Hello, I’m looking to create an app using the completions API. It’s pretty straightforward to get it working with an API key.
But, I don’t want to use my API key for every interaction on this app. I’d rather have the user be able to log in and have every request be on behalf of the user. The only (reliable) method I could think of now is to have a user get an API key themselves and store it somewhere the app could read. Is there any other authentication method that I can use for this?
I’ve noticed a lot of free good-hearted services fail out of fear of sharing an API key. To be fair, I recently witnessed an “Avoid moderations endpoint” tool released that somehow makes GPT vulgar. No surprise when people started noticing their accounts being banned. Some people seem too willing, and others (including myself) too defensive when it comes to the API key.
I would completely support some sort of one-use authentication session instead of an API, which also forces the service to use the moderations endpoint.
User requests key to the hostname, or some unique identifier via OpenAI → User can now use the free product on their own dime using a one-time hashcode with the service → Each completion/entry is forced to carry a moderations hash to confirm that it passed → We now have a safe, secure free service that doesn’t require any useable information, and provides protection against malicious entities
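The flow proposed in the post above, sketched as an added example that is not part of the original thread and not an OpenAI API. The `Provider` class, its method names, the keyword-based moderation stand-in and the hostname `app.example` are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class Provider:
    """Hypothetical provider side of the proposed flow (not a real OpenAI API)."""

    def __init__(self, blocked_terms=("forbidden",)):
        self._key = secrets.token_bytes(32)  # signing key never leaves the provider
        self._grants = {}                    # grant token -> grant record
        self._blocked = blocked_terms        # stand-in for a real moderation model

    def issue_grant(self, user, service_host, ttl=300):
        """User asks for a single-use grant bound to one service hostname."""
        token = secrets.token_urlsafe(32)
        self._grants[token] = {"user": user, "host": service_host,
                               "exp": time.time() + ttl, "used": False}
        return token

    def _receipt(self, token, prompt):
        # The receipt binds the moderation result to this grant and this exact prompt.
        digest = hashlib.sha256(prompt.encode()).digest()
        return hmac.new(self._key, token.encode() + b"|" + digest,
                        hashlib.sha256).hexdigest()

    def moderate(self, token, prompt):
        """Return a receipt tied to this grant and prompt, or None if rejected."""
        if token not in self._grants or any(t in prompt.lower() for t in self._blocked):
            return None
        return self._receipt(token, prompt)

    def complete(self, token, service_host, prompt, receipt):
        """Serve one completion billed to the granting user, or raise."""
        grant = self._grants.get(token)
        if grant is None or grant["used"] or time.time() > grant["exp"]:
            raise PermissionError("grant unknown, spent or expired")
        if grant["host"] != service_host:
            raise PermissionError("grant was issued for a different service")
        if not receipt or not hmac.compare_digest(receipt, self._receipt(token, prompt)):
            raise PermissionError("missing or mismatched moderation receipt")
        grant["used"] = True  # single use: a leaked token cannot be replayed
        return {"billed_to": grant["user"], "text": f"(completion for {len(prompt)} chars)"}
```

The service only ever holds a short-lived, host-bound token and a receipt, so nothing it stores is reusable as a long-term credential.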
@RonaldGRuckus Yeah, I’m very hesitant to share my own key. I know the OAuth2.0 framework supports flows to send requests on behalf of a user. I’ve used it through Microsoft in the past. I guess I was hoping some solution already existed that I didn’t know about.
I was just reading through the post linked above, and I’m wondering if this response was talking about something similar.
The OpenAI API is only accessible using an API key and there are no published plans that anyone knows of for OpenAI to change this policy and authentication method.
Thanks for bringing this up. I hope OpenAI will implement something similar as soon as possible.
Both the ChatGPT and the OpenAI APIs would benefit from an OAuth 2.0 Consent setup. From a developer perspective, onboarding becomes more seamless. From a user perspective, we would have the confidence that we can revoke consent / inspect usage per client.
I would even go further and say this should be the suggested way that third-party applications integrate with OpenAI. As a user, I am already paying for an OpenAI subscription. Why can’t I utilize the same account with different websites / tools?