Unknown API usage and costs

Hello,

We have been experiencing issues with our API usage for about a month now. Despite only using GPT-3.5 and Whisper 1, we have noticed unexpected usage of GPT-4, Turbo, and now 4o.

To address this, we generated a new API key today. However, despite our actual usage amounting to only $0.03, we have already been charged $28 just today.

Although we received a refund for the previous unexplained usage, this issue persists.

Has anyone else encountered a similar problem?

Thank you.

This has indeed been experienced before.

It is usually the result of leaked keys.

Such as coding a user client application that makes direct calls to OpenAI with keys in the software.

You may have multiple keys across projects, and organization members you can’t hold accountable, so I would start by generating a new main user API key to be able to delete the prior ones (and don’t write it down or use it), and the same for every project you have created, if not simply deleting the projects.

Then review “team”, invited members.

A password reset can then follow, which is done at the login screen “I forgot”.

Then after you identify the fault in your processes, you can also use projects and API keys to disable endpoints and models that will not be used, to limit the usefulness of any further exposures.

Thank you for your quick response.

We only use one API key at the moment. We changed the password yesterday and generated a new API key today. Could you please advise on how we can disable endpoints to limit further exposures?

Thank you for your help!

When creating a new API key, you can choose “restricted” to then see the options for endpoints you can disable:

When managing a project that you have selected which contains those keys, you have control of models, which is under settings → project name → allow or block models:


But you must correct your problem also, such as not using the API key in an app that contacts OpenAI instead of connecting only to your own server based on user accounts.

Thank you for your guidance.

I have made a new API key and restricted most models. I will monitor to see if this helps. Could you explain how your suggestion of using our own server based on user accounts limits usage exactly?

Bad scenario:

You publish an app in an app store. The user’s device makes requests directly to the OpenAI API.

You can have the key stolen by software dumps, by memory dumps, simulators, network attacks, and then employed by state-sponsored bad actors to train adversarial AI products.

Good scenario:

You publish an app in an app store. The user’s device only connects to your backend server, which authenticates the user via an account, and only sends AI language between the client application and your gateway with your own API. The API key is on a secure server and not hard coded anywhere in code that could be sync’d.

You can moderate the user inputs, record usage and abuses, perform know-your-customer and avoid interactions with sanctioned groups or countries it is prohibited by law to transact with, kick off bad users that threaten your own API account for content…
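The "good scenario" above, sketched as gateway logic in Python (an added example for this thread, not code from OpenAI or from anyone posting here): the API key is read from the server's environment, clients present a session token issued by the backend, and only an allowlisted model with a per-user quota is forwarded. Names such as `ALLOWED_MODELS`, `DAILY_QUOTA` and the placeholder key are assumptions for illustration.

```python
"""Minimal gateway logic: the OpenAI key lives only on the server, and
clients authenticate with a session token issued by this backend."""
import hmac, hashlib, json, os, time
from collections import defaultdict

# Assumption: key and signing secret come from the environment, never from
# code that ships in the mobile app. The defaults are constructed placeholders.
OPENAI_KEY = os.environ.get("OPENAI_API_KEY", "sk-PLACEHOLDER-not-a-real-key")
SESSION_SECRET = os.environ.get("SESSION_SECRET", "constructed-dev-secret").encode()
ALLOWED_MODELS = {"gpt-3.5-turbo", "whisper-1"}   # models this product actually uses
DAILY_QUOTA = 200                                  # requests per user per day
_usage = defaultdict(int)                          # (user_id, day) -> request count

def issue_session(user_id: str, ttl: int = 3600, now=None) -> str:
    """Issue 'user_id.expiry.hmac' after the backend has verified the account."""
    exp = int((now or time.time()) + ttl)
    msg = f"{user_id}.{exp}".encode()
    sig = hmac.new(SESSION_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{user_id}.{exp}.{sig}"

def verify_session(token: str, now=None) -> str:
    """Return the user_id for a valid, unexpired token; raise otherwise."""
    try:
        user_id, exp, sig = token.rsplit(".", 2)
    except ValueError:
        raise PermissionError("malformed token")
    expected = hmac.new(SESSION_SECRET, f"{user_id}.{exp}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        raise PermissionError("bad signature")
    if int(exp) < (now or time.time()):
        raise PermissionError("expired")
    return user_id

def build_upstream_request(token: str, model: str, user_text: str, now=None) -> dict:
    """Validate the client request, enforce model allowlist and quota, and return
    the request the gateway would send upstream. The key never reaches the client."""
    user_id = verify_session(token, now)
    if model not in ALLOWED_MODELS:
        raise ValueError(f"model {model!r} is not enabled for this app")
    day = int((now or time.time()) // 86400)
    if _usage[(user_id, day)] >= DAILY_QUOTA:
        raise RuntimeError("daily quota exceeded")
    _usage[(user_id, day)] += 1                    # usage recorded per user
    return {
        "url": "https://api.openai.com/v1/chat/completions",
        "headers": {"Authorization": f"Bearer {OPENAI_KEY}"},
        "body": json.dumps({"model": model,
                            "messages": [{"role": "user", "content": user_text}]}),
    }
```

The client app only ever holds the session token, so a dumped or intercepted build exposes nothing that can be billed to the account.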

Thank you for your help. We definitely want to implement this approach. What would you recommend we use to create the server and protect the API key? We are using React Native, Expo Go and Pycharm.

Thank you!