Short Lived Restrictive API Keys

Hey there, Good day!

I am building an app that will need to access your services on the client. However, I would rather not leak my API keys there.

Besides deploying this part of the infra to the edge, I was thinking that it would be great to expose short-lived restricted API keys to the client.

Do you have such functionality, or do I need to implement it by hand?

Example: API key for a specific response session with an expiration of 1 hour, only specific model access (only gpt 5 mini), and optionally a specific user (via IP or geolocation).

The client would then make requests directly to the OpenAI API (saving bandwidth).

Using the new WebSocket response API, I believe this would be even better for load times and speed.

Good question, and you’re thinking about the right risks here.

There isn’t currently a built-in feature for issuing short-lived, scoped API keys directly from OpenAI with restrictions like model-only access, IP binding, or per-session expiration.

Also, even if a key is short-lived, exposing it on the client side is still risky. If someone grabs it during that window, they can make requests against your account and you’d be billed for that usage. So keeping API keys private is really important for protecting both your usage and your data.

- Sky

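One way to implement the "by hand" approach on your own backend, as an added example that is not part of this thread or of any OpenAI SDK: the server mints an HMAC-signed session token scoped to one model, an expiry and optionally the client IP, and verifies it before forwarding the request upstream with its own private key, which never reaches the client. The secret, model name and addresses are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: the signing secret and the real OpenAI API key
# live only on the backend; neither is ever placed in a token or sent to the client.
SERVER_SECRET = b"constructed-demo-secret-load-from-env-in-practice"
ALLOWED_MODELS = {"gpt-5-mini"}  # the only model a session token may name

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_session_token(session_id, model, ttl_seconds=3600, client_ip=None, now=None):
    """Backend-only: issue a token bound to one session, one model and an expiry."""
    if model not in ALLOWED_MODELS:
        raise ValueError(f"model not allowed: {model}")
    now = time.time() if now is None else now
    claims = {"sid": session_id, "model": model, "exp": int(now + ttl_seconds)}
    if client_ip is not None:  # optional client binding, as the question suggests
        claims["ip"] = client_ip
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def verify_session_token(token, requested_model, client_ip=None, now=None):
    """Backend-only: return the claims if the token is genuine and in scope, else None.
    Only after this passes does the backend call upstream with its private key."""
    try:
        p64, s64 = token.split(".")
        payload, sig = _unb64(p64), _unb64(s64)
    except ValueError:  # wrong shape, or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time, before trusting claims
        return None
    claims = json.loads(payload)
    now = time.time() if now is None else now
    if now >= claims["exp"]:  # session expired
        return None
    if claims["model"] != requested_model:  # token scoped to a different model
        return None
    if "ip" in claims and claims["ip"] != client_ip:  # bound to another client
        return None
    return claims
```

A stolen token is therefore only useful against your own proxy, for the one model and session it names, until it expires; it cannot be replayed directly against the OpenAI API.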

If you’re able to implement your logic in the agents framework, take a look at ChatKit - ChatKit | OpenAI API

@mohanlalranvir
If you’re able to implement your logic in the agents framework, take a look at ChatKit - ChatKit | OpenAI API

It worked as expected. Thank you!