Repeated Fraudulent Use of My API Keys

Hi all,

I’ve got a bit of a situation here. Someone keeps getting their hands on my API keys and using them to run big requests on GPT-4 and GPT-4 Turbo. I have to rotate them every other day. The thing is, my apps are only set up for GPT-3.5 Turbo, and I’m not planning to move to GPT-4 until I get this sorted out. If I don’t, I won’t even know when my API has been compromised.

I’ve tried a few things to stop this, like using a proxy server with a Firebase function, but it’s just making my app too slow. What’s the best way to keep my API key safe? And is there a way to block any requests to the API that aren’t coming from my app?

Also, with the latest update to OpenAI’s UI, I can’t see which one of my accounts is compromised. Plus, the “last time used” tab is always showing “never”. Any ideas?


Where are you storing the API keys in your app?

I’ve got two apps running. For one, I set up a proxy server, and for the other, the API key is stored in a remote database. I did try implementing a server for the second app, but it significantly degraded the user experience due to slow response times. So, I left it as is for another week. But just yesterday, the key was intercepted again, and it maxed out the hard limit I had established.

Now, I’m not even sure which API key was compromised. I suspect it’s the one with the app that doesn’t have the server. Before implementing the server in the second app, I want to exhaust all other alternatives, which is why I’m asking here for advice. Previously, with OpenAI’s old UI, I could track which account was making requests to GPT-4 or GPT-3.5, so I had split the API keys between two separate accounts. But with the new UI update, it’s no longer showing us the API request details, which is a big setback.

Yeah, you need to store the keys on your server where they’re safe. If they’re transmitted, they will be intercepted. It’s more work, but less headaches like these in the future for you.

Shouldn’t slow it down too much as that’s the way it’s normally done.

1 Like

Thanks for the advice! I understand the importance of storing the keys on the server, my concern is the big impact on the app’s performance with the slowdowns. With the server the loading animation takes forever with each message.

Could you share any tips or best practices on how to implement this securely without significantly affecting the app’s speed?

Is there a way to restrict API requests so that only my apps can use them?

You can look into streaming the content back depending on what model you’re using.

Environment variable usually… but if it’s on the server it should be safe unless the server gets hacked.

No, this is not possible.

Also check out the Safety Best Practices page if you haven’t yet. More tips. If you get stuck on something specific, let us know, and we’ll try to help.


Thanks for the advice! And I hope my API key issue wasn’t serious enough to get Sam fired! :smile: Just a little humor there. Seriously though, any further suggestions are still very much welcome!

1 Like