AxioRankDocs

Voice agents (Realtime API)

Govern the tool calls and output of an OpenAI Realtime voice agent with the same policy, risk scoring, and audit trail as any other agent.

A voice agent built on the OpenAI Realtime API keeps a live WebSocket open and calls tools mid-conversation. Those tool calls are the same security surface AxioRank already governs for text agents, so createRealtimeGuard maps each one to the same policy engine, risk scoring, audit trail, approvals, and multi-step kill-chain correlation.

It is transport-agnostic. You own the socket (WebSocket, WebRTC data channel, or a server-side sideband connection); the guard just needs each server event.

Install

npm install @axiorank/sdk

Guard a session

import { AxioRank } from "@axiorank/sdk";
import { createRealtimeGuard } from "@axiorank/sdk/realtime";

const axio = new AxioRank({ apiKey: process.env.AXIORANK_KEY! });
const guard = createRealtimeGuard(axio, { sessionId });

ws.on("message", async (raw) => {
  const event = JSON.parse(raw.toString());
  const verdict = await guard.onServerEvent(event);

  // On a denied function call, send the block back so the tool never runs.
  for (const ev of verdict.send) ws.send(JSON.stringify(ev));

  if (verdict.kind === "function_call" && verdict.decision === "allow") {
    // run the tool, then send your own function_call_output
  }
});

What gets governed

Function tools (preventive). When the model asks to run a function, OpenAI emits response.function_call_arguments.done. The guard scores it before your app executes anything. On a deny it returns a function_call_output carrying the block plus a response.create, so the model gets a blocked result and continues gracefully. The action never fires.

Output (detective). The guard inspects the model's output transcript (response.output_audio_transcript.done) for leaked secrets and PII.

In a live voice call the audio has already streamed by the time a transcript is final, so an output finding is audited and alerted, not un-said. Wire onOutputLeak to route it into your incident flow. Use inspectOutput: false to turn it off.

MCP tools (already covered). If your realtime session attaches an mcp tool whose server_url points at your AxioRank MCP gateway, those calls are inspected server-side today, with no extra code. createRealtimeGuard governs the function tools your own app executes.

Options

OptionDefaultWhat it does
sessionIdnoneGroups this call with its siblings on the Agent Runs page.
inspectOutputtrueInspect output transcripts for secret/PII leakage.
outputTool"realtime.output"Tool name recorded for output inspection.
onOutputLeaknoneCalled when output DLP flags a leak in what the agent said.
metadatanoneTags merged onto every governed call (for example your end-user id).

The whole conversation is one AxioRank run, and governance inherits your client's outage posture, so a gateway blip never silently halts a call unless you configured fail_closed.

On this page