Forum Discussion

JohnCooper-be3c's avatar
JohnCooper-be3c
Community Member
7 days ago

 @GarimaGupta-0f5 Please be VERY careful about this approach. Running your demo means I would be able to see your API Service Key i.e. the API key you are using to call your arthalearning.com AI proxy service. It is definitely NOT OK to include an API service key in your client side JavaScript code. Anything that runs in the browser means:

  • Learners can see it
  • Anyone can copy it
  • Anyone can reuse it outside the course

That means:

  • Unauthorized API usage
  • Possible abuse of the AI service

If you were to expose an OpenAI API Key in this way you would almost certainly be breaching their terms of use.

The correct way to do this is

Client (Storyline / browser):

  • Sends learner text only
  • NO API keys

Server (secure backend app that):

  • Stores the AI key safely (as an env variable)
  • Validates requests
  • Calls AI Service
  • Returns sanitized results

 

  • GarimaGupta-473's avatar
    GarimaGupta-473
    Community Member
    5 days ago

    Hi John, 

    You are absolutely right, direct api calls via Javascript from Storyline exposes the API key. There is no way to send it as a secure environmental variable from client side though, so you must have a dedicated server that can put in your api key for you. 

    The way we handle it in AIReady is an interesting workaround. API keys can be 'tied' to your domain, and that is checked on server end. Traffic is only let through if it's coming from a whitelisted domain, such as your LMS. Also, the api key is not openai's key - it is a api to the server itself - and has hard limits set to avoid abuse. 

    Happy to chat more about it, it is fascinating stuff balancing security, innovation and learner experience. 

    Cheers,

    Garima.