Any safe way to have a client-side app talk to OpenAI API directly?

I’m building an app that talks to the OpenAI API. It’s working nicely, and I am now looking at how to roll it out for release.

However, since our app talks to OpenAI directly without our own server as an intermediary, it seems we need to store the API key on the client side (at least after authentication). I don’t currently see a way to do this without risking that one user inspects the memory or network calls, finds the API key, and proceeds to use it for whatever the AI equivalent of bitcoin mining is.

Did I miss something, or is the only safe way to do this to have our own server acting as an intermediary between the client-side app and the OpenAI API?

Anyone have relevant experience here?

Hi!

Good thing you asked!

Your intuition here is correct, putting the API key into your app is a terrible idea.

The bad news is that OpenAI doesn’t offer this service. You need to set up at least a reverse proxy (probably with your favorite cloud provider) to forward requests to OpenAI.

Anyone have relevant experience here?

Typically people have more involved setups that require several backend steps, so that’s typically where the OpenAI connection also lives.

I haven’t tried it (and I’m not endorsing Cloudflare) but CF has a product called AI Gateway that might suit your needs.

If you have a Raspberry Pi at home, that would do the job too. Slap WireGuard on it to protect your identity and you should be good to go.

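The "reverse proxy" the reply recommends, written out as a minimal key-holding proxy. This is an added example, not code from the thread, from OpenAI, or from any product mentioned above. It goes a little beyond a plain forwarder to show why the intermediary is worth having: the client authenticates with a per-user token issued by your own auth system (the `USER_TOKENS` table, the `DAILY_LIMIT` budget, the pinned model name and the `sk-PLACEHOLDER` key are all constructed placeholders), the proxy drops any request fields it does not expect, pins the model, and only then attaches the OpenAI key that lives solely in the server's environment. The endpoint URL and the `Authorization: Bearer` header shape are OpenAI's documented chat-completions interface; everything else is an assumption about how your app is set up.

```python
"""Key-holding reverse proxy: clients never see the OpenAI key.

Flow: client -> (per-user token) -> this proxy -> (server-held API key) -> OpenAI.
"""
import json
import os
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

UPSTREAM = "https://api.openai.com/v1/chat/completions"
# Server-side only; read from the environment, never shipped to clients.
# "sk-PLACEHOLDER" is a constructed dummy so the module imports without the variable set.
OPENAI_API_KEY = os.environ.get("OPENAI_API_KEY", "sk-PLACEHOLDER")

# Constructed examples: tokens your own login flow hands out, mapped to user ids,
# plus a per-user request budget so one leaked *user* token cannot run up the bill.
USER_TOKENS = {"user-token-alice": "alice", "user-token-bob": "bob"}
DAILY_LIMIT = 100
usage = {}  # user id -> requests so far (in-memory for the demo; reset daily in practice)

# Only these client-supplied fields are forwarded; the model is chosen server-side.
ALLOWED_FIELDS = {"messages", "temperature", "max_tokens"}
PINNED_MODEL = "gpt-4o-mini"  # assumption: the app needs exactly one model


def authorize(headers):
    """Return the user id for a valid 'Authorization: Bearer <token>' header, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return USER_TOKENS.get(auth[len("Bearer "):])


def check_quota(user):
    """Count one request against the user's budget; False once the budget is spent."""
    count = usage.get(user, 0)
    if count >= DAILY_LIMIT:
        return False
    usage[user] = count + 1
    return True


def build_upstream_request(client_body):
    """Whitelist client fields, pin the model, attach the server-held key.

    Returns a dict with url/headers/body, or None if the body is not a JSON object.
    """
    try:
        payload = json.loads(client_body)
    except (ValueError, TypeError):
        return None
    if not isinstance(payload, dict):
        return None
    clean = {k: v for k, v in payload.items() if k in ALLOWED_FIELDS}
    clean["model"] = PINNED_MODEL
    headers = {
        "Authorization": f"Bearer {OPENAI_API_KEY}",
        "Content-Type": "application/json",
    }
    return {"url": UPSTREAM, "headers": headers, "body": json.dumps(clean).encode()}


class ProxyHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        user = authorize(self.headers)
        if user is None:
            return self._reply(401, {"error": "invalid or missing user token"})
        if not check_quota(user):
            return self._reply(429, {"error": "quota exceeded"})
        length = int(self.headers.get("Content-Length", 0))
        upstream = build_upstream_request(self.rfile.read(length))
        if upstream is None:
            return self._reply(400, {"error": "malformed request body"})
        req = urllib.request.Request(
            upstream["url"], data=upstream["body"], headers=upstream["headers"], method="POST"
        )
        try:
            with urllib.request.urlopen(req, timeout=60) as resp:
                self._reply(resp.status, json.load(resp))
        except urllib.error.HTTPError as e:
            # Pass the status through but not OpenAI's body, which could echo request details.
            self._reply(e.code, {"error": "upstream error"})

    def _reply(self, status, obj):
        data = json.dumps(obj).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Put TLS in front of this (your cloud provider's load balancer, or a proper
    # reverse proxy) before exposing it; the demo binds to localhost only.
    HTTPServer(("127.0.0.1", 8080), ProxyHandler).serve_forever()
```

The client then calls `http://127.0.0.1:8080/` with its own user token instead of calling OpenAI, and the worst a user who inspects memory or traffic can recover is their own revocable token with its own budget. Cloudflare's AI Gateway or a Pi behind WireGuard, as suggested in the reply, are different places to host the same three responsibilities: authenticate the user, meter them, and hold the upstream key.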