When using OpenAI services, it's crucial to keep both your API key and account secure. This guide offers a detailed look into how you can protect yourself from API key leaks and account takeovers.
Understanding API Key leaks
An API key is essentially your personalized access code for the OpenAI API. If this key is leaked, unauthorized users could access the API through your account, which could result in unauthorized charges or your account being used to violate our terms of service.
How to prevent leaks
Use environment variables
Store your API key in environment variables within your development environment.
This ensures the key is not hard-coded into your application, making it less likely to be exposed.
If you’re using GitHub Actions, use GitHub secrets to keep your API key secure.
Be cautious when using third-party products
Exercise caution when using third-party libraries, frameworks, or tools that request access to your API key. Even though a product may seem reputable, there's always the risk of key exposure or misuse.
Set reasonable spend limits
Don’t ship your API key
It can be tempting to ship your API key embedded in an application, for example to avoid running a server for a mobile app. However, this makes your API key vulnerable to misuse.
Conduct thorough code reviews
Before pushing code to public repositories, always review it to ensure that no sensitive information, such as API keys, is exposed.
Use automated scanning tools that can flag potential leaks. You can check out GitHub's secret scanning tutorial for more.
When we detect an API key on the public internet or leaked inside an app in the app store, we will disable the API key immediately.
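The two practices above, reading the key from an environment variable and scanning source for hard-coded keys, as an added example that is not part of this guide. It assumes the OPENAI_API_KEY variable name used by the OpenAI SDK, and the "sk-" key pattern is an illustrative assumption, not an official key specification.

```python
import os
import re

# Assumed: the OpenAI SDK reads the key from OPENAI_API_KEY. The "sk-" prefix
# pattern below is an assumption used for illustration, not an official spec.
ENV_VAR = "OPENAI_API_KEY"
KEY_PATTERN = re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b")


def load_api_key(env=None):
    """Read the API key from the environment instead of from source code.

    Raises a clear error when the variable is missing so the application
    fails at startup rather than falling back to a hard-coded value.
    """
    env = os.environ if env is None else env
    key = env.get(ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{ENV_VAR} is not set; export it in the shell or CI secrets")
    return key


def redact(key):
    """Keep only a short prefix so a report never reproduces the full secret."""
    return key[:6] + "..." + "*" * 4


def find_hardcoded_keys(source):
    """Scan source text and return (line_number, redacted_key) for each hit.

    Lines that merely read the key from the environment contain no literal
    key and therefore produce no finding.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in KEY_PATTERN.finditer(line):
            findings.append((lineno, redact(match.group(0))))
    return findings


# Constructed sample source: one leaked literal and one safe environment lookup.
SAMPLE_SOURCE = '''import os
client_key = "sk-EXAMPLEabcdefghijklmnopqrstuvwxyz0123"  # leaked literal
safe_key = os.environ["OPENAI_API_KEY"]                   # no literal here
'''

if __name__ == "__main__":
    for lineno, shown in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: possible API key {shown}")
```

Running the scanner as a pre-commit hook or CI step catches a literal key before it reaches a public repository, while the loader ensures the application never needs one in source.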
Implement key rotation
Periodically change your API keys by deleting old keys and creating new ones via the API key dashboard.
Understanding account takeovers
An account takeover occurs when someone gains unauthorized access to your account, potentially using our services and leaving you with the bill.
How to prevent account takeovers
Use strong passwords or Google authentication
For passwords, use a combination of upper and lower case letters, numbers, and special characters. We recommend using a password manager to generate and store passwords.
Update your password every few months.
Enable two-factor authentication (2FA)
This adds an extra verification step, usually involving your phone.
Even if someone gets your password, they'd need the second factor to access your account.
Be cautious with emails and links
Be wary of emails that ask for your credentials or direct you to web pages that require you to input your account details.
Always double-check the email address and URL to ensure they're from a trusted source.
What to do if you suspect an issue
If you think your API key has been compromised or suspect unauthorized activity on your account, it's crucial to act quickly:
Delete your API keys
You can delete your API keys via the API key dashboard.
Contact us immediately
The sooner you report the issue, the faster we can help resolve it and minimize any potential damage.
Review account activity
Check for any unfamiliar activity on your account, such as unexpected API usage. The details you provide will help us restore your account.
Security is a shared responsibility. While we take all necessary steps to protect your access, following these guidelines will further safeguard your account. If anyone uses your credentials without your permission, let us know ASAP. We’ll do our best to help.