New API Feature Idea: Encrypted API Key Support

Many of you probably have already seen this:

Doesn’t everyone agree that it would be nice if there were a way for browsers to use digital signatures (and/or public key encryption) to sign and encrypt the key sent to services like tldraw, so that these kinds of services can securely call OpenAI on behalf of a user, but without the server itself being able to obtain the API key? The API key would be known only to the web browser itself.

The “Nostr” social media protocol has managed to do this kind of thing: the browser can digitally sign a payload, but the webapp cannot see the crypto key that was used to do the signing.

I actually 100% disagree with this concept, might be a hot take.

But as a computer person with all the artistic skills of a … snake? Or even if I could draw, doing all the fiddly UI bits to make it look nice is just as much work with a pencil as it is with a keyboard… maybe that’s just me.


The point I was making was that the website broke OpenAI’s policy on key sharing to do what they did.

There really, really needs to be a way for API keys to “belong” to individuals rather than companies. The situation right now regarding keys is very sketchy: if OpenAI decides to ban the key a company is using, it shuts down the entire company for all users, when they should actually be punishing individuals, not corporations, for “illegal or immoral requests”.

Ohh, I see, sorry.

Personally I’d rather the API keys were totally obfuscated such that the API can only be accessed by some hidden authentication system. API keys are a liability when they are not treated like cash.

The biggest problem with API keys is that OpenAI can cancel them on a whim, with no explanation given. People are claiming it’s happened. I’m sure OpenAI is attempting to do the correct, moral, and right thing, but at the same time some innocent people are bound to get ground up by the gears of justice.

Nostr (a social media messaging protocol), which I used to support in my platform (Quanta), has a design where your private key (in PKE) is your identity and must be kept secret, and yet you can use a browser plugin to sign messages with your private key, even if the app you’re accessing is some third-party app.

They (Nostr) accomplish this with a simple standard JavaScript object naming convention and method interface that lets the webapp request that a signature be done on a payload (in this case a social media post); the signed message can then be sent around, and everyone can verify via the public key that the message was indeed signed by the correct person. OpenAI could use this technique to allow systems where an API key can be a “Personal API Key” that is associated with a specific person and not with a company.

So I recommend to OpenAI that they keep their current API key as is, but add a new kind of key called “Personal API Key”, that does what I’m describing.