Abstract

Every widely-copied "connect a phone call to a realtime LLM" sample — Twilio Media Streams bridged into OpenAI Realtime, and the many forks of it — ships an application WebSocket endpoint (commonly /media-stream or /api/voice/stream) that accepts any upgrade request that knows the path. The telephony provider connects to that socket out-of-band, over the public internet, carrying no bearer credential. An attacker who learns or guesses the path can open the same socket and drive a paid realtime-inference session on the victim's account: classic toll-fraud and premium-resource abuse. This publication discloses a fail-closed trust chain that closes the hole without introducing a stateful session store or a second identity provider. Trust is anchored at the provider's per-request webhook HMAC signature — the one cryptographic fact the platform already possesses. The verified answer webhook mints a short-TTL, HMAC-SHA256 token bound to the specific call identifier, and embeds it as a query parameter in the

Creative Commons License

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.

Share

COinS