by miki123211 54 days ago
Yes.

Ideally, your application code shouldn't ever need to see your secrets; those should only be accessible to tiny components that only expose the operations that the app actually needs to do.

Instead of your app having an OPENAI_API_KEY, there should be some kind of external HTTP proxy that adds this key whenever the right endpoint is called.

A man can dream though.

1 comment

This could probably be a generic MITM HTTP proxy as well: keep OPENAI_API_KEY=OPENAI_API_KEY in your .env and then replace this with the real key inside the proxy. It wouldn't need to know anything about endpoints or services.
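
The header-rewriting step of the proxy discussed in this thread, as an added example that is not part of either comment. The function name, the secrets table and the key value are constructed, and binding each placeholder to one upstream host is an assumption added here so the real key is only substituted on requests going to that host.

```python
"""Header-rewriting core of a secret-injecting proxy (constructed example)."""

# Constructed table: placeholder the app sees -> (allowed upstream host, real secret).
# Assumption: in a real deployment the secret is read from the proxy's own
# secret store, which the application process cannot access.
SECRETS = {
    "OPENAI_API_KEY": ("api.openai.com", "sk-constructed-example-key"),
}


def inject_secrets(host, headers, secrets=SECRETS):
    """Return a copy of `headers` with placeholders swapped for real secrets.

    `host` is the destination of the outgoing request ("name" or "name:port").
    A placeholder is only replaced when the destination matches the host bound
    to it; otherwise the request is refused, so the real key never leaves for
    an unexpected destination.
    """
    hostname = host.split(":")[0].rstrip(".").lower()
    rewritten = {}
    for name, value in headers.items():
        for placeholder, (allowed_host, real_secret) in secrets.items():
            if placeholder not in value:
                continue
            if hostname != allowed_host:
                raise PermissionError(
                    f"{placeholder} may not be sent to {hostname}"
                )
            value = value.replace(placeholder, real_secret)
        rewritten[name] = value
    return rewritten


if __name__ == "__main__":
    # The app's .env holds OPENAI_API_KEY=OPENAI_API_KEY, so this is what it sends.
    outgoing = {"Authorization": "Bearer OPENAI_API_KEY"}
    print(inject_secrets("api.openai.com:443", outgoing))
```

Requests that carry no placeholder pass through unchanged, so the same function can sit in front of all outbound traffic.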