Open API key on External Services

Dear Community,

I’ve searched for an answer to this question without success, and I hope you can help me.

I’m working on setting up a service that utilizes OpenAI’s language models (like gpt-3.5, gpt-4, etc.). The service would require users to input their unique OpenAPI key into our platform, specifically on their account page.

However, I found in the terms and conditions that users are not supposed to use their OpenAPI keys elsewhere, such as on other websites or public forums.

I’m not sure how to comply with this rule. How are other businesses creating services using OpenAI when they can’t use their own API key? Especially since the cost of using the API depends on each individual user, and the OpenAPI keys are limited to 25.

I know that many businesses in various industries must have similar needs. For example:

  • In healthcare, a private company might use vast amounts of confidential health data and OpenAI to build a custom service. Users would pay both OpenAI for access and the private company for the use of the data.

This could apply to other sectors as well, where private companies might charge for their data while also using OpenAI’s models. Users would then pay for both the OpenAI access and the specific services provided.

I’m looking for advice and guidance on how to achieve this within the terms and conditions. Any help would be greatly appreciated.

Thank you!

1 Like


When you sell a service built on top of OpenAI’s endpoints, it’s expected that it all goes through your API key; you then build a suitable charging structure so that your customers pay you for their usage, typically at a higher amount than you pay OpenAI.

API keys are not for end users; they are for companies to create products with. Sure, they do get used by non-business users for all kinds of reasons, but that is not their primary purpose.

To ensure that your users do not break any of the terms of use, you can pass their requests through to the moderation endpoint and check for violations. You should create your own moderation levels, let your customers know what is expected of them, and handle any that abuse the service.

Hope this helps.


@Foxalabs thanks for your quick reply and valuable insight. Yes, I had that as a second option. The main issue is that if, god forbid, 1 or 2 users use it in a way that goes against the terms (even with moderation), your account gets banned and poof, business goes to 0. So that is my primary concern.

The second concern is: how would you achieve a pricing structure without knowing what each user is using/spending? For example, User A might use $20 per month and User B $50. Is there a way for businesses to know the usage of each user? For any service, not knowing how much will be spent by their users makes it very difficult to build a suitable charging structure.

One way would be to have a way to automatically create an OPEN API key and assign the usage to that user, but keys are limited to 25 and the usage cost is total (not per API key).

So not sure how developers are creating apps with these major hurdles. Also, I believe the focus for devs is to create a valuable product and charge for that product. If LLMs will/have become the commodity and Open AI makes money from usage of that commodity, moving that responsibility to a business is strange, no?

I see the Open API key as a phone number. The issue is that leaking that phone number may result in costs to the user. But the same way you agree to be charged when subscribing to an SMS service, there should be a way, at a high level, for them to “subscribe” their API key to a service. It is a hard problem to solve, but knowing that users can regenerate an API key gives an extra layer. Maybe another option is to whitelist an API key to a specific IP? The one providing the service?

Not sure what the solution could be, but from a business perspective trying to deal with usage on an individual level and somehow trying to find a structure/price that generalizes for all users will be a nightmare.

Curious to know how other devs are doing this :frowning:

So long as you use the moderation endpoint and make an active effort to ensure your userbase adheres to your company’s acceptable use policy, you should be fine with your API key.

OpenAI is not in the business of banning developers who are clearly following the rules and requirements. Make sure you log your moderation endpoint calls and associated prompts and replies, then you can show OpenAI that you have made a good faith effort using best practices in case there is some dispute.

In short, if you use the moderation endpoint and prevent messages that fail this test from being passed to the model, you have done your part of the agreement.

1 Like
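The gate-and-log pattern described in the reply above, as an added example that is not part of the original thread or OpenAI's code. The `moderate` and `complete` callables stand in for the moderation and completion calls made server-side with the service's own key, the response shape (`results[0].flagged`, `results[0].categories`) is the one assumed for the moderation endpoint, and blocking when moderation is unavailable is an assumed policy.

```python
import json
import time

def gated_completion(user_id, prompt, moderate, complete, audit_log):
    """Moderate first, forward only unflagged prompts, log every decision."""
    record = {"ts": time.time(), "user": user_id, "prompt": prompt,
              "flagged": None, "categories": [], "reply": None}
    try:
        result = moderate(prompt)["results"][0]
        record["flagged"] = bool(result["flagged"])
        record["categories"] = sorted(
            name for name, hit in result["categories"].items() if hit)
    except Exception as exc:
        # Assumed policy: fail closed when moderation cannot be reached.
        record["error"] = repr(exc)
    if record["flagged"] is False:
        record["reply"] = complete(prompt)
    # One JSON line per request: the evidence trail of prompts, verdicts, replies.
    audit_log.append(json.dumps(record))
    return record["reply"]

# Constructed stand-ins so the example runs offline (not real API clients).
def fake_moderate(text):
    hit = "BLOCKME" in text
    return {"results": [{"flagged": hit,
                         "categories": {"harassment": hit, "violence": False}}]}

def broken_moderate(text):
    raise TimeoutError("moderation unavailable")

def make_fake_model(calls):
    def complete(prompt):
        calls.append(prompt)  # records what actually reached the model
        return "reply to: " + prompt
    return complete

def demo():
    calls, log = [], []
    model = make_fake_model(calls)
    ok = gated_completion("user-a", "summarise this note", fake_moderate, model, log)
    blocked = gated_completion("user-b", "BLOCKME text", fake_moderate, model, log)
    failed = gated_completion("user-a", "hello", broken_moderate, model, log)
    return ok, blocked, failed, calls, [json.loads(line) for line in log]

if __name__ == "__main__":
    for entry in demo()[4]:
        print(entry)
```

In a real deployment the audit log would go to append-only storage with access controls, since it contains user prompts.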

Thanks @Foxalabs - the other issue remains though. Creating a cost structure where you don’t know how much each user (on the service being provided) is spending. Let’s say you build a service with 100 customers: how do you know the $ amount each customer is spending? A user might pay $19.99 for an X SaaS service, but might use $25 cost on the LLM alone.

Typically, one provides a tiered costing structure. The first tier allows the user to consume, let’s say, 10,000 tokens for a cost of $10 per month. If they go over that 10k token usage, they are moved to the second tier, are notified of this, and must agree to the next tier payment structure. By doing this you can offer discounted rates for higher tiers, while maximising returns on the lower ones.

One could make introductory offers, high usage discounts and all manner of marketing joy!

1 Like
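Per-customer metering behind a single service-owned key, as an added example that is not part of the original thread. It attributes the `usage.total_tokens` field of each completion response to the customer who made the request and enforces the tier allowance; the first tier uses the thread's figures, while the second tier's numbers, the `UsageMeter` class and the per-1k-token rate are assumptions.

```python
TIERS = [
    # (name, monthly token allowance, monthly price in USD)
    ("tier1", 10_000, 10.00),   # figures from the reply above
    ("tier2", 50_000, 40.00),   # assumed values for illustration
]

class UsageMeter:
    """Tracks tokens per customer for the current billing month."""

    def __init__(self):
        self.used = {}   # user_id -> tokens consumed this month
        self.tier = {}   # user_id -> index into TIERS the user agreed to

    def allowance(self, user_id):
        return TIERS[self.tier.get(user_id, 0)][1]

    def can_send(self, user_id):
        # Checked before each request is forwarded to the model.
        return self.used.get(user_id, 0) < self.allowance(user_id)

    def record(self, user_id, response):
        # The completion response reports token counts under "usage".
        tokens = int(response["usage"]["total_tokens"])
        self.used[user_id] = self.used.get(user_id, 0) + tokens
        return self.used[user_id]

    def accept_next_tier(self, user_id):
        # Called only after the customer explicitly agrees to the new price.
        nxt = self.tier.get(user_id, 0) + 1
        if nxt >= len(TIERS):
            raise ValueError("no higher tier available")
        self.tier[user_id] = nxt
        return TIERS[nxt][0]

    def upstream_cost(self, user_id, usd_per_1k_tokens):
        # What this customer cost the service, at a caller-supplied rate.
        return self.used.get(user_id, 0) / 1000 * usd_per_1k_tokens

def demo():
    meter = UsageMeter()
    # Constructed responses carrying only the field the meter reads.
    for _ in range(2):
        meter.record("user-a", {"usage": {"total_tokens": 6000}})
    meter.record("user-b", {"usage": {"total_tokens": 1500}})
    return meter

if __name__ == "__main__":
    m = demo()
    print(m.used, m.can_send("user-a"), m.can_send("user-b"))
```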

Thanks @Foxalabs, yes indeed, we would need to build out that structure and segregate it per user. Thanks for the help :slight_smile:

1 Like

Hello, could you point me towards the terms where it’s written? I can’t seem to find anything about this here Terms of use. Thanks a lot in advance.

See this article posted by OpenAI: Best Practices for API Key Safety | OpenAI Help Center

There is nothing detailed in the terms; however, it says “buy, sell, or transfer API keys without our prior consent”, which is very broad (in regards to transfer).

Understood. I thought it meant give it to someone else, since it came after buy and sell, but I see your point, and it’s better to be safe than sorry.
I have however seen at least one chatbot service allow users to use their API key so I guess they’re being optimistic in understanding the terms.