I am currently developing a SAAS (Software as a Service) application and have encountered a crucial concern regarding the management of OpenAI API keys. As per OpenAI’s clear policy, any misuse or violation of the terms and conditions could result in the suspension or termination of an account. This raises a challenging situation where multiple API keys under one account, each serving different clients, could be affected if even one client violates the policy. I would greatly appreciate your insights and advice on effective strategies for managing API keys in such scenarios. Should I create separate accounts for each client to mitigate the potential risks?
If you pass all input through the moderation endpoint first, you can check for content violations and prevent that request being sent to the model. See OpenAI Platform Moderation guide.
You should also build your moderation policy so that you take control of your companies moderation policies. Ensure your customers know what to expect from your company and use the moderation endpoint as a safeguard.
When you are forming inputs to the API, you can include a “name”, which can be the customer account name.
From the days when OpenAI actually had customer service and account managers you could reach, this would serve to let them know that violation was done by one particular end user.
(scroll to the top of the link for other best practices)
This likely won’t stop the current automated detection of content, and warning or suspension based on it. Instead instruct your AI to deny anything that is not the client’s information domain, and filter the inputs with the moderation endpoint.
Using multiple API keys for your backend doesn’t make much sense, as there is no way to track individual keys by usage or abuse. You instead should monitor client usage yourself.