Custom GPTs Actions / Sessions / Role authorization (not API Key)

When someone uses Actions in a custom GPT to retrieve information or take actions outside of ChatGPT, and for business purposes, both Session control and Role authorization is a must have.

I’m not talking about API Key or OAuth to access the external API Actions, I’m taking about to know who is the person using your custom GPT and which kind of roles she/he could have to filter out the right data for the right role on the API back-end side. Session control is also required for that.

When the remote API handles sessions, it works well when testing the API from a regular browser test page. But when those Actions are called from a custom GPT, each and every call from the action opens a different session, the custom GPT seems not to track the session cookies.

Additionally to this, in the business data world, delivered data from the external Action to the custom GPT user strongly depends on the logged user/password. It could be very interesting to have a way to ask/prompt custom GPT users their own user identification and to track that in the remote Action.

I think some of us will be using this from a business perspective.

Thanks.

If you configure oauth you can generate a JWT containing their permissions when they log in, and then use that, so that really is the best option for user specific permissions, really.

I already tried to play with it and is not intended to be for that purpose.

The oauth and JWT token is to authorize the custom GPT to access the API, but not to authorize or identify different end user roles when people uses your GPT.

In other words, oauth user/password and JWT statys the same for all persons using your custom GPT and happens in the back-end side, is not intended to be a custom GPT user session identification so each and every person using your custom GPT can enter their custom credentials.

Unless I missed something when I tested this.

You definitely missed something when you tested that, the entire purpose of a JWT is to contain a stateless definition of the user’s identity and permissions, without requiring to maintain a session on the back end.

oauth user/password should be different for each user, and then you configure their permissions which get encoded into the token.

I have an API that uses OAuth, and when the GPT sends me a request containing their JWT, I can access their ID on my back end, and give them the appropriate data in response. It’s honestly what it was designed for, using OAuth with the same user/password for everyone is essentially throwing away all of the benefits of the system.

However, if you don’t want to do that, you could instead give each user their own secret ‘code’ that the GPT asks them for when the conversation starts, and then sends with every request, which the back end can use to filter data appropriately. That seems like a poor decision though, and if you’re talking about business data and role authorization, JWT is the way to go.

2 Likes

First, thank you very much for your help.

Did you tried that using another account, not the custom GPT developer one?

Your statement is right, you enter your credentials (Client ID and Client Secret) in the OAuth parameters when you configure your Action, then you will track the JWT on the API, that is correct.

Now, what happens when you use your custom GPT with other user than yours?.. where is the place to enter a different Client ID and Client Secret for each and every end user that uses your custom GPT?

I tried to use my custom GPT from other account and I have no access to enter any Client ID and Client Secret for that specific person since that is only accessible for the developer of the custom GPT when editing the settings…

Or still missing something sorry.

No need to apologise, security is a confusing topic and took me many years to get my head around.

The client ID and client secret should be the same for all users. They are what verify that the client (ChatGPT in this case) is allowed to send credentials across for the system to authorize. This stops any random system from authenticating via your API, only systems (clients) that you have explicitly given permission to do so, can. That’s the role of the ClientId/Secret, it has nothing to do with the user themselves.

The JWT can contain information about the client that was used to log in (generally that would be the Audience element within the token), however it is not what identifies the user. The token is generated when the user logs in, and will contain their personal information based on how your system generates its JWTs. Usually this will be a unique identifier for that user, along with maybe their name, and generally their permissions as well.

I don’t really want to get into the ins and outs of OAuth JWT here but you clearly misunderstand it, and could maybe ask ChatGPT to explain it to you.

1 Like

I will do that for sure. Thank you very much!

I think I found the issue, I have a bug in my Authorization URL and Token URL, I have to guess that after fixing it, the custom GPT will use Authorization URL and redirection so it should work well. And the I will receive some extra headers in the request with the JWT for each different user.

Hope it will work because it still requires a lot of work on my side since I’m using my own developed OAuth Server.

@callum.bradbury , Did you tested it this way? Worked for you?

Thanks a lot!

Yeah I have my own OAuth server, and it worked fine. Glad to hear you’re sorting it :slight_smile: Each user will be prompted to log in when the GPT makes its first call to your server, then they log in with their credentials and the token gets sent to the GPT. Then it’ll store the JWT and send it with every request the GPT sends to your API, which lets your API know who it’s dealing with.

Let me know if you get it working, always good to hear stories of success!

1 Like

I did my first test, a small test, and worked! I still have more work to do but I got it working basically and also receiving and decoding the JWT on the API side.

Now I have two pending matters, one is to complete the JWT with more information I need in there, but I guess this is just a matter of configuring my OAuth server token generation.

The other thing is the GPT Callback (redirection), when I modify anything on the Action settings of the custom GPT, it changes each and every time the callback address, so I have to go and change it on the OAuth Server settings for my GPT client… is there any trick so that callback URL stays the same, or at least not changing that often during development process?

Thanks in advance.

Hello @JCL @callum.bradbury

I’m experimenting with custom actions and I’m curious to know how you would approach the following use case.

Is there anyway a custom GPT once published can be used by different users with different API keys to talk to an API service?

Currently I was able to access my test API through the API key type authentication with custom header name. I tried todo some prompt engineering to update or replace the API key with user provided but that experiment failed.

@fluxgill

I was trying to do this with API key at the beginning and then I realized it did not work as expected. As @callum.bradbury posted here, and helped me a lot is to user OAuth instead, then you can identify users with User/Password and then get the JWT header in each and every API call with the particular user identification.

I’m new with OAuth but I researched a bit and ended up building my own OAuth server, now is working but still some work to do.

It is not an easy approach since it requires an OAuth server to do the authentication process and your API understanding the server JWT to decode the tokens.

So, if you want to identify users and roles in the Actions of the API, the way to go is OAuth.

Regards.

2 Likes

Thanks for the response @JCL . I’m new to OAuth as well, I might have to spend some time to learn about this before experimenting with OAuth in Custom GPT.

JCL is correct, OAuth is the way to go for user specific interactions with your Actions. Ask ChatGPT about it, it’s really good at explaining the ins and outs of it. Creating an OAuth server might seem daunting but it’s really not that bad once you get your head around it. The good ol’ GPT will be able to guide you along every step (whilst likely misunderstanding and giving some poor advice every once in a while).

2 Likes

@fluxgill , I’m new to OAuth too but in my case the learning curve has been short and the results are great thanks to @callum.bradbury advise. There are also some opensource solutions that you can use and adapt to your needs. Check that way too.

1 Like

Hey @JCL , my actions in gpt are not receiving the jwt token even after implementing everything. Are you still receiving it? If yes, can we please connect and solve my issue?

Yes, it works for me, they a received in the request header.