ChatGPT api key leaked!?

Just got this from ChatGPT:

Hi there,

We have determined that your OpenAI API key was leaked, and have disabled it with immediate effect.

This may be because you committed your API key to an online service such as GitHub, or your key may have been compromised in another way.

The way I use my key is through a Xojo desktop app (Windows and Mac) (no Git storage of keys).

In code, the key is stored as a constant and used like this:

serverInstance.RequestHeader("Authorization") = K_OPENAI_APIKEY

// Cutting away code where content / messages is being set.

serverInstance.Send("POST","https://api.openai.com/v1/chat/completions",20)

Any thoughts, how it might have been leaked? Anyone had the same problem?

Did you use the key on a different computer recently?
On two computers at the same time?
Intensively these last days compared to the previous month?

An unencrypted string constant is probably included as clear text within the compiled executable. If your app is distributed online, anybody could scan through your executable and see it if they knew what they were looking for.

Not probably, definitely.

You could put your new key into The ZAZ: Xojo String Obfuscator and get back a method that will make it harder to extract the key, but there’s no such thing as impossible in this case. You’re distributing your key inside your app. It’s retrievable one way or another. Oh and for the record, I don’t log a damn thing on my websites. You wouldn’t be leaking it to me, but I can understand caution of course.

The only way to truly protect your key is to run your requests through your own API. Your server makes the request to ChatGPT, thus not revealing your key… but then you need to worry about securing access to your API which has essentially the same problem. OAuth without a secret is a great option for this, but is tricky to implement.

Welcome to security! It’s… not simple.

2 Likes
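
A release check for the point made above, that a string constant ships as clear text inside the executable (an added example, not code from this thread): it scans a build artifact for key-shaped literals before the app is distributed. It goes slightly beyond the thread by also checking UTF-16LE storage; the `sk-` key pattern, the function names and the sample bytes are assumptions constructed for illustration.

```python
import re

# Assumption: OpenAI secret keys start with "sk-" followed by a long run of
# URL-safe characters; adjust the pattern for other providers.
KEY_RE = re.compile(rb"sk-[A-Za-z0-9_-]{20,}")
# Same pattern with a NUL after every character (UTF-16LE string storage).
KEY_RE_UTF16 = re.compile(rb"s\x00k\x00-\x00(?:[A-Za-z0-9_-]\x00){20,}")


def redact(key: str) -> str:
    """Keep only enough of the key to identify it in a build log."""
    return key[:6] + "..." + key[-2:]


def find_embedded_keys(blob: bytes):
    """Return (offset, encoding, redacted_key) for each key-shaped literal."""
    hits = []
    for m in KEY_RE.finditer(blob):
        hits.append((m.start(), "ascii", redact(m.group().decode("ascii"))))
    for m in KEY_RE_UTF16.finditer(blob):
        hits.append((m.start(), "utf-16le", redact(m.group().decode("utf-16le"))))
    return sorted(hits)


def scan_file(path: str):
    """Scan a built executable on disk (hypothetical release-gate entry point)."""
    with open(path, "rb") as fh:
        return find_embedded_keys(fh.read())


# Constructed sample standing in for a compiled app: filler bytes around a
# fake key stored once as ASCII and once as UTF-16LE.
FAKE_KEY = "sk-EXAMPLEONLYnotARealKey0123456789"
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\xff\xfe" + b"\x00" * 16
    + b"Authorization\x00" + FAKE_KEY.encode("ascii") + b"\x00\x13\x37"
    + b"\xde\xad\xbe\xef" + FAKE_KEY.encode("utf-16le") + b"\x00\x00\x7f"
)
CLEAN_BINARY = b"MZ\x90\x00" + b"no secrets here, key is entered by the user\x00"

if __name__ == "__main__":
    for offset, enc, key in find_embedded_keys(SAMPLE_BINARY):
        print(f"offset {offset:#x} ({enc}): {key}")
```

A clean result only shows that no plain literal is present; an obfuscated key still ships inside the app, as the post above notes.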

If you set your key in your distributed app, and let’s say you have 1000 users, then OpenAI sees 1000 people using the same key at the same time, and thinks it has leaked.
I don’t think you can embed an API key inside a distributed app.
You must set a preference and let the final user insert HIS key.

4 Likes

It might be something like that… although this is supposed to be a valid approach (each distributed app has the key stored)

I am going to change this, by setting up an Edge function within Supabase which takes care of this, so moving the functionality to the API side.

I use an IDE script to obfuscate that’s a modified version of a design from @Kem_Tekinay. I couldn’t find the original on his website, so I’ve pinged him here for credit 🙂

Obfuscate.xojo_script - 3kb

The script is easy to use:

  1. Install script in /Xojo/Scripts/
  2. Select a string literal to obfuscate
  3. Select File > IDE Scripts > Obfuscate.xojo_script

8 Likes

The error was identified and may serve as a warning to other ChatGPT developers.

Our app can have up to 1,000 users online simultaneously and ChatGPT saw the usage of our single API key as a “leak” / “spam”.

The error: I needed to disable user API keys (within ChatGPT general settings page).

Without this, ChatGPT sees 1,000 users coming in from various IP addresses and interprets it as spam. The solution is either to disable user API keys or, as I also did, move the request to a server-side function.

In my case, I used an edge function within Supabase, which removes the API key from the client. This ensures that ChatGPT sees all requests coming from a single location rather than 1,000 different ones.