Skip to main content

If I have an app and I want to use ChatGPT, I know not to put the API key hardcoded in the app. So I put it on my own server. What is the strategy for making sure only allowed users can access my app?

For instance, if in my app I require that the user have a subscription to access ChatGPT’s OpenAI endpoint, could I send the anonymous ID to my server, verify that the user is subscribed, and then perform the OpenAI endpoint relay?

Or should I be doing some additional signing in, like with Sign in with Apple?

Thanks!

Hey @Matthew!

In that case, I’d recommend using our REST API from your server to ensure the requesting user has access to the proper entitlement. Without an authentication system, there’s always a risk of users potentially manipulating the request to your server (i.e., just sending a user ID to your server isn’t enough to authenticate).

That being said, you’ll have to weigh the risk of users manipulating each request to your server, vs. the effort of implementing an authentication system. But at least from your server, you can use our API to check whichever user ID is authenticated has access: https://www.revenuecat.com/reference/subscribers


Reply