For clarity, I described the idea to ChatGPT and it wrote me back this which is clear:
Okay, I understand the flow better now:
- User logs into ChatGPT using their Google account
- ChatGPT gets the user’s Google ID from the login
- When making API calls to Zipwire, ChatGPT passes the Google ID
- Zipwire looks up the Google ID and matches it to a Zipwire account
- To authenticate the API call is from ChatGPT, the Google ID is signed using a shared secret key
- Zipwire validates the signature matches the key it shares with ChatGPT
This allows ChatGPT to make authorized API calls on behalf of a user, leveraging the Google ID for account linking between ChatGPT and Zipwire.
The main trust still lies with ChatGPT properly securing the secret key and not abusing it outside the intended use case. But the impact is lower since the key would only allow access to a specific user’s account data based on their Google ID, not full API access.
Let me know if I have the flow right now! Overall this seems like a reasonable approach to safely allow ChatGPT to integrate with and access user data from your application.