I’m not a bot, just fast.
It would be really impressive if it was a bot answer though.
You wrote that,
Which reads to me that while the API key is not hard-coded into your app, your app is retrieving it in order to make the API call from the users’ devices.
This is inherently unsafe.
The API key should never leave your control.
```mermaid
sequenceDiagram
participant Client as iOS App Client
participant Your_Server as Your Server
participant OpenAI_API as OpenAI API Server
Client->>Your_Server: Draft and Send message
Your_Server->>OpenAI_API: Forward message
OpenAI_API->>Your_Server: Generate and Return response
Your_Server->>Client: Forward response back to client
```
Your API key should only ever be communicated between your server and OpenAI’s server. If you ever send it to a client it will, with near-certainty, become compromised.
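The relay shown in the diagram, as an added example that is not part of the post above: a minimal server-side handler that reads the key from the server's environment, accepts only the message text from the client, forwards it upstream, and returns only the assistant's reply. The upstream URL, model name and message-length cap are assumptions, and `make_fake_upstream` is a constructed stand-in for OpenAI so the code runs offline.

```python
import json
import os
import urllib.request
from typing import Callable

OPENAI_URL = "https://api.openai.com/v1/chat/completions"  # assumed upstream endpoint
MAX_MESSAGE_CHARS = 4000  # assumed per-request cap on client input


def load_api_key() -> str:
    """Read the key from the server's own environment. It is never sent to the client."""
    key = os.environ.get("OPENAI_API_KEY")
    if not key:
        raise RuntimeError("OPENAI_API_KEY is not set on the server")
    return key


def is_acceptable_message(message) -> bool:
    """Basic input validation on the only field the client controls."""
    return isinstance(message, str) and bool(message.strip()) and len(message) <= MAX_MESSAGE_CHARS


def build_upstream_request(message: str, api_key: str) -> dict:
    """Build the request the server sends to OpenAI. The client never sees this
    structure; only the message text originates from the device."""
    if not is_acceptable_message(message):
        raise ValueError("message rejected")
    return {
        "url": OPENAI_URL,
        "headers": {
            "Authorization": f"Bearer {api_key}",
            "Content-Type": "application/json",
        },
        "body": json.dumps({
            "model": "gpt-4o-mini",  # assumed model name
            "messages": [{"role": "user", "content": message}],
        }).encode(),
    }


def http_upstream(req: dict) -> dict:
    """Real transport: POST to OpenAI using only the standard library."""
    r = urllib.request.Request(req["url"], data=req["body"], headers=req["headers"], method="POST")
    with urllib.request.urlopen(r, timeout=30) as resp:
        return json.loads(resp.read())


def relay(message: str, api_key: str, upstream: Callable[[dict], dict] = http_upstream) -> dict:
    """Server-side handler for one client message. The upstream response is reduced
    to the assistant text, so headers, the key and raw error bodies never reach
    the device."""
    req = build_upstream_request(message, api_key)
    resp = upstream(req)
    try:
        text = resp["choices"][0]["message"]["content"]
    except (KeyError, IndexError, TypeError):
        return {"error": "upstream response malformed"}
    return {"reply": text}


def make_fake_upstream(log: list) -> Callable[[dict], dict]:
    """Constructed stand-in for the OpenAI server, used for offline testing.
    It records what the relay would have sent and returns a canned reply."""
    def fake(req: dict) -> dict:
        log.append(req)
        return {"choices": [{"message": {"role": "assistant", "content": "hello from upstream"}}]}
    return fake


if __name__ == "__main__":
    # Stand-alone demo against the fake upstream; swap in load_api_key() and the
    # default http_upstream when deploying behind your own authenticated endpoint.
    sent = []
    print(relay("What is the capital of France?", "sk-constructed-demo-key", make_fake_upstream(sent)))
```

The design point is the boundary: the device sends a message and receives a reply, and the `Authorization` header exists only inside the server process. Put this handler behind whatever authentication your app already uses for your own backend, so the relay itself cannot be used anonymously.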