How do I find the owner of an OpenAI API Key?

tl;dr OpenAI provides three types of API keys: Legacy User Keys, Project Keys, and Service Account Keys. All three can query the /v1/me endpoint to retrieve ownership details. TruffleHog automates this process with: trufflehog analyze openai.

Understanding OpenAI API Key Types

OpenAI issues three distinct API key types, each serving a different purpose:

  • Legacy User Keys: Older keys tied directly to individual users. They grant access to all organizations and projects associated with the user. While still functional, migrating to Project Keys is recommended for improved security.

  • Project Keys: Scoped to a specific project and tied to a user account. If a user leaves the organization, their Project Key is disabled. For long-term system access, use Service Account Keys.

  • Service Account Keys: Designed for production systems, these keys are linked to a "bot" user at the organization level. They remain active even if individual users change, ensuring system continuity.

Retrieving API Key Details using TruffleHog

Manually crafting API requests is slow and impractical. Instead, run the following command to automate the process:

trufflehog analyze openai

You’ll be prompted to enter the API key. TruffleHog will then:

  1. Authenticate to OpenAI’s API servers.

  2. Query the /v1/me endpoint.

  3. Extract key details such as:

    • Username

    • Email

    • Phone number

  • Organization details

If the key is a Service Account Key, OpenAI will only return the organizations tied to that key. You can use this information to infer ownership.

Example:

If a Service Account Key is created for a personal organization, the description field will display something like:

Personal Org for [email protected]

Retrieving API Key Details Manually

Prefer a manual approach? Use this cURL command to query key ownership:

curl -H "Authorization: Bearer <API_KEY>" https://api.openai.com/v1/me

For Legacy User Keys and Project Keys, parse the JSON output and look for:

  • email

  • name

  • phone_number

  • orgs

For Service Account Keys, check the description field within the orgs list to determine ownership.
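The parsing logic the two sections above describe, as an added example that is not part of the original post or of TruffleHog: it takes a /v1/me JSON document and returns the key type and inferred owner, handling both the user-key case (email/name present) and the service-account case (only orgs returned, owner inferred from an org description). The exact response layout (orgs as a list, or as an object with a data list) and the sample payloads are assumptions, not real API output.

```python
"""Determine the owner of an OpenAI API key from a /v1/me response.

Added example; the response structure is assumed from the field names the
post lists, and the sample payloads below are constructed, not real output.
"""
import json
import re
import urllib.request

ME_URL = "https://api.openai.com/v1/me"


def fetch_me(api_key: str) -> dict:
    """Same request as the curl command: GET /v1/me with a Bearer token."""
    req = urllib.request.Request(ME_URL, headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def identify_owner(me: dict) -> dict:
    """Return {'key_type', 'owner', 'orgs'} from a parsed /v1/me document."""
    orgs = me.get("orgs", [])
    org_list = orgs.get("data", []) if isinstance(orgs, dict) else orgs  # assumed layouts
    org_names = [o.get("name") or o.get("id") for o in org_list]
    # Legacy User Keys and Project Keys: user fields are returned directly.
    if me.get("email"):
        return {"key_type": "user-or-project", "owner": me["email"], "orgs": org_names}
    # Service Account Keys: only orgs come back, so infer the owner from an
    # org description of the form "Personal Org for <email>".
    for org in org_list:
        m = re.search(r"Personal Org for (\S+@\S+)", org.get("description") or "")
        if m:
            return {"key_type": "service-account", "owner": m.group(1), "orgs": org_names}
    return {"key_type": "service-account", "owner": None, "orgs": org_names}


# Constructed sample responses covering both cases.
USER_KEY_SAMPLE = {
    "name": "Alice Example", "email": "alice@example.com", "phone_number": None,
    "orgs": {"data": [{"id": "org-aaa", "name": "acme", "description": "Acme Corp"}]},
}
SERVICE_KEY_SAMPLE = {
    "orgs": {"data": [{"id": "org-bbb", "name": "alice-personal",
                       "description": "Personal Org for alice@example.com"}]},
}

if __name__ == "__main__":
    for sample in (USER_KEY_SAMPLE, SERVICE_KEY_SAMPLE):
        print(identify_owner(sample))
```

To run it against a live key, call `fetch_me(api_key)` and pass the result to `identify_owner`.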

Why This Matters

Identifying the owner of an OpenAI API key is essential for:

  • Security: Ensuring only authorized users or services have access.

  • Accountability: Tracking API usage back to the responsible entity.

  • Maintenance: Managing and rotating keys to prevent unauthorized access.

By leveraging the /v1/me endpoint, you can quickly retrieve key details and take action to secure your OpenAI integrations.