I'm building a Flutter app that requires the OpenAI GPT3 API, and I'm not sure how to implement it. Currently, I'm using a single API key that's stored in a .env file and accessed via the flutter_dotenv package. I'm wondering whether it's best to use this one API key for all users of the app, or whether I should implement an API gateway and generate temporary API keys for each user.
While I don't anticipate reaching the request limit for my single API key after I release the app, I'm uncertain about the best approach. What are the potential downsides to using a single API key for all users, and what are the benefits of generating temporary keys for each user? Would an API gateway be necessary for my use case?
Are you concerned about security or people abusing your tool and hurting your OpenAI API limits?
Security
If you are concerned about security, keep your API key secret, and make sure it does not leak to any frontend or public repo. You can even use secret manager solutions like Doppler, AWS Secret Manager, or 1password for developers.
Cost/API limits
You may want reduce the risk of someone harming your system and potentially costing you thousands of dollars by making a lot of API requests. One solution is to track on your side how many calls are made over a period of time per user. Ex: one user can generate 15 completions per period of 24 hours.
If you offer a paying plan for your service, this is an incentive for people to upgrade.
To fight abuse, OpenAI has also implemented End-user Ids.
You can add a user parameter to your API requests. It will identify which user is responsible for which API call, and eventually, you can shut it down.
Here you can read more in the doc.