Hey,
yesterday we started seeing our sora-2 and sora-2-pro API usage skyrocket.
After investigating, we found that our sora-2 credits are being depleted even with all API keys disabled and no “Last used” key being identified for the day.
It seems like this is an issue on OpenAI’s side.
Is there a way to block sora-2 completely from being consumed by API?
View “user keys”, formerly a ‘master organization’ key that could be also assigned to consume from another organization per API call:
https://platform.openai.com/settings/profile/api-keys
Besides clearing them all and leaving a new one never copied out, you also have a setting in the platform site to disable user keys.
Review “people” (aka, team, aka members, etc) https://platform.openai.com/settings/organization/people - anyone there can make usage against your org.
In projects, (where again there is 'disallow user keys", “members”), then go limits to “allow” only models you are calling. For each project. Don’t trust the overview link for API keys, go into each project.
Check archived projects, a place where the abuse might have been happening and then removed from your view.
If you cannot resolve and stop the usage, you must consider your account or app platform compromised, needing full credential reset. Sora-2 on ID verified orgs is an obvious high-value asset to exploit and a high indication that the abuse is intentional.