Securely adding OPENAI_API_KEY #15864
Hi Everyone 👋,

I was trying to set up a remote IDE based on Theia (with AI enabled), which will be running in Docker containers. I was going through the docs to see how I can set the OPENAI_API_KEY, and found 2 ways:

a) by adding "ai-features.openAiOfficial.openAiApiKey" in settings.json
b) by setting an environment variable, OPENAI_API_KEY

Both of these worked, but both of these exposed the API key to the user. The doc has this line added: "Use the environment variable OPENAI_API_KEY to set the key securely."

What are the options available to me to hide the API key from the user? Any help is appreciated 🙏🏻.

Thanks,
Replies: 3 comments 2 replies
Hi @pawansingh00,

That's a good point. We should clarify the text in the future. Security is always relative to the specific use case. What we intended to convey is that passing the OPENAI_API_KEY via environment variables avoids leaving a potentially unexpected clear text copy of the key on the file system. This text is mainly intended for users of the Theia IDE where this preference will be exposed as-is.

Since you're working on a Theia based application, you have full control over how to handle the API key. You can implement your own LLM provider or copy and customize the existing OpenAI integration. In your customization, you could for example hard code the key or retrieve it from a secure external source like a secrets management service. Let me know if you require more information.

@sdirix any reason we're not storing the API key via the credentials service?
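
The reply above suggests a customized provider that retrieves the key from a secure external source such as a secrets management service. A sketch of the key-handling part follows, as an added example that is not Theia code and not part of the original replies; `takeFromEnv`, `createKeyHolder` and `fetchSecret` are hypothetical names, and the secrets service client behind `fetchSecret` is assumed.

```javascript
// Added example, not Theia code. All names are hypothetical; `fetchSecret`
// stands in for the client of whatever secrets service is in use.

// Read a secret from the environment once, then remove it so that processes
// spawned later (for example integrated terminals) do not inherit it.
// Caveat: on Linux the initial environment of the backend process stays
// readable through /proc/<pid>/environ by anyone running as the same UID.
function takeFromEnv(env, name) {
  const value = env[name];
  delete env[name];
  return value && value.trim() ? value.trim() : undefined;
}

// Keeps the key in a closure: serializing or stringifying the holder never
// emits it, and nothing is written to settings.json or back to the environment.
function createKeyHolder({ initial, fetchSecret, ttlMs = 300000, now = Date.now }) {
  let key = initial;
  let expires = initial ? Infinity : 0;
  let pending = null;

  async function get() {
    if (key && now() < expires) return key;
    if (!fetchSecret) throw new Error('no API key source configured');
    // Share one in-flight request between concurrent callers.
    pending = pending || fetchSecret().finally(() => { pending = null; });
    const fetched = await pending;
    if (typeof fetched !== 'string' || fetched === '') {
      throw new Error('secrets service returned no key');
    }
    key = fetched;
    expires = now() + ttlMs; // re-fetch after the TTL so rotated keys are picked up
    return key;
  }

  return {
    get,
    // Build the header per request instead of storing the key on a config object.
    authHeader: async () => ({ Authorization: `Bearer ${await get()}` }),
    toJSON: () => '[redacted]',
    toString: () => '[redacted]',
  };
}
```

A backend would call `takeFromEnv(process.env, 'OPENAI_API_KEY')` at startup, before any terminal is spawned, and pass the result as `initial`, or omit it and supply only `fetchSecret`.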