Unknown chatgpt 4 api keep cost me

In recent months, I’ve consistently found records of ChatGPT-4 API requests on the API usage page. However, I haven’t provided the option for GPT-4 in my personal web application. I have 2-3 web applications assigned with different APIs, but I can’t determine which specific API made the GPT-4 requests from the usage page. How should I resolve this issue?

Hi and welcome to the developer forum!

How is your API key handled by your application? is it stored in a 3rd party key handling service, an environment variable on your server? Hopefully you have not put your API in your application itself, if you have done that then that will be how someone has taken your key and is now using it for their own purposes, if that is the case you should revoke the key and correct how you are managing your API keys.

1 Like

Hi, I have two web applications. One is a web-based version of ChatGPT that I personally set up and is deployed on my own server. The other is a GPT deployment within an instant messaging tool, hosted in a cloud server container. I’ve stored the API keys in environmental variables. Both applications are set to model 3.5, and there’s no chance I accidentally used gpt 4. I’m struggling to understand how this leakage occurred. Moreover, each leak happens in a concentrated time period, with a sudden burst of requests, occurring 1-2 times a month. I’ve compared the usage page’s timestamp with my application’s logs, and there were no API requests during those times. Additionally, during this period, I’ve switched among different web applications and revoked the API keys multiple times, yet the issue persists. To be honest, I work in network security, so I’ve discussed this problem with my colleagues, but so far, we’re at a loss as to why this is happening. I just hope that OpenAI can tell me which API is calling GPT-4, so I can at least temporarily suspend that application. But it seems the customer service can’t do that.

Ok, well the thing to do then is revoke the current keys, generate new ones and update your environment variables.

Unless someone has access to your server environment, you should then be fine.

1 Like