API key permissions not working correctly

I am organisation owner/admin. In https://platform.openai.com/settings/organization/api-keys I created a new key, gave it permissions I require, but the permissions do not work.

Requests from the new key I created with the correct permissions fail every time with an insufficient permissions error (detail below).

We have an old key which actually has less expansive permissions which works with the exact same request script. Screenshots:

New key permissions which don’t work:

image523×963 20 KB

Old working key permissions:

image536×956 19.2 KB

When I run this test script with the old key, I get the expected response:

from openai import OpenAI

import os

# OpenAI API test

client = OpenAI(

    api_key=os.environ.get("OPENAI_API_KEY"),

)




chat_completion = client.chat.completions.create(

    messages=[

        {

            "role": "user",

            "content": "Say it's working!!!!",

        }

    ],

    model="gpt-4o-mini",

    temperature=1

)

chat_completion_message = chat_completion.choices[0].message.content

print(chat_completion_message)

When I run the exact same prompt with the new key, despite it having the exact same permissions for that endpoint, I get this error:

AuthenticationError: Error code: 401 - {‘error’: {‘message’: “You have insufficient permissions for this operation. Missing scopes: model.request. Check that you have the correct role in your organization (Reader, Writer, Owner) and project (Member, Owner), and if you’re using a restricted API key, that it has the necessary scopes.”, ‘type’: ‘invalid_request_error’, ‘param’: None, ‘code’: None}}

Hi and welcome back!

Have you seen this topic where a related issue has been discussed?
I believe this problem could also be caused by the UI/UX.

wow…yes that worked. I would never have guessed the problem was a UI design issue at https://platform.openai.com/settings/organization/api-keys

In other words for anyone who encounters this issue and finds this post, if you do this:

set all model capabilities to ‘request’ by hitting here:

image666×145 6.05 KB

and then turn off the ones you don’t want (e.g. like this I’ve turned off moderations:

image511×403 11.1 KB

then it works.

Given the initial error response mentioned an option which isn’t under the heading ‘model capabilities’, I suspect this works because initially setting model capabilitites to ‘request’ sets that hidden item to ‘request’, so that when you turn off the ones you don’t want and model capabilities goes back to ‘mixed’, you have changed the problematic item even though the UI looks exactly the same after the change as it did in my initial screenshot of the broken config.

Specifically, I think model.request is the hidden item given that’s what the error message said this key didn’t have permissions for until I changed ‘model capabilities’ to request, then turned off the ones I don’t want.

For the avoidance of doubt, the UI looks exactly the same now as it did when the config was broken. It’s just the hidden item that has changed.

Wow.

I’m glad that worked!
Will ping the team to get this fixed.

thank you. There’s never just 1 cockroach so if they find that model.request is in fact secretly toggled on by setting model capabilities to “request”, they should check for other items which may unintentially be set to request by that action. You wouldn’t want keys being allocated permissions the user didn’t ask for…