Service level authentication

I couldn’t fully understand what ‘service level authentication’ means. It says to add it to the manifest when installing the plugin. After the code is deployed, how am I going to do this? If anyone has tried this and has a sample code, I would appreciate it if they could share it.

Likely means you're using some sort of authentication, like a bearer token, for your API endpoints; it's asking you to include it in the manifest so it can connect to the API endpoint. For GETs I don't generally bother with authentication unless there are privacy concerns; for POSTs I use a bearer token or JWT.

I’m confused about this as well. To me Service Level Authentication means that we can make sure it’s OpenAI calling our endpoints.

For example, the plugin I’m developing should only be called from ChatGPT. I don’t want anyone else to be able to call it.

The docs say:

If you want to specifically enable OpenAI plugins to work with your API, you can provide a client secret during the plugin installation flow.

Not entirely sure how to trigger this flow.

And in the example:

Notice that the verification token is required for service level authentication plugins. The token is generated during the plugin installation process in the ChatGPT web UI.

I am getting the same issue as well. Will each user get this “Add verification token” pop-up when installing my plugin?

Hey guys!

Actually, once OpenAI gives you this verification token, you will have to add it to your manifest file.
Then, once your plugin gets approved, you will not have to change it anymore.

Your users will not get asked to do this at all. In fact, they will not even know it exists.

If you have any questions regarding authentication or anything, feel free to ask, since I've used them a lot 🙂

I wrote about implementing service level authentication here: How to Implement ChatGPT Service Level Authentication with Python and FastAPI | HackWithGPT

A few of the key points:

  • Your users don’t need to go through the same verification token flow as you do. Once you do it once, it’s done for everybody.
  • Service level auth is blanket for all ChatGPT users. It's basically a way to make sure only ChatGPT can hit those endpoints. You can also achieve this by allowlisting ChatGPT's IPs as well.
  • I found the easiest way to test is with ngrok, since you can’t test authentication with localhost plugins.
  • There doesn’t seem to be any way to rotate client secrets yet without resubmitting a plugin. Hopefully this changes so you don’t have to keep a stale secret around for a long time.
  • It’s pretty easy to do this with Python and FastAPI, I was planning to go through with some other frameworks as well
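To make the flow described in this thread concrete, here is an added example in plain Python (standard library only; it is not code from the thread, from the linked HackWithGPT post, or from OpenAI). It assumes the flow the quoted docs describe: you supply a client secret during plugin installation, OpenAI hands back a verification token that goes into the manifest under the `service_http` / `verification_tokens` fields of the plugin manifest format, and requests from ChatGPT then carry `Authorization: Bearer <client secret>`, which your API checks. The secret, token, and CIDR values below are constructed placeholders, and `check_service_auth`, `extract_bearer`, `check_source_ip` and `guard` are names chosen for this example.

```python
"""Service level auth check for a ChatGPT plugin endpoint (added example).

Assumed flow: client secret chosen at install time -> OpenAI returns a
verification token -> token goes in ai-plugin.json -> ChatGPT sends
`Authorization: Bearer <client secret>` on every API call.
All secret/token/CIDR values here are constructed placeholders.
"""
import hmac
import ipaddress
from typing import Mapping, Optional, Sequence, Tuple

# Constructed placeholders; replace with the values from your own install flow.
CLIENT_SECRET = "s3cr3t-chosen-at-install-time"
VERIFICATION_TOKEN = "0123456789abcdef0123456789abcdef"

# Manifest fragment. The verification token lives here; the client secret
# never does, because the manifest is fetched without authentication.
MANIFEST_AUTH = {
    "type": "service_http",
    "authorization_type": "bearer",
    "verification_tokens": {"openai": VERIFICATION_TOKEN},
}


def extract_bearer(headers: Mapping[str, str]) -> Optional[str]:
    """Return the credential from an `Authorization: Bearer <x>` header, else None.

    Header-name lookup and the scheme keyword are case-insensitive; exactly one
    non-empty token must follow the scheme.
    """
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        return None
    parts = value.strip().split()
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1]:
        return None
    return parts[1]


def check_service_auth(headers: Mapping[str, str],
                       client_secret: str = CLIENT_SECRET) -> Tuple[int, str]:
    """Return (http_status, reason); 200 means the caller presented the secret."""
    presented = extract_bearer(headers)
    if presented is None:
        return 401, "missing or malformed Authorization: Bearer header"
    # Constant-time compare: a plain == short-circuits on the first differing
    # byte and leaks timing information about the secret.
    if not hmac.compare_digest(presented.encode(), client_secret.encode()):
        return 403, "bad client secret"
    return 200, "ok"


def check_source_ip(remote_addr: str, allowed_cidrs: Sequence[str]) -> bool:
    """Optional second layer: is the request's source address in an allowlisted CIDR?"""
    ip = ipaddress.ip_address(remote_addr)
    return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in allowed_cidrs)


def guard(headers: Mapping[str, str], remote_addr: str,
          allowed_cidrs: Optional[Sequence[str]] = None) -> Tuple[int, str]:
    """Combine the bearer check with an optional IP allowlist (both must pass)."""
    if allowed_cidrs is not None and not check_source_ip(remote_addr, allowed_cidrs):
        return 403, "source address not allowlisted"
    return check_service_auth(headers)


if __name__ == "__main__":
    # Constructed sample requests; 192.0.2.0/24 is a documentation range, not
    # an OpenAI range. Use the ranges OpenAI publishes for a real allowlist.
    allowlist = ["192.0.2.0/24"]
    samples = [
        ({"Authorization": f"Bearer {CLIENT_SECRET}"}, "192.0.2.10"),   # good
        ({"Authorization": "Bearer not-the-secret"}, "192.0.2.10"),     # wrong secret
        ({}, "192.0.2.10"),                                              # no header
        ({"Authorization": f"Bearer {CLIENT_SECRET}"}, "198.51.100.7"), # bad source
    ]
    for hdrs, addr in samples:
        print(addr, hdrs.get("Authorization"), "->", guard(hdrs, addr, allowlist))
```

Two design points worth noting: keep the client secret out of the manifest and out of version control, since the manifest is publicly fetchable; and treat the IP allowlist as defence in depth rather than a substitute for the bearer check, because address ranges change and the secret is the thing that actually proves the caller went through the installation flow.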