
gpt-4o model

Open xiejie2438 opened this issue 1 year ago • 8 comments

The model I passed in using the OpenAI API is gpt-4o, but I saw in the bill that my API key has the number of calls to other models. Does the gpt-4o model automatically convert to other models?

xiejie2438 avatar Jun 06 '24 07:06 xiejie2438

No, it doesn't. I think your API key was breached. You need to disable it and create a new one. If you're exposing the key inside a client (e.g. iOS or Android app), you have to think of using a backend proxy.

benadamdev avatar Jun 06 '24 08:06 benadamdev

> No, it doesn't. I think your API key was breached. You need to disable it and create a new one. If you're exposing the key inside a client (e.g. iOS or Android app), you have to think of using a backend proxy.

I have replaced the key, but there will still be calls to other models

xiejie2438 avatar Jun 06 '24 09:06 xiejie2438

It was breached again. Every network request you make to OpenAI is sniffable. Your only chance at fighting this is building your own backend or trying some service like https://www.aiproxy.pro. I haven't tried them myself, but I built my own proxy. Good luck.

benadamdev avatar Jun 06 '24 09:06 benadamdev

Our requests to OpenAI are all initiated by backend services, not by clients such as browsers.

xiejie2438 avatar Jun 06 '24 09:06 xiejie2438

Someone must be using that key. I don't think there is any other explanation.

benadamdev avatar Jun 06 '24 11:06 benadamdev

As @benadamdev said, the API key was likely compromised. Even if the requests are initiated by backend services, if the key is stored or transmitted insecurely it can be intercepted.

Have you considered internal misuse of the API key? Perhaps even backend services being compromised using whatever third-party packages you may be using.

Monitor the usage logs, check the security of the backend services, and, like @benadamdev, use a proxy service. Wishing you luck with this one!

> Every network request you make to OpenAI is sniffable.

This is not true. If your client is using TLS the key is not sniffable. So far as I know all generators use this by default.

> https://www.aiproxy.pro

Passing your API key through some random third party is an awful idea.

I might suggest @xiejie2438 scan for malware locally. There is a lot that will steal OpenAI API keys.

mdegans avatar Jun 24 '24 19:06 mdegans

> Passing your API key through some random third party is an awful idea.

Agreed, that is why I have a self-hosted proxy service in my C# generated client.

Typically auth through 3rd party OAuth provider (like google or firebase) then use their token in exchange for real key on self-hosted reverse proxy.

StephenHodgson avatar Jun 24 '24 19:06 StephenHodgson
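
The self-hosted proxy pattern described in the comments above, as an added example that is not code from this thread or from any participant's project: the proxy checks the caller's token, permits only the model the service is meant to use, and attaches the real key server-side. Assumptions: the HMAC-signed session token stands in for verifying the OAuth provider's token with that provider's own library, and `SESSION_SECRET`, `issue_token`, `verify_token`, `build_upstream_request` and `Rejected` are hypothetical names.

```python
import hashlib, hmac, json, os, time

# Assumed names (not from the thread). The real key lives only in the proxy's
# environment; the defaults below are constructed placeholders for offline runs.
SESSION_SECRET = os.environ.get("SESSION_SECRET", "constructed-demo-secret").encode()
UPSTREAM_KEY = os.environ.get("OPENAI_API_KEY", "sk-PLACEHOLDER")
UPSTREAM_URL = "https://api.openai.com/v1/chat/completions"
ALLOWED_MODELS = ("gpt-4o",)  # anything else is refused before it is billed

class Rejected(Exception):
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status

def _sign(msg):
    return hmac.new(SESSION_SECRET, msg.encode(), hashlib.sha256).hexdigest()

def issue_token(user, ttl=900, now=None):
    """Short-lived token handed out after the user authenticates (stand-in)."""
    msg = f"{user}.{int((now or time.time()) + ttl)}"
    return f"{msg}.{_sign(msg)}"

def verify_token(token, now=None):
    try:
        user, exp, sig = token.rsplit(".", 2)
        expires = int(exp)
    except ValueError:
        raise Rejected(401, "malformed token")
    if not hmac.compare_digest(sig.encode(), _sign(f"{user}.{exp}").encode()):
        raise Rejected(401, "bad signature")
    if expires < (now or time.time()):
        raise Rejected(401, "expired token")
    return user

def build_upstream_request(headers, body, now=None):
    """Return (user, url, headers, body) to forward, or raise Rejected."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise Rejected(401, "missing token")
    user = verify_token(auth[len("Bearer "):], now)
    try:
        payload = json.loads(body)
    except ValueError:
        raise Rejected(400, "body is not JSON")
    if not isinstance(payload, dict) or payload.get("model") not in ALLOWED_MODELS:
        raise Rejected(403, "model not allowed")
    # Client headers are dropped; only the server-held key goes upstream.
    out = {"Authorization": f"Bearer {UPSTREAM_KEY}", "Content-Type": "application/json"}
    return user, UPSTREAM_URL, out, json.dumps(payload).encode()
```

Logging the returned `user` with each forwarded request gives a per-caller record to compare against the provider's usage page when unexpected models show up on the bill.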