Connecting Custom GPT Action to Youtube Data API with API Key Not working - Failure to pass Key to YT Data API with schema

Hello,

I have been trying to do some basic testing using the Edit Actions in a GPT and creating a simple schema. I have generated an API key with Google, loaded it in the Authentication as an API Key, and tested it. Every test fails with a reference to an authentication error. I have tried to update the schema multiple ways, but no matter what I do, the custom GPT is not attempting to send the key with the request, causing the failure. I appreciate any hints as to what I am missing here!

Here is the Schema I am trying to test

openapi: 3.0.0
info:
title: YouTube API
version: v3
description: YouTube Data API allows for integration with YouTube to manage content, retrieve data, and interact with channels and videos.
servers:

  • url: https://www.googleapis.com/youtube/v3
    description: YouTube API server
    paths:
    /search:
    get:
    summary: Search YouTube content
    operationId: youtubeSearch
    parameters:
    - name: part
    in: query
    required: true
    schema:
    type: string
    - name: q
    in: query
    required: false
    schema:
    type: string
    - name: maxResults
    in: query
    required: false
    schema:
    type: integer
    - name: key
    in: query
    required: true
    schema:
    type: string
    responses:
    ‘200’:
    description: Successful response
    content:
    application/json:
    schema:
    $ref: ‘#/components/schemas/SearchResponse’
    components:
    schemas:
    SearchResponse:
    type: object
    properties:
    items:
    type: array
    items:
    $ref: ‘#/components/schemas/SearchResultItem’
    SearchResultItem:
    type: object
    properties:
    id:
    type: string
    title:
    type: string
    description:
    type: string

This article looks somewhat similar.

When my limit expires, I’ll try using a hard-coded URL with the key. It seems to go against using the API Key Authentication Setting if I have to hard code the key in the URL.

ok, after testing multiple multiple multiple times I think the issue is within the GPT configuration itself. It is going bonkers filling in everything BUT the API Key I save under Authentication. It even pulled a Key from nowhere (this very same issue is referenced in this YouTube video I watched to try to get some help https://www.youtube.com/watch?v=6P6MQ_j73mI ).

Here are some sample responses I get where the GPT is populating “key” with random things

Crown Chakra

[debug] Calling HTTP endpoint

{ “domain”: “googleapis.com”, “method”: “get”, “path”: “/search”, “operation”: “youtubeSearch”, “operation_hash”: “6eb6e97058392c99df300da3c288370122887e9c”, “is_consequential”: false, “params”: { “part”: “snippet”, “q”: “test”, “maxResults”: 5, “key”: “test_key” } }

That one populated it with test_key

Crown Chakra

[debug] Calling HTTP endpoint

{ “domain”: “googleapis.com”, “method”: “get”, “path”: “/search”, “operation”: “youtubeSearch”, “operation_hash”: “5bcff4e32a4e86c0d3d4e22a726432fa4c372abf”, “is_consequential”: false, “params”: { “part”: “snippet”, “q”: “latest music videos”, “maxResults”: 5, “apikey”: “YOUR_API_KEY” } }

This one updated with Yout_API_KEY

[debug] Calling HTTP endpoint
{
“domain”: “googleapis.com”,
“method”: “get”,
“path”: “/search”,
“operation”: “youtubeSearch”,
“operation_hash”: “6eb6e97058392c99df300da3c288370122887e9c”,
“is_consequential”: false,
“params”: {
“part”: “snippet”,
“q”: “latest technology news”,
“maxResults”: 5,
“key”: “AIzaSyB0Lj-OSoQVDrqkG6rWv6LjYUkQfMlV4Uk”
}
}

This one has an API Key that only GPT knows where it came from. Don’t worry, it doesn’t work (at least for Youtube Data API calls)

Where do I go in the documentation to learn more about how this runs?
https://platform.openai.com/docs/api-reference/authentication ?

There is no reference to Custom GPT actions anywhere in the documentation I found.

OpenAI, please update your documentation. There is not enough info about building custom actions, and that youtube host and I have spent hours trying to figure it out. We appreciate any help!

For what it is worth, I am able to get the GPT builder to make the API call successfully. Also in troubleshooting with the GPT Builder, I was able to confirm the correct API key is stored in the action authentication correctly. Something about actually running the GPT is not successfully passing the API Key. Strange, is anyone else able to get it to work?

It just pulled another random API key in testing that has nothing to do with my project. I think there may be an API key leak going on. I’ll try to open a ticket.

Is anyone successfully connecting to an API using an API Key? I appreciate any feedback.

I just created a new action to pull stock data and this same issue is occurring.

