Ask HN: If you are building OpenAI apps, how do you store user's API key?

7 points by huydotnet ↗ HN
This question has been around my mind lately.

The context is, if you are building a web application that allows user to use their own OpenAI API key to interact with OpenAI, how would you store their API key?

1. Local storage, let them send your API key through your server

2. Local storage, and the API key is called right from the user's browser

3. On your server??? How to store it securely? Using a vault manager?

#2 seems like a good choice, but in case you need to secure your prompt, then this is not feasible.

I've been struggling to find a good way to handle this situation.

Anyone have any idea or best practice on how to go about this scenario?

6 comments

[ 3.5 ms ] story [ 25.8 ms ] thread
Why not use your own api key and collect payment from your customers?

or add advertising and make sure you use 3.5

yes that’s the approach most people using. the thing is, some users may have access to gpt-4 themselves, or company paid for it and they want to use it with our service (and to make it more “reasonable”, the developer do not have access to gpt-4)
It’s technically prohibited by OpenAI’s ToS to share your key with any third party, so presumably options 1 and 3 could get your users’ accounts banned. That being said, until OpenAI releases some kind of OAuth, there isn’t a great option unless your app is entirely client side.
Can you point out where exactly? Looking at this:

https://openai.com/policies/terms-of-use

The only thing I found was:

You may not (...) (vii) buy, sell, or transfer API keys without our prior consent.

Apologies for sounding like an absolute nerd, but you can go with options 1 and 3 - as long as you ask OpenAI first and get their consent. Also the meaning of "transfer" is a bit murky in my opinion. If I take my API key and write it down in a napkin, technically I've just transferred my API key to a napkin - sorry Mr. Altman!

(comment deleted)