The primary risk: Key exposure in client-side applications

The fastest way to build an AI feature is to call the OpenAI SDK directly from the mobile app or browser frontend. However, this pattern is a major vulnerability. Since client-side code is entirely public, any API key embedded in a mobile APK or JavaScript bundle is easily extracted.

Attackers use basic static analysis or proxy interception to capture your sk-... keys. Once they have your key, they can:

We recommend routing all LLM requests through a backend proxy that handles authorization, request sanitization, and rate limits.

Pentest finding

OpenAI API key extracted from mobile client bundle

During a security audit of a micro-finance app, we decompiled the Android application bundle. Inside the compiled JavaScript asset file, we found an active OpenAI API key with access to their production workspace. The key had no budget limits configured, exposing the company to unlimited billing risk.

Building a secure OpenAI proxy

Instead of calling OpenAI directly from client-side code, implement a secure backend route. The client calls your backend, and your backend forwards the sanitized request to OpenAI.

This allows you to control exactly how the API key is used:

// SECURE: Backend proxy using Express
app.post('/api/chat', async (req, res) => {
  // 1. Verify user session
  if (!req.session.userId) {
    return res.status(401).json({ error: "Unauthorized" });
  }

  // 2. Rate limit requests per user
  const limitReached = await checkRateLimit(req.session.userId);
  if (limitReached) {
    return res.status(429).json({ error: "Too many requests" });
  }

  // 3. Forward request to OpenAI securely
  const response = await openai.chat.completions.create({
    model: "gpt-4o-mini",
    messages: [{ role: "user", content: req.body.message }]
  });

  res.json(response);
});

Restricting OpenAI Project Keys

If you are using OpenAI in production, do not use a single administrator API key. OpenAI supports Project and Organization Keys.

Set up isolated keys for each environment (staging vs production) and assign them limited permissions. For instance, your staging API key should not have the rights to modify training data or delete custom models.

Configure hard billing limits in your OpenAI dashboard. Set up notifications to alert your engineering team if usage spikes unexpectedly.

OpenAI API Security Checklist

To make sure your integration is secure, follow these steps:

  1. No Keys in Frontend Code: Never allow sk-... strings to exist in client-side codebases.
  2. Rotate Keys Regularly: Implement a process to rotate API credentials every 90 days.
  3. Validate Inputs: Check incoming client text for command keywords or long injection payloads before sending them to OpenAI.

Let Simpa Labs audit your API integrations

We specialize in identifying exposed credentials and API logic vulnerabilities. We will review your mobile app binaries, check your backend proxies, and verify your rate limit setups to keep your infrastructure safe.

Book an API Security Review