This is more of a question: Is it safe to include the API in the HTML as it's described in the README? This seems like anyone can grab your OpenAI API key and use it for their own purposes. To secure the API key, the key would need to be domain locked, which, to my knowledge, OpenAI does not currently support (client-side keys that can be domain locked).
As an alternative, this tool can implement the ability to specify an alternative backend, such as our own server, which holds the API key securely. Then our own server can validate something like a CSRF token to ensure the request comes from HTML that is served on a legitimate host before proxying to the OpenAI API. It's obviously a bit slower and involves having a host that can do this, but it's way more secure.