Hi, I keep getting my money spent from API keys that I can’t find in the interface. Some of the chats in the logs are also super inappropriate. I have blocked / deleted all existing keys, set up a new project with new keys, and I still see activity that doesn’t match the new keys.
Can someone please help me, I can’t find any support form, so I’m trying here.
What doesn’t need any keys: The Prompt Playground site.
How can you “see” inappropriate things: the default of “store” being used, or assistants threads.
Who’d be able to get in? Anyone that can discover your login, or can use your authentication method.
Solution: change passwords.
Log out all. (also showing where those user keys are)
When you are forced to log back in, you can choose a forgot password option, and (if it works) have that password change request sent to email if it is an OpenAI password you use.
The pattern doesn’t match, but you can also check “members” of your organization.
You can also check members of your real organization or household, and the time of logged requests.
Or you can be silly: keep putting keys back into an app with a flawed security pattern.
I agree it is silly to add back keys to a broken app. But neither the old nor the new keys are causing the traffic. The API keys that are abusing my money are unknown to me; I have two keys, all the old keys are deleted, and I still see traffic both in logs and in usage from these unknown keys.
Also check if you have conceded access to other members.
Another option is to check your organization activity logs; there you can see if it comes from the playground or another origin (you may have to take a look into both the legacy activity log and the new usage log).
Thank you for the links. I looked and found no other members and no other keys. But what I can see is that the keys that are abusing my money are the old type, not the new longer ones.
Or is it an internal representation that does not reveal API keys but has a “key_1234” pattern, and they all do?
The platform site uses a session token that is logged, not an API key.
Also, your app should have a facility where you can search to see who sent “super inappropriate” content, through either a customer ID portal or the actual API call log, whether it originated in any manner from normal user app input, or by way of getting into your backend sideways.