Discussions

Hi support team...thanks for being here.

I'm trying to embed a HeyGen interactive avatar using the LiveKit Streaming API on a site deployed via Vercel (Next.js).

I've confirmed the API token is valid, and I can see the avatar container loads. However, I'm getting this error: Refused to connect to 'https://api.heygen.com/v1/streaming.new' because it violates the following Content Security Policy directive: "default-src 'self'".

My connect-src CSP directive includes: connect-src 'self' https://api.heygen.com https://livekit.heygen.com wss://livekit.heygen.com;

My questions:

Can you confirm the exact domains and protocols (including WebSockets) that need to be whitelisted in connect-src for both the Streaming API and the WebSocket connection to LiveKit?

Is there an official list of CSP requirements or recommended settings for production deployments on Vercel or similar hosts?

Do any other domains (e.g. for TURN/STUN servers or media relay) need to be included?

Thanks so much for your help...we’re excited to get this experience live and would love to ensure it's set up securely and correctly!