search

openai / openai-openapi

OpenAPI specification for the OpenAI API
https://platform.openai.com/docs/api-reference/introduction
MIT License
1.24k stars 359 forks source link

gpt-4o model #274

Open xiejie2438 opened 3 months ago

xiejie2438 commented 3 months ago

The model I passed in using the open AI API is gpt-4o, but I saw in the bill that my API key has the number of calls to other models. Does the gpt-4o model automatically convert to other models?

benadamdev commented 3 months ago

No, it doesn't. I think your API key was breached. You need to disable it and create a new one. If you're exposing the key inside a client (e.g iOS or Android app), you have to think of using a backend proxy.

xiejie2438 commented 3 months ago

No, it doesn't. I think your API key was breached. You need to disable it and create a new one. If you're exposing the key inside a client (e.g iOS or Android app), you have to think of using a backend proxy.

I have replaced the key, but there will still be calls to other models image

benadamdev commented 3 months ago

It was breached again. Every network request you make to OpenAI is sniffable. Your only chance at fighting this is building your own backend or trying some service like https://www.aiproxy.pro I haven't tried them myself but I built my own proxy. Good luck

xiejie2438 commented 3 months ago

Our requests to open AI are all initiated by backend services, not by clients such as browsers.

benadamdev commented 3 months ago

Someone must be using that key. I don't think there is any other explanation.

montesclarosglennbenedict commented 3 months ago

As @benadamdev said, the API key was likely compromised. Even if the requests are initiated by backend services, if the key is stored or transmitted insecurely it can be intercepted.

Have you considered internal misuse of the API key? Perhaps even backend services being compromised using whatever third-party packages you may be using.

Monitor the usage logs, check the security of the backend services, and like @benadamdev use a proxy service. Wishing you luck with this one!

mdegans commented 3 months ago

Every network request you make to OpenAI is sniffable.

This is not true. If your client is using TLS the key is not sniffable. So far as I know all generators use this by default.

https://www.aiproxy.pro

Passing your API key through some random third party is an awful idea.

I might suggest @xiejie2438 scan for malware locally. There is a lot that will steal OpenAI API keys.

StephenHodgson commented 3 months ago

Passing your API key through some random third party is an awful idea.

Agreed, that is why I have a self hosted proxy service in my C# generated client.

Typically auth through 3rd party OAuth provider (like google or firebase) then use their token in exchange for real key on self hosted reverse proxy.