it’s more involved than that: cert pinning
dumparoo = app_env_simulator.http_open_event.connect(self.state.memory_image)
stolen_key = key_extractor(dumparoo, '''(?i)\b(sk-[a-zA-Z0-9]{20}T3BlbkFJ[a-zA-Z0-9]{20})(?:['|"|\n|\r|\s|\x60|;]|$)''')
A lot of justification to not simply create a backend, where you can track and disable users.
Hi folks – our security team routinely disables API keys that are found to have leaked publicly. This is to both protect your account and protect our services (though we understand it can be a frustrating experience).
We call this out on the API key management page:
Do not share your API key with others, or expose it in the browser or other client-side code. In order to protect the security of your account, OpenAI may also automatically rotate any API key that we’ve found has leaked publicly.
We have a help article to help folks understand how to manage API keys securely:
https://help.openai.com/en/articles/5112595-best-practices-for-api-key-safety
Some of our systems will send a notification email when this occurs, but we are not sending it out in all cases. I’ll work with the team to ensure we are sending notification emails 100% of the time.
Sounds great. Notifications and emails would be helpful (or perhaps even some forewarning so we have some time to prepare to do the admin). I understand if a middleware backend is required to track and disable users for security purposes, but not knowing if an API key has been deleted could result in an outage at a very inopportune time. Thank you.
Can’t be said enough. Don’t ship keys with your apps! You are asking for trouble when you do that.
No matter how fancy you think your frontend encryption is, if the key is accessed in raw form at any point in your app, it can be stolen.
Keep your keys on your server! Doing servers wrong is also another recipe for disaster.
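The server-side pattern the post above argues for, as an added example that is not code from the thread or from OpenAI: the real provider key lives only in the backend's environment, clients get a per-user token that the backend can revoke or rate-limit, and the upstream call is made by the server. The upstream transport is an injected `send` callable (a constructed stand-in here; in production it would be an HTTPS request), and the key placeholder, the `Backend` class and its payload shape are all assumptions of this example.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# The provider key is read from the server environment only; it is never
# compiled into a client build. The default is a constructed placeholder.
UPSTREAM_API_KEY = os.environ.get("UPSTREAM_API_KEY", "sk-PLACEHOLDER-server-side-only")


@dataclass
class UserRecord:
    token_hash: str            # only a hash of the per-user token is stored
    disabled: bool = False     # flipped by disable_user(); the key itself never changes
    requests: int = 0          # requests seen in the current one-minute window
    window_start: float = field(default_factory=time.time)


class Backend:
    """Gateway that owns the upstream key and fronts it with revocable user tokens."""

    def __init__(self, send: Callable[[dict, dict], dict], per_minute: int = 60):
        self._send = send                 # transport to the upstream API (injected)
        self._per_minute = per_minute     # simple per-user rate limit
        self._users: Dict[str, UserRecord] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_token(self, user_id: str) -> str:
        """Create a fresh random token for a user; the plaintext is returned once."""
        token = secrets.token_urlsafe(32)
        self._users[user_id] = UserRecord(token_hash=self._hash(token))
        return token

    def disable_user(self, user_id: str) -> None:
        """Cut off one user without touching the upstream key or other users."""
        if user_id in self._users:
            self._users[user_id].disabled = True

    def _authenticate(self, user_id: str, token: str) -> Optional[UserRecord]:
        rec = self._users.get(user_id)
        if rec is None or not hmac.compare_digest(rec.token_hash, self._hash(token)):
            return None
        return rec

    def handle(self, user_id: str, token: str, prompt: str) -> dict:
        """Validate the client, enforce the limit, then call upstream with the server's key."""
        rec = self._authenticate(user_id, token)
        if rec is None:
            return {"status": 401, "error": "unknown user or bad token"}
        if rec.disabled:
            return {"status": 403, "error": "user disabled"}
        now = time.time()
        if now - rec.window_start >= 60:
            rec.window_start, rec.requests = now, 0
        if rec.requests >= self._per_minute:
            return {"status": 429, "error": "rate limit exceeded"}
        rec.requests += 1
        headers = {"Authorization": f"Bearer {UPSTREAM_API_KEY}"}  # key attached server-side only
        body = {"input": prompt}  # hypothetical payload shape
        return {"status": 200, "result": self._send(headers, body)}


def fake_upstream(headers: dict, body: dict) -> dict:
    """Constructed stand-in for the provider: confirms the key arrived, echoes the input."""
    return {"saw_key": headers.get("Authorization") == f"Bearer {UPSTREAM_API_KEY}",
            "echo": body["input"]}


def demo() -> list:
    """Walk through issue, call, wrong token, disable and rate limit; returns the status codes."""
    backend = Backend(fake_upstream, per_minute=2)
    tok = backend.issue_token("alice")
    codes = [backend.handle("alice", tok, "hello")["status"],      # 200
             backend.handle("alice", "not-the-token", "x")["status"],  # 401
             backend.handle("alice", tok, "again")["status"],      # 200 (2nd in window)
             backend.handle("alice", tok, "third")["status"]]      # 429
    backend.disable_user("alice")
    codes.append(backend.handle("alice", tok, "after")["status"])  # 403
    return codes


if __name__ == "__main__":
    print(demo())
```

The client never sees `UPSTREAM_API_KEY`; if a per-user token leaks, `disable_user` revokes that one client while the provider key and every other user keep working, which is exactly the control a key shipped inside the app cannot give you.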
Thank you for the update @dschnurr. I fully understand protecting exposed credentials but why would you not notify all users? It would have saved me a massive amount of time. I rarely check to see if my API keys suddenly disappear.
Same with me… I can't even see previous usage and billing, and now the key is missing.
That can indicate a dangerous situation - that someone has gained access to your account, has invited themselves to your organization, and has taken over as owner and demoted you to “reader”. A reader cannot see billing details, even when they are the one that started the organization.
Check members in your account. Ensure that only you are there, and you are “owner”.
You should still be able to see your API keys. The last one cannot be deleted by you.
You could also have gotten yourself banned and won’t be able to log back in if you log out.
Hi!!
Already did that.
I am still the owner and other members I added have disappeared.
Even the API keys I created (2 of them, in addition to the default one) are gone, and I can't see the billing / usage.
Open a new private browser window.
See that you are required to log in again in the private browser window when accessing platform.openai.com or chat.openai.com.
See if you get any account errors shown to you when you attempt to log in, such as “Your account has been disabled”.
Reset your password by going again to the login screen and pressing “forgot password” to get a reset emailed to you.
Note that OpenAI will detect leaked keys that are put into unwanted or unsafe sites or apps, and auto-delete them just as this thread describes. They must be kept secret and not shared with apps, nor perhaps even run within your own IP-switching mobile app. API keys are designed for developers of end user applications that use server infrastructure.
If the account appears damaged yet you can log in and never get any problems using the playground nor other services, you should contact staff via the help.openai.com assistant and let them know the account corruption problems.
Thanks for the response!!
I tried a fresh browser and found the same issue.
One more observation, I had renamed the account from “personal” to my company name “DataVerze”, even that is reversed.
You may have created or be members of multiple organizations. The user interface for this is very unintuitive.
In the upper right menu bar dropdown, there will be your login name. Then below that the organization. There may be multiple organizations you select there, and you must pick the active one for the account, not another where you are only a reader member.
Unfortunately none of that is true.
I am not a member of multiple organizations, and fortunately I come from a developer community, so I have already tried these options.
Hi,
You’ll need to reach out to the account team over on help.openai.com, bottom right hand corner is a bot icon, leave your contact details there and let them know your issue.
Thanks,
Will do the same and hope it gets resolved