uglyrobot
commented
1 year ago No the key should be able to be defined in the .env file for the server so it’s never exposed.
Open jkomoros opened 1 year ago
uglyrobot
commented
1 year ago No the key should be able to be defined in the .env file for the server so it’s never exposed.
An OpenAI_API_Key is sensitive--anyone who has access to it can incur charges on behalf of whoever's key it is. Polymath is careful in its design to ensure that no one's key is abused, which it could be if it were in the public webclient.
However, that also means that demos are hard to do--you can't send a link and have it work, it needs complex explainers about how to get an OpenAI API key and store it.
We should add ways for people to have an easier demo for people who don't want to go get an OpenAI_API_Key.
Two options, not necessarily exclusive: 1) A similar mechanism to the URL-passing approach of the access token. That is, you can add a parameter to the URL that contains the OpenAI API key, and when the page loads it's stored in local storage and the URL cleared. This one is a little harder to accidentally leave open to misuse. 2) A new property in access.SECRET.json:webclient that sets the openAI key and just embeds it directly in the page. We'd probably want to name this property so it's hard to use accidentally, like
DANGEROUS_demo_openai_api_key.In either case, the host should be encouraged to generate a new secret key that they revoke in the future from their account once they're done with it.