Short Lived Restrictive API Keys
OpenAI Developer Community
March 12, 2026
Hey there, good day!
I am building an app that will need to access your services on the client. However, I would rather not leak my API keys there.
Besides deploying this part of the infra to the edge, I was thinking that it would be great to expose short-lived restricted API keys to the client.
Do you have such functionality, or do I need to implement it by hand?
Example: an API key for a specific response session with an expiration of 1 hour, only specific model access (only gpt 5 mini), and optionally a specific user (via IP or geolocation).
The client would then make requests directly to the OpenAI API (saving bandwidth).
Using the new WebSocket response API, I believe this would be even better for load times and speed.
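One way to build the scheme asked about above by hand, as an added example that is not part of the original post and not an OpenAI feature: the backend mints an HMAC-signed token with a one-hour expiry, one permitted model and an optional client IP, and a relay that holds the real API key checks the token before forwarding. The signing key, claim names, the `gpt-5-mini` identifier and the relay itself are assumptions.

```python
import base64, hashlib, hmac, json, time

SIGNING_KEY = b"constructed-demo-signing-key"  # placeholder; load from a secret store
ALLOWED_MODELS = {"gpt-5-mini"}  # assumed identifier for the model named in the post

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(body: str) -> str:
    return b64e(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())

def mint_token(session_id, model, client_ip=None, ttl=3600, now=None):
    """Backend: issue a token scoped to one session, one model, optional IP."""
    if model not in ALLOWED_MODELS:
        raise ValueError("model not permitted")
    issued = int(time.time() if now is None else now)
    claims = {"sid": session_id, "model": model, "ip": client_ip, "exp": issued + ttl}
    body = b64e(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return f"{body}.{sign(body)}"

def authorize(token, requested_model, peer_ip, now=None):
    """Relay: return (True, claims) or (False, reason) before forwarding upstream."""
    try:
        body, sig = token.split(".")
        # Verify the MAC before parsing anything the client controls.
        if not hmac.compare_digest(sig.encode(), sign(body).encode()):
            return False, "bad signature"
        claims = json.loads(b64d(body))
    except (ValueError, TypeError):
        return False, "malformed token"
    current = time.time() if now is None else now
    if current >= claims["exp"]:
        return False, "expired"
    if requested_model != claims["model"]:
        return False, "model not in scope"
    if claims["ip"] is not None and peer_ip != claims["ip"]:
        return False, "ip mismatch"
    return True, claims
```

The long-lived API key never leaves the relay; a leaked token is only good for the session, model and time window it was minted for.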