OpenAI API Key
ID |
openai_apikey |
Severity |
high |
Vendor |
OpenAI |
Family |
API Token |
Description
OpenAI is an AI-based service used for understanding or generating natural language, code, or images. It provides an API to interact with a Large Language Models (LLM).
This detector looks for hardcoded API keys for this service.
Security
Any hardcoded OpenAI API Key is a potential secret reported by this detector.
If this key is accidentally leaked, for example during a commit to a code repository, your OpenAI account could be at risk.
Examples
# This is a project API Key openai_api_key = "sk-proj-IbZMaRbSKbcvf7tIWp0lT3BlbkFJ2ZAhT4Wkn62my7afNNYI" # And this is a legacy user API Key openai_api_key = "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"
Mitigation / Fix
-
Follow your policy for handling leaked secrets, which typically require revoking the secret in the target system(s). Go to Project API Keys or User API Keys.
-
Remove the OpenAI API Key from the source code or committed configuration file.
-
If under a git repository, you may remove unwanted files from the repository history using tools like
git filter-repoorBFG Repo-Cleaner. You may follow the procedure listed here for GitHub.You should consider any sensitive data in commits with secrets as compromised.
Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.
-
Check access logs to ensure that the secret was not used by unintended actors during the compromised period. Go to Usage:Activity to look for suspicious activity.
-
You may consider additional mitigation controls to limit the impact of future leaks. Follow the recommendations on API keys security.