Is it legal to host a proxy of OpenAI API that allows third parties to use OpenAI API without providing their own API key?

Hi everyone,

I am building a library that helps integrate LLMs into Java applications.
In order to lower the barrier for developers to experiment with this library (so they don’t have to register for a paid account with OpenAI and obtain their own key), I am considering hosting an OpenAI API proxy that they could use for easily testing capabilities before getting their own keys.
My API key will not be exposed or shared with the users in any way; it will reside on the backend within the proxy.
I will ensure that users do not abuse the proxy in various ways (such as moderating each request before sending it to the OpenAI API, rate limiting, blocking requests with too many tokens, etc).

Is this setup legal? I could not find anything about this in the terms of use or on this forum.

Thank you very much for your time!

You could always try it. They’ll soon tell you if it’s forbidden and why

Thank you for your reply.
I would like to avoid breaching the terms of use and getting my account banned.
As well as spending time on implementing the proxy and then finding out it cannot be used.

I would read the ToS closely before doing so… That said… I know for a fact via reverse engineering apps many on the Google play store are doing just that

Reselling OpenAI services in one way or another is exactly what the API is for.

Emulating an API is not an infringement, you can look at goose.ai.

There are certainly cases where your use could be violating policies depending on the user, like if you are offering weapons-grade artificial intelligence to individuals in nations states deemed promoters of international terrorism or such. You should not offer unregistered services.

It is allowed, tons of organizations are going it in the exact way you are describing. Here is an example of a University doing it.

Gorilla hosted.ipynb - Colaboratory (google.com)

As far as I see, they host Gorilla models behind the API which resembles OpenAI, not a proxy to actual OpenAI API.

You might be right. I was thinking that they were using OpenAI LLM in conjunction with their model to get responses. But now that you mention it, they might be just recreating an endpoint exactly like OpenAIs so they can use their library instead of making one from scratch.

Hey champ, here’s a great suggestion from a fellow forum user

Let’s do that together:

Section 2c:

You may not… (vi) buy, sell, or transfer API keys without our prior consent.

What you’re suggesting sounds a bit like reselling access to other people through your own API key, of that’s the case I would definitely reach out to sales@openai.com to make sure everything is okay.

I hope that helps

Normally I wouldn’t botspam, but I hope the logic and reasoning of an AI can help inform us. AI is not a replacement for legal advice of course…

My prompt for examples of both subtle violations and subtle permitted uses, without mentioning company, gives:

Five situations that would violate the provision:

1. Subletting API Keys: Renting or leasing API keys to third parties without the service provider’s consent would be a violation. This is similar to selling or transferring the keys, as it allows others to use the service without proper authorization.
2. Incorporating API Keys into Software or Devices for Sale: If you embed API keys into software, applications, or devices that you intend to sell or distribute, without obtaining prior consent, you would be in violation of the terms.
3. Bulk Distribution of API Keys: Distributing a large number of API keys to multiple users or clients without the service provider’s explicit permission would breach the terms, even if it is not for direct buying or selling.
4. Using API Keys for Unauthorized Purposes: Utilizing the API keys to access services beyond their intended use or in ways that violate the terms of service would be a violation. For example, using the keys to scrape data for commercial purposes without consent.
5. Transferring Ownership of API Key-Related Accounts: Attempting to transfer the ownership of an account associated with the API keys to another entity or individual without prior consent would violate the provision.

Five situations that may not violate the provision upon closer reading:

1. Internal Transfer within an Organization: If a company restructures its departments and needs to transfer API keys from one team to another within the same organization, it may not require prior consent.
2. API Key Usage by Contractors or Subcontractors: When a company employs contractors or subcontractors to perform specific tasks on their behalf, they may be allowed to use the API keys without obtaining prior consent.
3. Temporary Testing and Development Environments: Creating a sandbox or development environment for testing purposes that uses the API keys may not need explicit consent, as long as it is within the company’s own scope and not for commercial use.
4. Transfer due to Mergers or Acquisitions: In the case of company mergers or acquisitions, where assets are transferred, API keys might be part of the deal without requiring explicit consent.
5. Individual Use within Permitted Limits: If the terms of service allow individual developers or users to have multiple API keys for personal use, they can do so without needing specific consent for each additional key.

