Finally got around to creating my first GPT with an action. No wonder everybody wants to use this – super easy and fast!
Problem is, the API my action is calling requires the client IP to be in it’s allow list. I asked gpt-4 what do do about this:
Contact OpenAI Support : Reach out to OpenAI support or your account manager to ask if they can provide a list of IP addresses, or if there’s a recommended approach for securely allowing their requests. They may offer guidance or alternatives that fit your security requirements.
Does anyone know if there is such a list?
The requests appear to originate from this user-agent: ChatGPT-User/1.0; +https://openai.com/bot
And if the above isn’t possible, what about this?
Webhook Verification : If you’re handling webhooks from OpenAI, instead of IP allowlisting, you could use a secret token verification process. OpenAI could send a predefined secret token with its requests that you can verify. This method ensures that the request is coming from a trusted source without relying on IP addresses.
Auth with an api key or something to your middleware to proxy your request?
it’s not convenient, but a static IP range whitelist for gpt actions would kinda defeat the purpose of IP whitelists, considering everyone can make that request, no? but I guess that’s your API vendor’s business…
I thought there was an IP block floating around in some other discussion? Or maybe it was just people asking for one?
I’ll try to track it down, but if there’s no solution or answer forthcoming you could look for an API gateway for which you can get those answers and just route everything through that.
