Strategy for protecting API keys, like for ChatGPT or another service, using RevenueCat

Question

If I have an app and I want to use ChatGPT, I know not to put the API key hardcoded in the app. So I put it on my own server. What is the strategy for making sure only allowed users can access my app?

For instance, if in my app I require that the user have a subscription to access ChatGPT’s OpenAI endpoint, could I send the anonymous ID to my server, verify that the user is subscribed, and then perform the OpenAI endpoint relay?

Or should I be doing some additional signing in, like with Sign in with Apple?

Thanks!

icon

Best answer by cody 29 September 2023, 22:19

View original

cody · Accepted Answer

Hey @Matthew!In that case, I’d recommend using our REST API from your server to ensure the requesting user has access to the proper entitlement. Without an authentication system, there’s always a risk of users potentially manipulating the request to your server (i.e., just sending a user ID to your server isn’t enough to authenticate).That being said, you’ll have to weigh the risk of users manipulating each request to your server, vs. the effort of implementing an authentication system. But at least from your server, you can use our API to check whichever user ID is authenticated has access: https://www.revenuecat.com/reference/subscribers

Strategy for protecting API keys, like for ChatGPT or another service, using RevenueCat

1 reply

Reply

Reply

Sign up

‏‏‎ ‎

Log in to the Community

‏‏‎ ‎

Scanning file for viruses.

This file cannot be downloaded