Feature Request: PII-safe room names for Individual / Callee dispatch rules #726

@sohumh

Summary

SIPDispatchRuleIndividual (and SIPDispatchRuleCallee) always encode the caller's
phone number into the generated room name — the documented format is
<room_prefix><caller_number><random_suffix>. There is currently no way to suppress
the phone-number component while still getting a unique room per call.

This makes the room name carry PII (the caller's phone number) by default, which is
problematic for any system that logs, exports, or surfaces room names (dashboards,
analytics, webhooks, recordings metadata, support tooling, etc.).

Why this matters

  • Room names frequently end up in logs, metrics labels, recording filenames, and
    third-party tooling that has a different (often broader) retention/access policy
    than the call data itself.

  • Treating the room identifier as PII forces extra redaction/scrubbing infrastructure
    downstream, or pushes teams off the Individual rule entirely.

  • LiveKit's own guidance already discourages encoding caller info in the room name —
    see #450, where @dennwc notes:

    "Although I understand that having information in the room name might sound
    compelling, we usually advocate against it. … Participant attributes … already
    expose all the required information."

    Today the Individual rule does exactly what the maintainers advocate against, with
    no opt-out. The canonical data (sip.phoneNumber, sip.trunkPhoneNumber) is already
    available via participant attributes, so the number does not need to live in the room
    name.

Proposed solution

Add an opt-in flag on SIPDispatchRuleIndividual (and optionally
SIPDispatchRuleCallee) to omit the caller number from the generated room name while
preserving per-call uniqueness via the random suffix. For example:

message SIPDispatchRuleIndividual {
  string room_prefix = 1;
  string pin = 2;
  bool no_randomness = 3;
  bool omit_caller_id = 4; // when true: room name is <room_prefix><random_suffix>, no phone number
}

Resulting room name with omit_caller_id = true: <room_prefix><random_suffix>
(no PII; still unique per call). The caller/callee numbers remain available through
participant attributes as they are today.

Alternatives considered

  • Explicit dispatch / createSipParticipant with a self-generated room name. This
    works and is our current fallback, but it requires bypassing the dispatch-rule
    auto-creation path and reimplementing room minting, which is exactly the convenience
    the Individual rule is supposed to provide.
  • hide_phone_number — this controls the participant identity, not the room name,
    so it does not address this.

References

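The downstream scrubbing that the issue says operators are pushed into, sketched as an added example (not part of the original issue and not LiveKit code): it rewrites Individual-rule room names in log text so the caller number is replaced by a keyed pseudonym while the random suffix is kept. The optional `_` separators around the number, the `call-` prefix, the key and the log lines are assumptions constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed demo key; in practice this comes from a secret store. Phone numbers
# have a small keyspace, so an unkeyed hash could be reversed by enumeration.
DEMO_KEY = b"constructed-demo-key"


def pseudonym(number: str, key: bytes) -> str:
    """Stable keyed tag for a caller number ('+' stripped so both forms match)."""
    digits = number.lstrip("+")
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:12]


def scrub_room_names(text: str, room_prefix: str, key: bytes) -> str:
    """Replace the caller number inside Individual-rule room names in `text`."""
    # Assumed layout: <room_prefix>[_]<caller_number>[_]<random_suffix>.
    # \d{7,} is greedy on purpose: with no separator it may also swallow leading
    # digits of the suffix, which over-redacts rather than leaking the number.
    pattern = re.compile(re.escape(room_prefix) + r"(_?)(\+?\d{7,})")

    def repl(m: re.Match) -> str:
        return f"{room_prefix}{m.group(1)}caller-{pseudonym(m.group(2), key)}"

    return pattern.sub(repl, text)


# Constructed log lines (not real LiveKit output).
SAMPLE_LOG = [
    'level=info msg="room started" room=call-_+15105550100_jWC5ZmXRYCwA',
    'level=info msg="egress file" path=rec/call-_+15105550100_Qp7LmZ2a.ogg',
    'level=info msg="room started" room=call-_+442079460000_k3TnB8xW',
    'level=info msg="participant joined" identity=agent-7',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scrub_room_names(line, "call-", DEMO_KEY))
```

The same caller maps to the same tag across rooms, so per-caller correlation in logs survives redaction; rotating the key breaks that linkage.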