How to secure create/update/delete Actions for trusted users?

I am currently using Bearer Token but I believe this issue applies to others (OAuth) as well. What I learned from customizing GPT is you supplied the key and it will just do the Auth: Bearer when talking to the server. But the problem is that GPT itself doesn’t authenticate the human user (does it, can it?).

The scenario is I want to protect create, update, delete Actions for everybody except a few trusted ppl. A “hack” is to put a passphrase in the instructions and ask GPT to request this whenever some destructive actions are provoked.

I don’t believe this is secure as GPT can be hacked/jailbroken to divulge this with some malicious prompt.

Anyone have run into this? and solved it without such workaround, I don’t want to even consider a more obfuscated version of the same thing. GPT should know who the user is, at least internally, it will be the openai account credentials. But I don’t see we can access this?

I now suspect OAuth should do this. But if anyone know this isn’t true. please help.

Yes, OAuth is the way to go. Similar to Plugins:

You can add Oauth2 authentication and secure your api’s if you wish to protect them based on user id.

I have created an open-source boilerplate for Oauth2 here GitHub - Anil-matcha/GPT-Auth: GPT Auth provides a user-friendly solution to quickly setup oauth for your custom GPT and self-host it. if you wish to get started

OAuth is the way to go. The integration is fairly simple if you are able to build the necessary flow in your app. Here is an example on how to do build OAuth GPT with laravel.