
The specs:

  • Mobile apps
  • LLM wrapper (of e.g. OpenAI API)
  • The chat history will be stored on the client
  • Backend is needed to manage the api key and to track token consumption / payment (how many tokens does the user/device have left?)

Because we need to track the token consumption, we need some sort of identifier:

  • Device UUID (generated in the client): easy, but seems unsafe
  • User account (e.g. authentication with JWT token)
  • Others (?)

I have been working on the JWT authentication and I'm mostly done, so "more work" would not be a contra anymore. I just took a step back and wondered if it's not overkill for this situation. If it increases the security of the tokens/payments tracking, it seems worth it. Any suggestions?

  • please don't cross-post: stackoverflow.com/questions/79657593/… Cross-posting is frowned upon as it leads to fragmented answers splattered all over the network... Commented Jun 8 at 7:35
  • @gnat ok, I deleted it from stackoverflow. Commented Jun 8 at 7:38
  • why do you think it's overkill? Commented Jun 8 at 9:03
  • Link only, so not an answer. OWASP is a good read. Commented Jun 8 at 10:49
  • VISA card number :) Commented Jun 8 at 13:45

1 Answer

That's what cost analysis is all about.

  1. Is it likely that your users would make an extra effort to tamper with the device UUID to get extra tokens?
  2. Why couldn't they just create additional accounts if you use JWT?
  3. How many users would you lose by requiring them to authenticate in order to use your service?
  4. What is the cost of (1) using device UUID (seems close to zero), (2) relying on JWT (seems also close to zero in your case given your skills), or (3) designing a mixed approach, such as “you don't need to login to try the service, but once you use N tokens, you have to login to continue”?

The same applies if you expect to use other approaches. For instance, requiring them to provide a phone number (and validating it by sending an SMS) makes it less likely that someone would go an extra step to get an additional phone number, but also would reduce the number of potential customers and cost more to implement.
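As an added illustration of the mixed approach in this answer (example code, not from the question or the answer), here is the server-side budget check that the question's backend would run around each LLM call. The trial size, the `device:`/`user:` principal prefixes and the in-memory store are assumptions, and the JWT is assumed to have been verified earlier so that an authenticated request arrives as a `user:` principal.

```python
"""Token budget policy for the mixed approach: an anonymous device UUID gets a
small trial budget, after which the client must log in; a logged-in user draws
from the budget they paid for. The provider API key stays on the server, so
this check is the only place where consumption can actually be enforced."""
from dataclasses import dataclass
from typing import Dict

TRIAL_TOKENS = 1_000  # N: trial budget per anonymous device UUID (assumed value)


@dataclass
class Decision:
    allowed: bool
    reason: str      # "ok", "login_required" or "budget_exhausted"
    remaining: int   # tokens still available to this principal


class TokenLedger:
    """In-memory stand-in for the backend's usage store, keyed by principal.
    Principals are 'device:<uuid>' (unauthenticated) or 'user:<jwt sub>' (assumed
    to come from a JWT the server has already verified)."""

    def __init__(self) -> None:
        self.used: Dict[str, int] = {}       # tokens consumed per principal
        self.purchased: Dict[str, int] = {}  # tokens bought per user account

    def _budget(self, principal: str) -> int:
        # Anonymous devices only ever get the fixed trial; users get what they paid for.
        if principal.startswith("device:"):
            return TRIAL_TOKENS
        return self.purchased.get(principal, 0)

    def remaining(self, principal: str) -> int:
        return max(self._budget(principal) - self.used.get(principal, 0), 0)

    def authorize(self, principal: str, estimated_tokens: int) -> Decision:
        """Run BEFORE forwarding the prompt to the LLM provider."""
        left = self.remaining(principal)
        if left >= estimated_tokens:
            return Decision(True, "ok", left)
        if principal.startswith("device:"):
            # Trial used up: tell the client it has to authenticate to continue.
            return Decision(False, "login_required", left)
        return Decision(False, "budget_exhausted", left)

    def charge(self, principal: str, actual_tokens: int) -> int:
        """Run AFTER the call, with the usage the provider reported (never a
        client-supplied count). Returns the budget left for the principal."""
        self.used[principal] = self.used.get(principal, 0) + actual_tokens
        return self.remaining(principal)
```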
