I’m building a Flutter app that requires the OpenAI GPT3 API, and I’m not sure how to implement it. Currently, I’m using a single API key that’s stored in a .env file and accessed via the flutter_dotenv package. I’m wondering whether it’s best to use this one API key for all users of the app, or whether I should implement an API gateway and generate temporary API keys for each user.
While I don’t anticipate reaching the request limit for my single API key after I release the app, I’m uncertain about the best approach. What are the potential downsides to using a single API key for all users, and what are the benefits of generating temporary keys for each user? Would an API gateway be necessary for my use case?
2 Answers
There are benefits and downsides to both approaches. I would recommend you go with a single API key for the sake of simplicity and API key management, if you don’t anticipate reaching the limits of the OpenAI API. That means it is easy to implement and needs less management.
Downsides of using a single API key: security risk if it gets exposed, so just make sure it doesn’t leave your backend for your frontend; you’ll have to manage/limit individual users using your user management service; and finally, if you reach the rate limit it’ll affect all users.
Benefits of using an API key per user (the opposite of the downsides above): more security and reduced risk, control of quotas per user, and rate limiting without affecting other users.
You should decide what’s best suited for your use case.
Are you concerned about security or people abusing your tool and hurting your OpenAI API limits?
Security
If you are concerned about security, keep your API key secret, and make sure it does not leak to any frontend or public repo.
You can even use secret manager solutions like Doppler, AWS Secret Manager, or 1password for developers.
Cost/API limits
You may want to reduce the risk of someone harming your system and potentially costing you thousands of dollars by making a lot of API requests.
One solution is to track on your side how many calls are made over a period of time per user.
Ex: one user can generate 15 completions per period of 24 hours.
If you offer a paying plan for your service, this is an incentive for people to upgrade.
To fight abuse, OpenAI has also implemented end-user IDs.
You can add a user parameter to your API requests. It will identify which user is responsible for which API call, and eventually you can shut it down.
Here you can read more in the doc.
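The pattern both answers describe (key stays on the backend, per-user quota such as 15 completions per 24 hours, and OpenAI's `user` field for abuse tracking) as one added Python example. This is not code from the original thread or from OpenAI; it is a sketch of the backend your Flutter app would talk to instead of calling OpenAI directly. The environment variable names, the `QuotaTracker` class, the HMAC-derived user identifier, the `BLOCKED_USERS` set and the placeholder key are all assumptions for illustration; the request URL and the `model`, `prompt`, `max_tokens` and `user` fields match OpenAI's completions endpoint. The upstream call itself is not made, so the block runs offline.

```python
"""Backend proxy for a mobile app that uses the OpenAI API.

The OpenAI key never reaches the app. The app authenticates to this backend
with its own session, the backend enforces a per-user quota, and each
upstream request carries an opaque `user` id so abusive accounts can be
identified from OpenAI's side and blocked on yours.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# Assumption: the key is read from the backend's environment, never bundled
# into the app. A constructed placeholder keeps the example runnable offline.
OPENAI_API_KEY = os.environ.get("OPENAI_API_KEY", "sk-constructed-placeholder")
# Assumption: a server-side secret used to derive the opaque per-user id.
USER_ID_PEPPER = os.environ.get("USER_ID_PEPPER", "constructed-pepper").encode()

QUOTA_LIMIT = 15                    # completions per user ...
QUOTA_WINDOW_SECONDS = 24 * 60 * 60 # ... per rolling 24-hour window


class QuotaExceeded(Exception):
    pass


class QuotaTracker:
    """Sliding-window counter: at most `limit` calls per `window` seconds per user.

    In-memory for the example; a real deployment would back this with Redis
    or a database so every backend instance sees the same counts.
    """

    def __init__(self, limit=QUOTA_LIMIT, window=QUOTA_WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._calls = defaultdict(deque)  # user_id -> timestamps of recent calls

    def _prune(self, user_id, now):
        q = self._calls[user_id]
        while q and now - q[0] >= self.window:
            q.popleft()

    def remaining(self, user_id, now=None):
        now = time.time() if now is None else now
        self._prune(user_id, now)
        return self.limit - len(self._calls[user_id])

    def consume(self, user_id, now=None):
        """Record one call for user_id, or raise QuotaExceeded without recording."""
        now = time.time() if now is None else now
        self._prune(user_id, now)
        if len(self._calls[user_id]) >= self.limit:
            raise QuotaExceeded(f"{user_id}: {self.limit} calls per {self.window}s exceeded")
        self._calls[user_id].append(now)


def opaque_user_id(user_id):
    """Stable, non-reversible identifier to send to OpenAI as `user`.

    An HMAC keeps the raw account id out of a third party's logs while still
    letting you map an abuse report back to the account on your side.
    """
    return hmac.new(USER_ID_PEPPER, user_id.encode(), hashlib.sha256).hexdigest()[:32]


def build_upstream_request(user_id, prompt, quota, model="gpt-3.5-turbo-instruct", now=None):
    """Charge the user's quota, then return (url, headers, body) for OpenAI.

    The API key appears only in the Authorization header of this server-side
    request; nothing returned to the app contains it.
    """
    quota.consume(user_id, now)
    url = "https://api.openai.com/v1/completions"
    headers = {
        "Authorization": f"Bearer {OPENAI_API_KEY}",
        "Content-Type": "application/json",
    }
    body = {
        "model": model,
        "prompt": prompt,
        "max_tokens": 256,
        "user": opaque_user_id(user_id),  # OpenAI end-user id for abuse monitoring
    }
    return url, headers, body


BLOCKED_USERS = set()  # accounts shut down after an abuse report (assumption)


def handle_app_request(session_user, prompt, quota, now=None):
    """Endpoint the Flutter app calls (behind your own authentication).

    Returns a dict the app can act on; the OpenAI key is never part of it.
    """
    if session_user in BLOCKED_USERS:
        return {"status": 403, "error": "account blocked"}
    try:
        url, headers, body = build_upstream_request(session_user, prompt, quota, now=now)
    except QuotaExceeded:
        return {"status": 429, "error": "daily limit reached; upgrade for more"}
    # Production: forward (url, headers, body) with requests/httpx and relay the completion.
    return {"status": 200, "upstream_url": url, "upstream_body": body}
```

Two points worth noting when adapting this: the quota check happens before the upstream call, so a user who is over the limit costs you nothing, and the `user` value is derived rather than the raw account id, so a leak of OpenAI-side logs does not expose your user table while you can still recompute the mapping when OpenAI flags an id.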