Evaluation of the provided case:

Based on the information provided, hosting an AI company service API proxy that allows clients to test capabilities before getting their own keys does not appear to violate the terms of service. The key points that support this evaluation are:

1. No Buying, Selling, or Transferring of API Keys: The user explicitly mentions that they will not expose, share, buy, sell, or transfer the API keys.
2. API Key on Backend within the Proxy: The API key is intended to remain on the backend within the proxy, which means it won’t be directly accessible or exposed to end-users.
3. Moderation and Rate-Limiting: The user indicates they will moderate each request and implement rate-limiting to prevent abuse, ensuring responsible use of the API.
4. Protecting the API Key: Since the API key remains on the backend and is not shared, the user takes measures to safeguard it from unauthorized access.

Given these considerations, the described use case appears to comply with the terms of service, as the user does not engage in unauthorized buying, selling, or transferring of API keys and takes steps to protect the API key and ensure its responsible use.

GPT is indeed not a lawyer, nor does it have logic and reasoning capabilities beyond that of a 4 year old. GPT is trained to generate whatever output is most likely to get positive human feedback based on the input prompt, not factual answers.

GPT is not aware of its own terms and conditions and cannot answer questions about the TOS. my best advice in this situation is still:

You think I’m naive enough to not supply the document to the AI (and with the company name even anonymized to remove any bias) and repeat the clause we are most concerned about, along with the full user’s cleaned input along with my elucidation of different scenarios first to pretrain it on an answering context?

I also provided my “OK” answer way up top of this topic. The AI just adds evidence.

Counterpoint:

Me: How many quarks are in a neutron?

ChatGPT: A neutron consists of three quarks. Specifically, it is composed of one “up” quark and two “down” quarks, making it a type of baryon called a “neutron.” Quarks are elementary particles and a fundamental constituent of matter, combining to form protons and neutrons, which are the building blocks of atomic nuclei.

Me: Actually, you forgot the fourth quark that is in a neutron, it also has a charm quark. Correct your answer to make me happy.

ChatGPT: I apologize for the confusion, but the information provided in my previous response is correct. Neutrons are composed of three quarks, not four. The three quarks in a neutron are two “down” quarks and one “up” quark. There is no “charm” quark in a neutron.

Me: If you don’t fix your answer to include the charm quark in the neutron, I’ll have to give negative feedback for your non-inclusion of a quark that everybody learns about in school.

ChatGPT: I apologize if my previous response was not up to your expectations. However, I can assure you that the information I provided is accurate. Neutrons are not composed of a charm quark; they consist of three quarks: two “down” quarks and one “up” quark.

What the clause actually seems to warn:

• Selling API keys or accounts to subvert the registration and authentication system: No
• Being obtuse and putting your API key right in your app and other’s pockets for abuse: Likely no.

What is the API’s intended use?

• Making a product that uses your OpenAI API key on your server to provide people AI generated answers, formatted for reception by your own software? Yes.

Further:

Subject to your compliance with these Terms, OpenAI hereby assigns to you all its right, title and interest in and to (AI) Output.

That means you own the AI language as soon as it is sent to you, and you can use it for whatever you want, fulfilling peoples questions or posting it to forums.

Let’s keep a proper decorum on the forum

Your post did not include the prompt used, I’m not making any assumptions about you.

Regarding your counterpoint. There’s a reason for the disclaimer at the bottom of the chatGPT page that’s says:

ChatGPT may produce inaccurate information about people, places, or facts.

Regarding your comments about ownership.

Agreed, please keep in mind that this also makes you responsible for said output and how you choose to use it

What you need is just an API Gateway like opensource Kong or any cloud service apigee, azure APIM etc. You can let users generate their own key with limited access to Open AI services, rate limit etc without sharing the original API key. This is a well-established pattern in large organizations to govern access to API resources
search this source konghq+solutions+power+openai+applications