The public Voice AI chat-widget endpoint (services.leadconnectorhq.com/chat-widget/public/start-voice-ai-call/<agentId>) is currently exposed with effectively no abuse protection beyond a single IP-based rate limit. This puts every agency and sub-account owner who embeds a Voice AI widget on a public website at direct financial risk of token-drain attacks.
Evidence (reproduced today on a live sub-account widget):
  • The agent ID is visible in the page HTML — anyone can extract it in 5 seconds.
  • The endpoint accepts POST requests with no auth, no Origin check, and no Referer check. I confirmed this with raw curl from a server (no browser, no Flowi origin) — Origin: https://evil-site.com returned HTTP 201 with a valid LiveKit access token.
  • The only protection is a per-IP rate limit of ~7 calls per ~60 seconds. That's ~420 billable call-starts per hour from a single IP. A 100-IP rotating proxy = 42,000 calls/hour.
  • Each successful POST creates a billable call on the sub-account before any audio is exchanged.
  • Mic permission is enforced in the browser but is irrelevant to billing — the call is created server-side at POST time.
Impact
A single attacker with a bash loop and cheap residential proxies can drain a sub-account's voice token budget overnight. Agencies reselling Voice AI to clients have no in-platform tools to defend their margin or their clients' budgets. A single attack can churn a client and damage agency reputation. As Voice AI adoption grows, this is going to produce ugly support tickets and chargebacks.
Requested features (all configurable per widget):
  1. Domain allowlist (Origin/Referer enforcement) — Sub-account admin specifies which domains the widget can be embedded on. Requests from any other origin return 403. Should be the default, not opt-in.
  2. Built-in bot challenge before call starts — Native Cloudflare Turnstile, hCaptcha, or reCAPTCHA v3 integration. Toggleable per widget. The challenge runs before the start-voice-ai-call POST is allowed. This single feature would block 99% of automated drain attacks.
  3. Hard call caps — Configurable per widget:
      • Max calls per day (per widget)
      • Max calls per IP per day
      • Max calls per session
      • Max call duration (auto-end at N minutes — already exists in agent config but should be enforced server-side at the widget level too)
  4. Configurable rate limits — Let admins tighten the current ~7/min/IP default to e.g. 1/min/IP for production widgets. The current default is too permissive for most legitimate use cases.
  5. Spike alerts — Email/SMS the sub-account owner when daily call volume on a widget exceeds 2× the rolling 7-day average, or when 429 errors spike (a signal that someone is probing).
  6. Optional pre-call lead capture gate — Toggle to require name + phone/email before the call starts. Adds friction for bots and gives the agency a lead even if the call ends quickly.
  7. Per-widget audit log — Show recent calls with IP, country, origin domain, duration, and outcome. Lets agencies investigate suspicious patterns.
  8. Rotate widget/agent ID without rebuilding — Right now a leaked agent ID is permanent. Provide a one-click "rotate ID" that forces re-embed and invalidates old IDs.
Priority ranking if you can't ship all at once
If only one ships: #2 (CAPTCHA) — biggest blast-radius reduction for least friction.
Top 3: #2 CAPTCHA, #1 Origin allowlist, #3 Hard caps. Together these would close the abuse vector almost entirely.
Why this is urgent
Voice AI is the most expensive-per-call product in the GHL stack. The attack surface is also the most exposed (public widget on public domains). Right now there is no in-platform way for an agency to protect itself or its clients from a 30-minute scripted attack. Every other major voice-AI platform (Vapi, Retell direct, Bland) ships at least Origin allowlists and per-widget caps natively.
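
Requested features 1 and 3 sketched as a server-side admission check that runs before the billable call is created. This is an added illustration, not LeadConnector or GHL code; the class names, cap defaults and the example host are assumptions. The load function replays the post's figure of 100 IPs at ~420 attempts each against the gate.

```python
from collections import Counter
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class WidgetPolicy:  # hypothetical per-widget settings; names and defaults are assumptions
    allowed_hosts: frozenset
    max_calls_per_day: int = 200
    max_calls_per_ip_per_day: int = 5
    max_calls_per_session: int = 2

@dataclass
class CallGate:
    policy: WidgetPolicy
    counts: Counter = field(default_factory=Counter)  # in-memory for the demo only

    def admit(self, origin, ip, session_id, day):
        """Return (http_status, reason); run before the billable call is created."""
        # Feature 1: exact-host allowlist on https origins. Origin is client-supplied,
        # so this blocks third-party embeds, while the caps below bound cost.
        try:
            parts = urlsplit(origin or "")
            host_ok = parts.scheme == "https" and parts.hostname in self.policy.allowed_hosts
        except ValueError:  # malformed Origin value
            host_ok = False
        if not host_ok:
            return 403, "origin_not_allowed"
        # Feature 3: hard caps, narrowest scope first.
        p = self.policy
        checks = [
            (("session", session_id, day), p.max_calls_per_session, "session_cap"),
            (("ip", ip, day), p.max_calls_per_ip_per_day, "ip_cap"),
            (("widget", day), p.max_calls_per_day, "widget_cap"),
        ]
        for key, limit, reason in checks:
            if self.counts[key] >= limit:
                return 429, reason
        for key, _, _ in checks:  # only admitted calls consume budget
            self.counts[key] += 1
        return 201, "call_started"

def admitted_under_rotation(gate, origin, n_ips, attempts_per_ip, day="2025-01-01"):
    """Constructed load: n_ips addresses, fresh session per attempt; returns calls admitted."""
    admitted = 0
    for i in range(n_ips):
        ip = f"203.0.113.{i + 1}"  # constructed documentation-range addresses
        for j in range(attempts_per_ip):
            status, _ = gate.admit(origin, ip, f"{ip}-{j}", day)
            admitted += status == 201
    return admitted
```

With these assumed defaults, the 42,000 attempts result in 200 admitted calls for the day, because the per-widget cap holds regardless of how many addresses are used.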