How to handle user API keys in custom actions

I created a custom GPT action that calls one of my backend services. This service requires the user to provide their API key using an ‘X-Api-Key’ header. I included this in the OpenAPI schema and I also mentioned in the instructions that this header should be populated with the API key that the user provides. However, when my custom action is called, the ‘X-Api-Key’ header is not presented despite the user providing their API key.

Is there some additional configuration that should be done? (I do not want to use OAuth)

This is most likely the result of several security features put in place by OpenAI.

OpenAI does not want API keys for any service to be input into ChatGPT. It is speculated OpenAI continuously trains on ChatGPT conversations to fine-tune the performance of the chat model. They do not want to potentially output someone’s API key for another service in some other chat.

You will need to perform this action another way, or just use OAuth—not entirely sure why you’re against it though.

When a custom GPT is created there is an option to disable “Use conversation data in your GPT to improve our models” so I’m not sure if it would still be a security concern.

I think the issue is that API key authentication is not an option when the user has to bring their own API key.
You can only store your own API key on OpenAI's server.

From the recently updated docs:

Just like how a user might already be using your API, we allow API key authentication through the GPT editor UI. We encrypt the secret key when we store it in our database to keep your API key secure.

This approach is useful if you have an API that takes slightly more consequential actions than the no authentication flow but does not require an individual user to sign in. Adding API key authentication can protect your API and give you more fine-grained access controls along with visibility into where requests are coming from.

I think you will need to find another way. Maybe relay the user’s API key through another server of yours or go via OAuth.

Okay, thank you for the info. I will try and get OAuth set up for my backend service.


This is true. But it requires the builder to change the default and keep it changed.

OpenAI has been skittish about API keys since the beginning though. The models have been conditioned to not repeat back supplied API keys for at least the last several months.
