No. You go through traditional auth channels (username / password) or you generate a key per app user to talk with your backend. Or, you keep the backend you control open and implement controls to combat abuse, such as rate limiting and IP blacklisting. Whatever is chosen, the objective is to protect your API key and make sure the application is being used according to its purpose. An API key directly to OpenAI allows for any use under the sun — botnets, new prompts, etc., and can drain money, put your account in bad standing, or even get you in (potentially serious) legal trouble. Using your own backend, you can do things like hit the OpenAI moderation endpoint, inject the correct prompts into whatever you're sending to OpenAI, etc. The main thing is you have a limited API specific to your app offering, which significantly lowers the damage possible. You absolutely always want to give users the least privilege necessary for whatever use cases are being provided for — this protects both you and your users.
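The backend pattern described above, as an added example in Python (not code from the commenter): per-app-user keys checked server-side, a per-user rate limit, a moderation hook, and a fixed server-side prompt, so the real provider key never leaves the backend. The user names, app keys, model id, moderation stub and the `[flagged]` marker are constructed assumptions; the actual upstream call is left out so the block runs offline.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed sample data. USER_KEYS are keys this backend issues to app users;
# the provider key below is a placeholder and is only ever used server-side.
OPENAI_API_KEY = "sk-PLACEHOLDER-server-side-only"
USER_KEYS = {"alice": "ak_alice_example", "bob": "ak_bob_example"}
RATE_LIMIT = 5            # requests per user per window
WINDOW_SECONDS = 60
MODEL = "example-model"   # assumed model id; pinned by the backend, not the client
SYSTEM_PROMPT = "You are a recipe assistant. Only answer cooking questions."

_recent = defaultdict(deque)   # user -> timestamps of accepted requests

def authenticate(user, key):
    """Constant-time compare of the presented app key against the issued one."""
    expected = USER_KEYS.get(user)
    return expected is not None and hmac.compare_digest(expected, key)

def allow_request(user, now):
    """Sliding-window rate limit: reject once RATE_LIMIT requests fall in the window."""
    q = _recent[user]
    while q and now - q[0] >= WINDOW_SECONDS:
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return False
    q.append(now)
    return True

def moderation_flagged(text):
    """Stand-in for the moderation endpoint (assumption: a real call goes here)."""
    return "[flagged]" in text

def build_upstream_request(user_text):
    """The only request shape this backend ever sends upstream: fixed model,
    capped tokens, server-owned system prompt, user text confined to one message."""
    return {
        "model": MODEL,
        "max_tokens": 300,
        "messages": [
            {"role": "system", "content": SYSTEM_PROMPT},
            {"role": "user", "content": user_text[:2000]},
        ],
    }

def handle_request(user, key, user_text, now=None):
    """Auth -> rate limit -> moderation -> constrained upstream payload."""
    now = time.time() if now is None else now
    if not authenticate(user, key):
        return {"status": 401, "error": "invalid app key"}
    if not allow_request(user, now):
        return {"status": 429, "error": "rate limit exceeded"}
    if moderation_flagged(user_text):
        return {"status": 400, "error": "request rejected by moderation"}
    return {"status": 200, "upstream": build_upstream_request(user_text)}
```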