For some developers, this is sort of intentional. The reason is at least twofold:

1) Calling OpenAI directly is one less hop, so the user gets lower latency
2) Not having to set up / maintain a backend server = get to market faster

There are some very popular GPT apps recently that are obviously putting their API keys on the client side - won't name them but they've been featured quite a bit.

The downside is not as bad as people think. Worst case, someone takes your key and what, plugs it into their own app, costing you a few bucks?

- OpenAI keys have a hard budget limit that requires manual approval by OpenAI anyway
- Not much privacy risk - unlike other API keys, OpenAI APIs don't allow you to retrieve previous data AFAIK. There are some APIs to fine-tune models, but I seriously doubt any of these consumer apps are doing this now.
- You can just create a new version later and revoke the old key. And now you've broken the thief's app.

My guess is the developers were well aware of the tradeoffs. Just felt it was more important to get to market faster than to batten down all the hatches. They're probably right?