Ask HN: If you are building OpenAI apps, how do you store user's API key?
This question has been around my mind lately.
The context is, if you are building a web application that allows user to use their own OpenAI API key to interact with OpenAI, how would you store their API key?
1. Local storage, let them send your API key through your server
2. Local storage, and the API key is called right from the user's browser
3. On your server??? How to store it securely? Using a vault manager?
#2 seems like a good choice, but in case you need to secure your prompt, then this is not feasible.
I've been struggling to find a good way to handle this situation.
Anyone have any idea or best practice on how to go about this scenario?
6 comments
[ 3.5 ms ] story [ 25.8 ms ] threador add advertising and make sure you use 3.5
https://openai.com/policies/terms-of-use
The only thing I found was:
You may not (...) (vii) buy, sell, or transfer API keys without our prior consent.
Apologies for sounding like an absolute nerd, but you can go with options 1 and 3 - as long as you ask OpenAI first and get their consent. Also the meaning of "transfer" is a bit murky in my opinion. If I take my API key and write it down in a napkin, technically I've just transferred my API key to a napkin - sorry Mr. Altman!