Thread content accessible even if created from another apiKey

I should make it reproducible, I know, I worked in QA for 10+ years, but now I am “retired” so I am getting lazy :slight_smile:

This is what happened: I was playing with two different API keys of 2 different accounts, and since there is still no way to get a list of threads, I was saving all the thread IDs in my DB.

Then, spring cleaning time comes, and I try to delete the threads I do not need anymore.
Well, with the same API key I can SEE them, and I can read the WHOLE content (all the ‘dialogue’ so to speak) but if I try to delete it…
This is the response from the delete thread API call:

[error] => Array
    (
        [message] => No thread found with id 'thread_3cJXb4eJ1cKuJ1gF8FarBG6S'.
        [type] => invalid_request_error
        [param] => 
        [code] => 
    )

But if I use

https://api.openai.com/v1/threads/thread_3cJXb4eJ1cKuJ1gF8FarBG6S/messages

then I can read it all.
So, either the delete has some problems, or the fact that I can list the content of the thread without the correct API key is… Well, wrong, right?

BTW I will leave that ID alive for the time being, to see if you can access it with your own key…

1 Like

Please check the permissions of both of your API keys in the platform dashboard.

It’s possible one key has read-only permissions while the other key has write permissions.