While you can remove your payment method, it does not turn off your account. Billing can continue against your credit balance, even going into the negative until an organization is shut off, often requiring hours.
Limits are per-project, and then a separate one for the organization, and are based on monthly usage. They also don’t invoke an immediate shutdown.
Here are ways that your credits can be consumed:
- Playground - This experimentation platform is billed to your account like any other API usage. It does not need an active API key.
- Forgotten keys - there is the possibility of API keys in each project. The project selector is at the top-left of the platform site. Here is an overview link: https://platform.openai.com/settings/organization/api-keys
- Forgotten keys - an account’s “user keys” are in a different location. Full access. Generate a new one and delete others. https://platform.openai.com/settings/profile/api-keys
- Invited organization users - they can bill to your organization with their own keys (https://platform.openai.com/settings/organization/members)
- Invited project members - they can use the project scope, so review members of each organization.
Tips:
- Utilize tracking feature on API keys, and monitor usage page
- Deploy one API key per application, or assign one key per team user (not invites)
- Use keys as securely as bank passwords.
- Never include keys in code.
- Never have client applications that make direct calls to OpenAI, thus giving your secrets to the user.
- Lock down or reset the credentials to your account. Passwords of OpenAI accounts or the authentication method used are high-value targets.
- Turn on two-factor authentication, after ensuring your email address and phone number are still current (they cannot be changed in OpenAI).
- Disable models in projects and endpoints in project API keys that will not be used.