API Limits & Tracking (Exposed Keys?)

I’ve only used about $10/month in OpenAI API credits since I started testing it. Then suddenly, Soft Limit hit. HARD LIMIT HIT!

My account spent $50 overnight and I panicked. Rushed to my OpenAI account settings but couldn’t find any way to sort or differentiate between API keys so I’ve got absolutely no way of tracking down what may have happened.

A few questions:

(1) Should I delete all my API keys and start fresh, assuming one of my keys was exposed/exploited?
(2) Is it possible a script/bot pummeled a public input field on my site, costing me API credits even though my server/site was never prepared to handle them properly?
(3) Should I limit front-end API activities to logged-in users only?

Implement some very basic API tracking so we can perform a minimal amount of troubleshooting when problems arise. The more the better but ANYTHING would be helpful at this point.

Worth noting: I’m not a developer and ChatGPT helped me write all the code I’ve used for Wordpress plugins and code chunks, so when you boil it all down, I’m expecting most of this to be a user error issue (me).

Thanks in advance for your help!

Hello, I would advise you to create new API keys and go from there. Depending on what your API is being used for you may want to also make it only available for logged in users.

1 Like

Welcome to the community @robj

If you believe your API keys for a particular org are compromised, you should immediately revoke them and then start rotating keys on secured systems.

Never include your keys in the client-side code.

Only logged-in users on your application should have access as stated in safety best practices.


Are you hitting the API on the server side not the front-end? What language is the API code in? PHP or javascript? Sounds like you have a leak somewhere. I would reset all the keys one by one and make sure you have the leak plugged.


I deleted all my keys and eventually found the culprit.

Sadly, I’ve just created new keys and re-submit them into my previous code, but they’re not working. Now I’m wondering:

(1) Does it take time for newly generated API keys to start working?
(2) Are the old APIs deprecated or should they still work?

Annnd I just realized when my billing limit was surpassed, I never changed it.

I just upped it but still getting errors. Guessing that’s got a delay…