Crown Chakra

[debug] Calling HTTP endpoint

{ “domain”: “api.stockdata.org”, “method”: “get”, “path”: “/quote”, “operation”: “getStockPrices”, “operation_hash”: “27a8488576865981134d18f1f92c1e76508ef8f0”, “is_consequential”: false, “params”: { “api_token”: “YOUR_API_TOKEN”, “symbols”: “DJIA” } }

I tried using the Experimental Action GPT per documentation and configured the action exactly as required.

https://platform.openai.com/docs/actions/getting-started

When I ping the key directly to the bot the calls work, but it will not reference the API key stored in the GPT.

As always, appreciate the help or confirmation from others that this issue is present for exposure :+1:

open-air Support reply to my informing them of this issue.

This issue is still live and was posted about 2 months ago. Ery easy to demo of anyone has interest. Potential api keys being leaked so security risk. Please reply!

(Note I also informed them of the white on white text on the drop down menu when selecting a setting on the customgpt.

Does anyone else thing the 10k limit to engage sounds arrogant? Tis is the second time I have received this type of response and shared my feelings about it. Duly noted :+1:

Hello,

Thank you for reaching out to OpenAI support for bringing the issue with the incorrect API key associated with your GPT and white background on the drop down to our attention. We are glad to hear that the issue was resolved upon entering the correct API key. Rest assured, we have noted this matter and will conduct a thorough internal review to better understand and prevent such occurrences in the future.

Additionally, we gently suggest you to refer to this article for a comprehensive understanding for best practices for API key safety. We apologize for the inconvenience this may have caused.

Furthermore, we are currently not engaging in partnerships, if you’d like to get started on a self-serve basis, like many of our enterprise clients, treat this email as your compass towards becoming fully production ready. If you’re anticipating a spend upwards of $10,000 per month, please reach out via our sales contact form.

Kickstarting your journey: after registering, our detailed guide will assist you in becoming production ready. It covers all the essentials, from configuring a payment method to optimizing your service for production. To learn more about our API pricing, please click here.

Exploration and innovation: if you’re pondering the possibilities of what you could create or seeking guidance on how to do it, our application guides and cookbooks are a wealth of resources to get your creative juices flowing.

Security and compliance: for ensuring your application’s compliance, we recommend referring to our robust security practices and our trust and compliance portal. You will find our most current and comprehensive documentation there, providing you with all the tools necessary for your reviews.

Supporting you along the way: should you have any queries or require further assistance, don’t hesitate to reach out. Our dedicated support team is ready to help. You can contact us through our help center.

We trust this information addresses your concern. Should you have any additional questions or need further assistance, please don’t hesitate to contact us. We’re here to help!

Warm regards,
Genesis
OpenAI Support

I have the same issue i guess. I’m using a CustomGPT and developed a small API with FastAPI. On Postman it’s running with ease. But the GPT is always failing to connect. It doesn’t send anything to the endpoint, because on my API-Server i don’t see any incomming Request.

I could make it run few days ago without API-Key. No I secured one Endpoint with API-Key and configured that also in the Action-Builder.

That’s the response - it has no param… Should have an access_token send or does Params just show the URL Params and not the Header.
CleanShot 2024-02-01 at 07.40.38

Really can’t make this run…

I’m having the same problem.

Does anyone know how to get the Actions API Key to pass correctly? It is a simple API call, for example: https://gnews.io/api/v4/{endpoint}?apikey=API_KEY

The documentation on: https://platform.openai.com/docs/actions/authentication gives no help at all.

Second day trying, but I cannot get it to work. And I have yet to find a good way to debug it.

I found a youtube video that solved it by putting the API key into the custom instructions, but that seems a really bad way to do it.

Actually got it to work now!

It was enough to write the API key in the description of the schema!

Like this:
openapi: 3.0.0
info:
title: Financial Modeling Prep API
description: Provides access to financial data including company search, stock lists, quotes, financial statements, and more.
version: 1.0.0
servers:

  • url: https://financialmodelingprep.com/api/v3
    description: Main API server
    paths:
    /search:
    get:
    operationId: searchCompanies
    summary: Search over 70,000 symbols by symbol name or company name.
    parameters:
    - name: query
    in: query
    required: true
    schema:
    type: string
    description: Symbol name or company name to search for.
    - name: apikey
    in: query
    required: true
    schema:
    type: string
    description: Your API key is 43xc2kV23r2rwfskfjsdfk

(I’ve changed the API key so dont bother copying it)

I got the idea from this YT video. She does a lots of other change, but only this small change I did above made it work!

Note, that if you share this GPT with others every other user can see and thus use your API key.

This is a bad solution.
I am sorry, but you have to find another way.

1 Like

The proper way to do this for an API key in the query string would be to set it as an enum with only one option.

That said, you should only do that for a GPT you intend to only be accessible for yourself.

If you want to do this the actually proper and secure way, you’ll need to set up an API gateway. I’m planning to write something up about how to do this, but I’ve just not gotten around to it yet because there’s lots of wrinkles to each use case, and I’m not sure how exactly I want to address those.