DEV Community

Fernando Flores


Using leaked OpenAI API keys: it seemed like a good idea… until it wasn’t

I had one week to deliver a project: a voice-based virtual assistant for desktop with artificial intelligence.

Tight deadline, high expectations, and an important detail: zero budget.

Building an AI from scratch in a week wasn't realistic, so I took the obvious route: using the OpenAI API. It worked great... until I checked the pricing. For a school project, paying didn't sound very appealing.

So I did what many students under pressure would do: I started looking for alternatives.

The "creative" solution I found on GitHub

While digging through GitHub, I came across a repository called "ChatGPT-API-Scanner". I really liked the name; I had found my solution...

The repository contained a Python script that performs web scraping across GitHub, specifically scanning .env files to find publicly exposed API keys. In other words, it looks for repositories where someone accidentally committed their key.
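The committed .env file is the weak point that scanner relies on, and it is also the cheapest place to stop the leak. Below is an added example (not from the post or from the scanner it mentions): a pre-commit check that refuses to commit dotenv files or strings shaped like an OpenAI key; the `sk-` prefix followed by 20 or more characters is an assumed pattern, not an official key specification.

```python
"""Pre-commit check: block commits that would publish an OpenAI-style API key.

Added example; the key shape below is an assumption, not an official format.
"""
import re
import subprocess
import sys
from pathlib import Path

# Assumed shape of an OpenAI-style secret. Real keys vary in length and charset,
# so staged dotenv files are flagged outright regardless of their contents.
KEY_PATTERN = re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b")
ENV_FILENAMES = {".env", ".env.local", ".env.production"}

# Constructed sample (not a real key) so the check can be exercised offline.
SAMPLE_ENV = "OPENAI_API_KEY=sk-EXAMPLEEXAMPLEEXAMPLE1234567890\nDEBUG=true\n"


def find_secrets(path: str, text: str) -> list[str]:
    """Return the reasons this file must not be committed (empty list means OK)."""
    reasons = []
    if Path(path).name in ENV_FILENAMES:
        reasons.append(f"{path}: dotenv file staged; add it to .gitignore")
    for lineno, line in enumerate(text.splitlines(), 1):
        if KEY_PATTERN.search(line):
            reasons.append(f"{path}:{lineno}: OpenAI-style key found")
    return reasons


def staged_files() -> list[str]:
    """List files added or modified in the index (what the commit would publish)."""
    cmd = ["git", "diff", "--cached", "--name-only", "--diff-filter=AM"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return [line for line in out.splitlines() if line]


def main() -> int:
    problems = []
    for path in staged_files():
        # Read the staged blob, not the working tree, so unstaged edits cannot hide a key.
        shown = subprocess.run(["git", "show", f":{path}"], capture_output=True, text=True)
        if shown.returncode == 0:
            problems += find_secrets(path, shown.stdout)
    for problem in problems:
        print(problem, file=sys.stderr)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

Saved as `.git/hooks/pre-commit` (executable), a non-zero exit aborts the commit before the key ever reaches a remote.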

It sounds bad. Technically, it is, but that's where the uncomfortable question shows up:

If someone exposes their API key publicly, is using it still stealing?

I'm not justifying it, but when you're on a deadline, the line doesn't feel as clear as it should.

The reality behind "free" API keys

Running the script isn't fast. Each execution takes around 1 to 2 hours. On average, it finds about 10 API keys, but only around 4% of them actually work.

In plain terms, each run gives you 0.4 usable keys.

On paper, it sounds acceptable. After a few runs, something should work. And yes... sometimes it does.

The first key I found worked for five days. The project was going well, the assistant responded correctly, testing was smooth. It felt like I had hacked the system.

When everything breaks

One day before the deadline, the API key stopped working. Expired. No warning. No mercy.

I panicked, ran the script again, waited another eternity, and found a new key. This one worked... for four hours.

The project was due that same day. There was no backup plan.

I ended up buying an official OpenAI API key at the last possible moment.

So... was it worth it?

On paper, using leaked API keys looks like a smart move: no cost, "it works", no one notices.

In reality, you lose a lot of hours, it's unreliable, your project depends on something that can die at any moment, and the stress isn't worth it.

Beyond ethics, there's one key lesson I learned the hard way: "Free becomes expensive when you depend on it."

I didn't pay for the API because it was the right thing to do. I paid because it was the only reliable option.

Was it OK?

Is it ethical to use publicly exposed API keys?
Is the fault on the person who leaked it, or the one who uses it?
Is saving a few dollars worth risking your entire project?

I don’t have a definitive answer.
But after going through this, one thing is clear to me: if your project matters, don’t build it on something you don’t control.

Sometimes paying isn’t a luxury.
It’s simply the least painful option.
