Urgent Clarifications Needed on BYOK (Bring Your Own Key) and OAuth for OpenAI API

Many developers who are incorporating the OpenAI API in their apps are considering enabling a BYOK (Bring Your Own Key) feature for their users or implementing an OAuth solution.

Surprisingly, OpenAI’s current terms of service, usage policies, and documentation are silent on this matter. I’m sure many in this community would appreciate explicit guidelines, as this could have significant implications on how we build and scale applications.

This is especially concerning given that some apps already allow users to bring their own keys as part of their business model. What if their apps are taken down due to policy violations they weren’t even aware of? I think this matter requires urgent attention.

Critical Questions:

  1. Is it permitted for users of our apps to bring their own OpenAI API key for chat/text generation?
  2. If BYOK is allowed, what are the best practices for securely enabling users to input their own API keys?
  3. Does OpenAI’s API support OAuth for authentication or plan to add this feature?

Looking forward to your insights and advice.


Hey champ!

You’re right, there used to be something more specific in the documentation about BYOK applications, but the best answer I can currently offer is this:

…You may not make your access credentials or account available to others outside your organization, and you are responsible for all activities that occur using your credentials.

From section 1 of the Terms of Use

So, to offer some advice on questions 1 & 2:

  • Do not share API keys; it’s a bad idea, and it’s also against OpenAI’s policies.

  • OpenAI API keys are not intended for end users; their intended use is for developers who want to integrate OpenAI’s products into their services.

  • BYOK applications are not specifically banned; they are great for Open Source development or when you’re creating something for MegaCorp-9000® who wants to manage their own access & usage. It’s a really bad idea to create a “make AI do xyz” website that requires the user to share their API key so that said website can make calls on their behalf.

Regarding question 3:

There’s currently no support for this feature, and I haven’t heard about any plans to add it.

I hope that helps :heart:


Thanks

But this is information we already know. I’m hoping for official clarifications or insights.

Understandable. Multiple people have already asked for clarification on the subject, and OpenAI has been made aware of the issue. There is not much else we can do at this point other than wait.


I would also like to ask the OpenAI team,

Is BYOK allowed if using a specialized service specifically for storing sensitive data like API keys in a zero-knowledge or end-to-end encrypted manner?

For example can we use:

Azure Key Vault: allows for secure storage of keys, secrets, and certificates.

or

Google Cloud’s Secret Manager: allows managing sensitive data.

This is the community developer forum. OpenAI staff are rarely here. If you’re seeking a response directly from OpenAI, your best bet is to head over to https://help.openai.com/en/ or email them directly at support@openai.com.