Since GPT-4 is expensive, how can I continue to use only GPT 3.5 endpoint?

I am using the following endpoint and my usage is showing and billing for GPT-4 and InstructGPT. Since GPT-4 is expensive, how can I continue to use only GPT 3.5 endpoint?

Since its charging almost three times more, I have switched off all the Free AI tools in my website.

Are you saying that you specify 3.5 in the model request API but you are being billed for GPT-4?


curl \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $OPENAI_API_KEY" \
  -d '{
    "model": "text-davinci-003",
    "prompt": "Say this is a test",
    "max_tokens": 7,
    "temperature": 0


curl \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $OPENAI_API_KEY" \
  -d '{
    "model": "gpt-3.5-turbo",
    "messages": [
        "role": "system",
        "content": "You are a helpful assistant."
        "role": "user",
        "content": "Say this is a test"

You will see there are minor differences, mainly in the messages format. One must also parse the AI response out of the API return object differently.

Examples above are from clicking “API reference” on this forum’s toolbar.

I am using JavaScript and here is my code. modelName is a global variable having the value of “gpt-3.5-turb”. Variable openaiApiHost = “

try {
const response = await fetch(openaiApiHost, {
method: ‘POST’,
headers: {
‘Authorization’: Bearer ${openaiApiKey},
‘Content-Type’: ‘application/json’,
‘model’: modelName,
body: JSON.stringify({
max_tokens: validLength

And its billing GPT-4.


Where does the javascript run? Who communicates with OpenAI servers?
Are you giving people the API key that they can steal and use themselves to make AI queries using your account?
Are you using an environment variable? Can it be extracted by executable code?

The API key is in a Javascript code that is obfuscated. The javascript runs in a public_html folder in a hosting site (shared hosting). As of now, the API key stands revoked.

are your users determining the modelName field here?

If so they are most likely choosing GPT-4 hence why you are billed. You could have that always set to gpt-3.5-turbo and you would only get charged for 3.5

Users do not have the option to select the model, its hard-coded in the code itself.

However, I understand that if I do not specify the model, OpenAI is defaulting to GPT 4.0 since the last few days as older models are being deprecated.

1 Like

I guess you need this:


If you ship a product with your API key embedded in it you will 100% have your key misused.


Thanks for the link. Most of my tools are for generating content (for auto-blogging ) - they call other third party APIs to embed images in between content and also give web links calling Bing APIs enabling users to generate a complete article along with internal links. I will probably have to move the API calling code to the server side to be on the safe side.

1 Like

But if they can see the code calling the API, they can change it. It sounds more like your key(s) leaked, though, and someone is using the most expensive model for free on your dime…

I’d recommend sooner rather than later… I’d change all the API keys while you’re at it (after you have them stored securely on the server…) Even with obfuscation, it’s relatively trivial to find and steal an API key on the public-facing side … Good luck!

API keys have been revoked. Thanks for your advice.

1 Like

No problem. If you need help getting it set up on the server-side, let us know. We’re happy to help.

Sounds like you have an interesting tool. Do you have a project thread here yet in Community section?

No, I do not. I used to be a programmer a few years back - but in older Client Server technologies. I took ChatGPTs help to code the html and JavaScript to develop the tools with the knowledge of programming I have. I tried different ways to store the API key in a config file and tried to have a proxy and php coding - but since I am on a shared hosting site, I had issues and could not get it to work - hence left the API key in the JavaScript in the public_html folder (but obfuscated) . My tools are free to use and I am not making any money out of it. Thanks.

1 Like

The issue here is that the API key is not obfuscated once you make the API request, so anyone can see it clear as day in the network logs (which they would do anyways instead of crawling through your javascript code) unless you are sending it your server, which isn’t ideal either.

1 Like

I was aware about it and paid a small price for it. I am now writing the code needed to move the api keys and all sensitive data to the serverside (php code outside public_html) and hopefully get my tools up and running shortly. Thanks to all of you for your guidance and help.

1 Like

I built three models and can command switch between them. Password protect public facing 4.0 pages.