The trust boundary

A GPU worker is rented capacity. Handing it raw object URLs or storage credentials means trusting code you do not fully control with durable access to private data.

The safe boundary is to give the worker the least access that still lets it do the job.

How stream keys work

When a task needs private media, the runtime mints a short-lived key scoped to that job and proxies the asset through super-proxy.webtunel.com.

The worker receives a proxy URL and a stream key, never the original URL or bucket credentials.

Expiry and revocation

Keys carry a TTL and are revoked when a job is cancelled or a worker is considered unsafe.

Even a leaked key is useless after expiry and scoped to a single job while valid.