We have seen a massive increase in usage on a specific api key that we cannot find in our app.
It has a key_cyX…. format.
It is also using the 5.2 model, which under our logs isn’t even showing up and I’ve not made anything using that model.
I cannot get support to answer me.
I turned off billing to stop the charges for now but we need to use the API.
Hi and welcome to the community!
Let’s try to figure this out.
OpenAI has never used API keys with a “key_” prefix. OpenAI API keys have a “sk-” or more recently a “sk-proj-” or “sk-admin-” prefix.
Is this a key from an internal or third party app?
What do you see in the users and API keys section of the usage dashboard?
One way forward could be to revoke all existing keys and implement new ones with proper rights management.
Thank you.
The name under usage is a name we don’t have in our api keys list
This is why I am so confused. How can we be billed for a key we don’t see in our list.
Yeah, that doesn’t look like platform.openai.com.
Are you using a wrapper maybe?
Thanks. I’m not sure what you mean by wrapper?
This is a key assigned to another user in my organization, so I’d need to ask them but I need more details on what you mean by wrapper.
Also, even if this is a ‘wrapper’ how does this not show as a key on my account.
Maybe some kind of Oauth login?
Those screenshots are from platform.openai.com
Ok. Let me just share my thoughts and observations:
When you go to the API keys page you should find the api-key with the name key_xyz.
But, you shared a screenshot where this key is not shown.
The question if this is an OpenAI API key, is answered. The ‘key_xc’ is the label that was assigned to the key when it was created.
You can check if there is a legacy key here:
https://platform.openai.com/settings/profile?tab=api-keys
@vb - This looks very promising. Checking with that user. Thank you.
@vb - I checked mine and his, neither have any keys with that naming on our legacy api keys.
We both only have 1 default project too.
Ok. I see it now.
The API key with the prefix ‘key_’ most likely belongs to a service account. These are programmatically created via an admin key.
On the people page for your project you may see a user with a little bot icon.
These accounts and their keys can be created and removed on the fly. It’s possible that it’s already been deleted. In this case I strongly suggest to revoke the admin keys for your organization.
Edit-Addendum:
Why do I think it’s a service account?
In the API spec the returned object for the example call to create a service account includes an id with the prefix ‘key_’.
When creating a service account we retrieve an API key with this prefix.
I think that’s confusing and will look into this a bit further.
@vb Thank you for your continued help.
I don’t think we have any Admin keys created. I would see them here right?
https://platform.openai.com/settings/organization/admin-keys
No bots in the people either.
