer field by matching the URL prefix. For example, if you add only http://help.example.com/index.html to the Referer whitelist, domain names that do not start with http://help.example.com/index.html, such as http://help.example.com/logo.html, cannot access the bucket.

Based on this, you can add the following two URL prefixes as referers in Aliyun OSS and that should whitelist Deepgram's API responses:
wss://api.deepgram.com
https://api.deepgram.com

[maketesteasier]

Hi, I set No for the Allow Empty Referer option, and put wss://api.deepgram.com
https://api.deepgram.com/ in the list. The thing is deepgram does not use any referer in trying to access the data as shown in the pic: so the access will still be denied.

[jjmaldonis]

Hey @maketesteasier I just talked to the team and what you said is correct. The referer field is not set because it can be spoofed (i.e. an attacker could set that value to anything they want). For that reason, the best way to authenticate the request is to check the dg-token header. The value of this header parameter is the ID of your API key (not the API key itself), which is effectively a secret that only you and Deepgram know.