0

I want to embed ChatGPT inside our SharePoint and I found this web part @ https://github.com/pnp/sp-dev-fx-webparts/tree/main/samples/react-chat-gpt. But the issue is that it stores the ChatGPT API key inside the web part properties, which will be available to all users, so is this fine from a security perspective?

Thanks

1 Answer

2

No, secret API keys shouldn't be shared client side. If you're exposing the API key client side, then a user could share it with other people outside of your organisation. OpenAI have provided some best practices for API key safety:

Best Practices for API Key Safety

4
  • Yes, I agree the approach is very insecure. So could this SPFx provide a more secure way @ github.com/pnp/sp-dev-fx-webparts/tree/main/samples/… where the API key will be stored inside Azure Function app settings? Commented Mar 6, 2023 at 14:10
  • 1
    Looking at that SPFx project, it doesn't store the API key in the SPFx web part settings. A prerequisite of the project is to create an Azure Function app where the API key is stored as an app setting. Commented Mar 6, 2023 at 14:14
  • So it should be fine to use it then, as the Azure Function configuration settings are secured, am I correct? Commented Mar 6, 2023 at 14:22
  • 1
    Correct, it's not using web part settings to store the API key. Azure web app settings are only accessible to those with access to the web app settings and the app itself. I personally would store the API key in an Azure Key Vault and access the API from the Key Vault using managed identity. Commented Mar 6, 2023 at 14:26
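
The pattern the comments above settle on (API key held in an Azure Function app setting, browser sends only chat messages) is shown here as an added example; it is not code from the linked SPFx sample. The setting name `OPENAI_API_KEY`, the function names, the role allow-list and the size limits are assumptions.

```javascript
// Added example: server-side proxy logic for a function app (names are assumptions).
// App settings reach function code as environment variables, so the key is read
// from `env` on the server and never from anything the browser sends.
const UPSTREAM_URL = "https://api.openai.com/v1/chat/completions";
const ALLOWED_ROLES = new Set(["user", "assistant"]); // clients may not inject "system"

// Build the outbound request. Key-like fields supplied by the client are ignored.
function buildUpstreamRequest(clientBody, env) {
  const apiKey = env.OPENAI_API_KEY; // assumed app setting name
  if (!apiKey) throw new Error("API key app setting is not configured");
  const messages = Array.isArray(clientBody && clientBody.messages) ? clientBody.messages : [];
  if (messages.length === 0 || messages.length > 20) throw new Error("invalid messages");
  const clean = messages.map((m) => {
    if (!m || !ALLOWED_ROLES.has(m.role) || typeof m.content !== "string") {
      throw new Error("invalid message");
    }
    return { role: m.role, content: m.content.slice(0, 4000) }; // assumed length cap
  });
  return {
    url: UPSTREAM_URL,
    method: "POST",
    headers: { "Content-Type": "application/json", Authorization: `Bearer ${apiKey}` },
    body: JSON.stringify({ model: "gpt-3.5-turbo", messages: clean }),
  };
}

// Hand the browser only the reply text; upstream error bodies are not echoed
// because they can contain fragments of the key or account details.
function toClientResponse(upstreamStatus, upstreamJson) {
  if (upstreamStatus !== 200) return { status: 502, body: { error: "upstream request failed" } };
  const reply = upstreamJson?.choices?.[0]?.message?.content ?? "";
  return { status: 200, body: { reply } };
}

// Handler with an injectable fetch so the whole flow can be exercised offline.
async function handleChat(clientBody, env, fetchImpl) {
  let req;
  try {
    req = buildUpstreamRequest(clientBody, env);
  } catch (e) {
    return { status: 400, body: { error: "bad request" } }; // no config detail to the client
  }
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  return toClientResponse(res.status, await res.json());
}
```

In a deployed function, `env` would be `process.env` and `fetchImpl` the runtime's `fetch`; the web part then calls the function's URL and holds no secret.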
