How do I find the owner of an OpenAI API Key?
tl;dr OpenAI provides three types of API keys: Legacy User Keys, Project Keys, and Service Account Keys. All three can query the /v1/me
endpoint to retrieve ownership details. TruffleHog automates this process with: trufflehog analyze openai
.
Understanding OpenAI API Key Types
OpenAI issues three distinct API key types, each serving a different purpose:
Legacy User Keys: Older keys tied directly to individual users. They grant access to all organizations and projects associated with the user. While still functional, migrating to Project Keys is recommended for improved security.
Project Keys: Scoped to a specific project and tied to a user account. If a user leaves the organization, their Project Key is disabled. For long-term system access, use Service Account Keys.
Service Account Keys: Designed for production systems, these keys are linked to a "bot" user at the organization level. They remain active even if individual users change, ensuring system continuity.
Retrieving API Key Details using TruffleHog
Manually crafting API requests is slow and impractical. Instead, run the following command to automate the process:

You’ll be prompted to enter the API key. TruffleHog will then:
Authenticate to OpenAI’s API servers.
Query the
/v1/me
endpoint.Extract key details such as:
Username
Email
Phone number
Organization details

If the key is a Service Account Key, OpenAI will only return the organizations tied to that key. You can use this information to infer ownership.
Example:
If a Service Account Key is created for a personal organization, the description
field will display something like:
Personal Org for [email protected]
Retrieving API Key Details Manually
Prefer a manual approach? Use this cURL
command to query key ownership:
For Legacy User Keys and Project Keys, parse the JSON output and look for:
email
name
phone_number
orgs
For Service Account Keys, check the description
field within the orgs
list to determine ownership.
Why This Matters
Identifying the owner of an OpenAI API key is essential for:
Security: Ensuring only authorized users or services have access.
Accountability: Tracking API usage back to the responsible entity.
Maintenance: Managing and rotating keys to prevent unauthorized access.
By leveraging the /v1/me
endpoint, you can quickly retrieve key details and take action to secure your OpenAI integrations.
STAY STRONG
DIG DEEP
DOING IT THE RIGHT WAY
SINCE 2021
© 2025 Truffle Security Co.