How I Stole Your ChatGPT API Keys | by Jacob Bartlett | Feb, 2025 ...
The AI gold-rush is in full swing. And in a gold rush, baddies will steal shovels. One deadly mistake is commonplace: bundling ChatGPT API keys directly into your shiny new AI app. This makes it trivial to steal your keys, burn through your credits, and rack up painful bills.
Understanding the Security Law
Today, I’ll explain a fundamental Security Law: Don’t store API keys on the client. Like, ever. I’ll demonstrate two techniques that allow bad actors to access your API keys, and show you how to avoid the same fate. If you’re storing API keys on your device, you might employ various levels of sophistication to protect them. I’ll go through the most popular approaches in detail, and demonstrate how easily they are circumvented.
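The Security Law in code, as an added example that is not from the article: the key lives only on a server-side proxy, which attaches it from its own environment while the shipped client sends nothing but the conversation, plus a release-time check that scans a built client artifact for key-shaped strings before it ships. The upstream URL, model name, environment variable name and the `sk-` key pattern are assumptions, not taken from the article.

```python
import os
import re
from typing import Optional

# Assumed placeholders, not taken from the article: the upstream chat endpoint,
# the model name, and the environment variable the server reads its key from.
UPSTREAM_URL = "https://api.openai.com/v1/chat/completions"
MODEL_NAME = "example-model"
KEY_ENV_VAR = "OPENAI_API_KEY"

# Constructed sample of what the client app sends: just the conversation, no credentials.
CLIENT_PAYLOAD = {"messages": [{"role": "user", "content": "Hello"}]}

# Approximate shape of an "sk-..." secret key; an assumption used only for the release check.
KEY_PATTERN = re.compile(rb"sk-[A-Za-z0-9_-]{20,}")


def build_upstream_request(client_payload: dict, api_key: Optional[str] = None) -> dict:
    """Server-side proxy step: the key is attached here, from the server's own
    environment, so the client that ships to users never contains it."""
    if api_key is None:
        api_key = os.environ.get(KEY_ENV_VAR)
    if not api_key:
        # Fail closed: never fall back to a bundled or default key.
        raise RuntimeError("proxy has no API key configured")
    # The client is not trusted to supply credentials or override the auth header.
    forbidden = {"api_key", "authorization", "Authorization"}
    if forbidden & set(client_payload):
        raise ValueError("client payload must not carry credentials")
    messages = client_payload.get("messages")
    if not isinstance(messages, list):
        raise ValueError("client payload must contain a list of messages")
    return {
        "url": UPSTREAM_URL,
        "headers": {"Authorization": f"Bearer {api_key}",
                    "Content-Type": "application/json"},
        "body": {"model": MODEL_NAME, "messages": messages},
    }


def find_embedded_keys(artifact: bytes) -> list:
    """Release-time check over the built client (binary, plist, bundled config): any hit means a key was bundled."""
    return [m.decode() for m in KEY_PATTERN.findall(artifact)]


if __name__ == "__main__":
    req = build_upstream_request(CLIENT_PAYLOAD, api_key="sk-" + "x" * 40)
    print(req["body"])
    # Constructed artifact bytes standing in for a built app bundle.
    print("embedded keys found:", find_embedded_keys(b"\x00Info.plist\x00sk-" + b"A" * 40 + b"\x00"))
```

Run the second function over every file in the built bundle as a CI gate; a non-empty result fails the release.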

This is usually the first approach engineers take, prior to becoming securitypilled. When requesting data from an API, you’ll write something like this: