Api key is compromed all the time

Hello guys,
our api key is compromed all the time, we are changing api key, but then agin it got compromed.

We use a reverse proxy server for requests and do not show the key on the client. The api key has been reissued.

What can be the reason? Is it open ai side?

Is there any way to use only gpt 3.5 api that cost less? or to minimize the risks?

1 Like

Are you storing the key on client side? If it keeps getting leaked, it’s likely your code. If you can give more details, we might be able to help.

1 Like

Draw a network diagram of your application and where all code and data lives and gets deployed/transferred.
If the access key at any point is on a wire that heads towards a user, for any kind of request, then you will get a compromise.
This might be as part of a debugging log, as part of an error message (which can be deliberately provoked by attackers!) as part of downloaded configuration flags, and so on.

If none of that is happening, and you still see compromises, then someone inside your organization is doing it.

graph TD
    subgraph Client ["Client Application"]
        CID[("Customer ID\n(stored in client)")]

    subgraph Server ["Backend Server"]
        OAK[("OpenAI Key\n(stored in server)")]

    subgraph OpenAI ["OpenAI API"]
        API[("API Endpoints")]

    Client -->|Customer ID Token| Server
    Server -->|OpenAI Key| OpenAI

    classDef encrypted stroke-dasharray: 5, 5;
    class Client,Server,OpenAI encrypted;


This is how it should be, there is a good chance it’s not how it is.


Welcome @lysytskao

Also, make sure that you’re not hardcoding the API key in your code and pushing it to GitHub. Even if the code is inaccessible to the client, your API key will be revoked automatically if it’s present in any code on GitHub.

Use environment variables instead.


Yes, we are using best practices by open ai to secure api key, we have a server and we are using https

So this problem is on open ai side!

Yes, we are using best practices by open ai to secure api key, we have a server and we are using https

No one from our organization are using API key

So this problem is on open ai side!

Every time we’ve had our API key revoked it’s been because someone checked it in to GitHub and was found by a code scanner. If you’re storing your keys in something like a . env file make sure it’s in your .gitignore file

Thank you, we will check it out!

1 Like

That is very unlikely.

1 Like

Unfortunately, its open ai problem with api key revokes.

I propose incorporating an option to toggle between GPT-3.5 and GPT-4 models to minimize the impact.

Alternatively, implementing restrictions to ensure the API key is utilized solely by the designated source could mitigate these problems.

Also you can test chatgpt key, not api key, - to see the same problem.

I talk with our Team Lead, and he told me that we are using it.
Unfortunately, the problem is on open ai side((((((

That’s already implemented—in the form of an API key. Do you want an API key for your API key?

it doesn’t work still
, there some another problem on open ai side

Our app relies on an API key, but when it’s revoked, all requests suddenly come from the GPT-4 model within a short span of time.

I have no idea what you’re doing, or what you think you’re doing, but whatever problems you’re having are almost certainly your own doing.

The only thing focusing your attention in OpenAI will do is delay finding the flaw in your process.

Alright, we’ve included the Facebook AI key as an alternative, which eliminates any revocation issues.
What specific information do you need from me to confirm that this is an OpenAI problem?
I’m here to seek a solution or explore other options for utilizing the GPT key without facing revocation. My aim is to find a solution. Given GPT’s superior quality, it’s our preference for serving our customers with GPT.

You could try copying down on paper, instead of copying to clipboard, in case your development PC is compromised and there is maybe regex sniffing your clipboard for sk-…

Or your server has a vulnerability where somene can read the env vars

1 Like

Evidence this is an OpenAI problem to start?

Your entire problem here is instead of looking for what the problem is you’re looking for ways to show it’s not a problem of your own making.

Your API keys are not compromised on OpenAI’s end. Full stop.