We have a chatgpt plugin, we were able to protect our API by whitelisting chatgpt IP range
The openapi.yaml and manifest.json files are located on AWS S3, if we only whitelist ChatGPT IP range from S3, ChatGPT will no longer be able to call our APIs.
We tried whitelisting only their user-agent instead, but that didn’t work either
Is it possible to restrict access to those files?
Yes and no.
The JSON file is supposed to be public and ChatGPT framework offers no mechanisms to protect it. IP filtering is unreliable because no cloud-based services will offer you the IP ranges as a security mechanism.
The OpenAPI.yaml is protected if you use the the service level or OAuth. Read OpenAI Platform if you haven’t.
Just a friendly reminder. You would have to serve the OpenAPI.yaml dynamically, of course. A static file cannot be protected easily.