I’m working on a project that requires me to use an OpenAI API key. As of now, it’s just “sitting there” in my script.
What is the best way to “hide” it or keep it safe? It’s not my API key, it’s another team member’s key, and I don’t want anything to happen to it.
I know Unity has a Hash function, but doesn’t that require you to pass the key through as a parameter?
What is the best way to keep something like this safe?
The best way is to keep the key on your own backend server and never ever ship it to any client. Have the backend interact with the API and provide your own API for your application. There are no real other ways. In any case where the key is present on the client, someone can steal it since it has to be available in the clear when you use it with the API. Of course you could encrypt it, but the app itself needs to be able to decrypt it, otherwise it can not use it. Everything that happens on the client side is generally unsafe / untrusted. So critical stuff should be done on your own server.
Of course depending on how you setup your own API on your own backend server, someone could still use / abuse your API. Though they are not able to steal your API key since that would be kept secret on the server. When designing your own API you probably want to use some kind of API key of your own (a fix pre.shared key) as well as making sure you have something like a rate-limit for each user and or limit what you can actually do. The exact details depends on your usecase though.
A hash function is NOT encryption. This is a common mistake. A hash function is a one-way cipher and the main property is that it generally can not be reversed. OpenAI requires your actual key and not just the hash of the key. If you only store the hash of your key, you can not reconstruct your key which you need for the API.