Never expose your Runway API secret (RUNWAYML_API_SECRET) to the client.
This SDK is designed with a server-client architecture:
- Your server holds the API secret and creates sessions via @runwayml/sdk
- Your client receives only the session credentials (token, URL) needed for WebRTC connection
The session token is short-lived and scoped to a single session, making it safe to send to the client.
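The server-side half of this split, as an added example that is not code from the SDK or its documentation. `createSession` is a hypothetical wrapper around the server SDK call, and the `token`/`url` property names are assumed from the description above.

```javascript
// Added example: every name except RUNWAYML_API_SECRET is hypothetical.
const CLIENT_FIELDS = ['token', 'url']; // assumed property names for the session credentials

// Copy only allowlisted fields, so anything else the session object
// carries never reaches the browser.
function toClientCredentials(session) {
  const out = {};
  for (const field of CLIENT_FIELDS) {
    if (typeof session[field] !== 'string' || session[field] === '') {
      throw new Error(`session is missing ${field}`);
    }
    out[field] = session[field];
  }
  return out;
}

// Last-line check: refuse to send a body that contains the API secret.
function assertNoSecret(body, secret) {
  if (secret && body.includes(secret)) {
    throw new Error('response body contains the API secret');
  }
  return body;
}

// Server-side handler. createSession (hypothetical) is the only code
// that ever sees the secret; the client gets the returned body and nothing else.
async function handleSessionRequest(createSession, secret = process.env.RUNWAYML_API_SECRET) {
  if (!secret) throw new Error('RUNWAYML_API_SECRET is not set on the server');
  const session = await createSession(secret);
  const body = JSON.stringify(toClientCredentials(session));
  return { status: 200, body: assertNoSecret(body, secret) };
}

// Constructed demo: a fake session that carries an extra field echoing the secret.
const fakeCreate = async (secret) => ({
  token: 'tok_example',
  url: 'wss://example.invalid/s/1',
  debug: secret,
});
handleSessionRequest(fakeCreate, 'sk_constructed').then((r) => console.log(r.body));
```

The demo's `debug` field is dropped by the allowlist before the response is serialized, so the secret never leaves the server even though the session object contained it.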
If you discover a security vulnerability:
- Do not open a public GitHub issue
- Email security@runwayml.com with details