Service level authentication

mustafa.ergisi · April 10, 2023, 3:13am

I couldn’t fully understand what ‘service level authentication’ means. It says to add it to the manifest when installing the plugin. After the code is deployed, how am I going to do this? If anyone has tried this and has a sample code, I would appreciate it if they could share it.

ruv · April 10, 2023, 12:59pm

Likely means your using some sort of authentication like a bearer token for your api endpoints, it’s asking to include it in the manifest so it can connect to the api endpoint. For GETs I don’t generally bother with authentication unless there are privacy concerns, for POSTs I use a bear token or jwt.

iamflimflam1 · April 17, 2023, 9:33am

I’m confused about this as well. To me Service Level Authentication means that we can make sure it’s OpenAI calling our endpoints.

For example, the plugin I’m developing should only be called from ChatGPT. I don’t want anyone else to be able to call it.

The docs say:

If you want to specifically enable OpenAI plugins to work with your API, you can provide a client secret during the plugin installation flow.

Not entirely sure how to trigger this flow.

And in the example:

Notice that the verification token is required for service level authentication plugins. The token is generated during the plugin installation process in the ChatGPT web UI.

kiyo921 · May 23, 2023, 9:27pm

I am getting the same issue as well. Will each user get this “Add verification token” pop-up when installing my plugin?

kevinpiac · May 23, 2023, 10:08pm

Hey guys!

Actually, once open ai gives you this verification token, you will have to add it to your manifest file.
Then, once your plugin gets approved, you will not have to change it anymore.

Your users will not get asked to do this at all. In fact, they will not even know it exists.

If you have any question regarding authentication or anything feel free to ask since I used them a lot

sean_moriarity · May 24, 2023, 4:13pm

I wrote about implementing service level authentication here: How to Implement ChatGPT Service Level Authentication with Python and FastAPI | HackWithGPT

A few of the key points:

Your users don’t need to go through the same verification token flow as you do. Once you do it once, it’s done for everybody.
Service level auth is blanket for all ChatGPT users. It’s basically a way to make sure only ChatGPT can hit those endpoints. You can also achieve this by allowlisting ChatGPT’s IPs as well
I found the easiest way to test is with ngrok, since you can’t test authentication with localhost plugins.
There doesn’t seem to be any way to rotate client secrets yet without resubmitting a plugin. Hopefully this changes so you don’t have to keep a stale secret around for a long time.
It’s pretty easy to do this with Python and FastAPI, I was planning to go through with some other frameworks as well

Topic		Replies	Views
🍄 Safeguarding Your ChatGPT Plugins: Best Practices for Security Plugins / Actions builders	4	3945	July 24, 2023
Examples of using Auth0 directly as the OAuth server Plugins / Actions builders	11	1601	May 9, 2023
Creating oAuth Login Flow - Help Needed Plugins / Actions builders plugin-development	6	1033	August 10, 2023
Custom GPT per user authentication [custom API programming] Plugins / Actions builders gpts	16	2054	December 15, 2023
OAuth Integration Help Needed Plugins / Actions builders chatgpt	1	688	May 7, 2023

Service level authentication

Related Topics