OpenAI GPT API Bot IP Range

Finally got around to creating my first GPT with an action. No wonder everybody wants to use this – super easy and fast!

Problem is, the API my action is calling requires the client IP to be in it’s allow list. I asked gpt-4 what do do about this:

Contact OpenAI Support : Reach out to OpenAI support or your account manager to ask if they can provide a list of IP addresses, or if there’s a recommended approach for securely allowing their requests. They may offer guidance or alternatives that fit your security requirements.

Does anyone know if there is such a list?

The requests appear to originate from this user-agent: ChatGPT-User/1.0; +

And if the above isn’t possible, what about this?

Webhook Verification : If you’re handling webhooks from OpenAI, instead of IP allowlisting, you could use a secret token verification process. OpenAI could send a predefined secret token with its requests that you can verify. This method ensures that the request is coming from a trusted source without relying on IP addresses.

Auth with an api key or something to your middleware to proxy your request? :thinking:

it’s not convenient, but a static IP range whitelist for gpt actions would kinda defeat the purpose of IP whitelists, considering everyone can make that request, no? but I guess that’s your API vendor’s business…

Well, I was thinking about something more along the lines of a CIDR block.

Already using api key – just an added layer to make sure the requests are coming from OpenAI servers

I’ve not been able to locate a single post on this topic, so maybe nobody is using IP allowlists?

TBH it didn’t really cross my mind because it’s a public network request - I’d just let cloudflare do its magic and not worry about it.

But if they published their addresses, probably wouldn’t hurt anything.

Maybe it’s a worthwhile feature request? :thinking:

1 Like

I thought there was an IP block floating around in some other discussion? Or maybe it was just people asking for one?

I’ll try to track it down, but if there’s no solution or answer forthcoming you could look for an API gateway for which you can get those answers and just route everything through that.

1 Like