from Hacker News

Ask HN: If you are building OpenAI apps, how do you store user's API key?

by huydotnet on 6/12/23, 8:47 PM with 5 comments

This question has been around my mind lately.

The context is, if you are building a web application that allows user to use their own OpenAI API key to interact with OpenAI, how would you store their API key?

1. Local storage, let them send your API key through your server

2. Local storage, and the API key is called right from the user's browser

3. On your server??? How to store it securely? Using a vault manager?

#2 seems like a good choice, but in case you need to secure your prompt, then this is not feasible.

I've been struggling to find a good way to handle this situation.

Anyone have any idea or best practice on how to go about this scenario?

  • by cddotdotslash on 6/12/23, 10:25 PM

    It’s technically prohibited by OpenAI’s ToS to share your key with any third party, so presumably options 1 and 3 could get your users’ accounts banned. That being said, until OpenAI releases some kind of OAuth, there isn’t a great option unless your app is entirely client side.

  • by sharemywin on 6/12/23, 9:06 PM

    Why not use your own api key and collect payment from your customers?

    or add advertising and make sure you use 3.5

  • by revskill on 6/13/23, 12:25 AM

    Definitely local storage.