Stream a recording (signed-URL target)
The target of the 302 redirect from GET /calls/{callId}/recording.
You normally never construct this URL yourself — follow the redirect.
Auth is the signed token in the query string (HMAC-signed,
~15-minute expiry), not the Authorization header. Because a signed
link can outlive a kill switch, the issuing key and app are
re-validated on every request: key not revoked, app active, BAA still
signed, and the practice grant (with recordings:read) still present.
Revoked or ungranted access returns 401/403/404 even for an
unexpired token.
On success the audio bytes are streamed through server-side
(Content-Type: audio/mpeg, Cache-Control: private, no-store) —
the raw storage URL is never exposed. Expired tokens return
401 token_expired: request a fresh link via
GET /calls/{callId}/recording.
Query Parameters
Signed recording token issued by GET /calls/{callId}/recording.
Response
The recording audio.
The response is of type file.