
Why is this post published in November 2025 talking about GPT-4?

I'm suspicious of their methodology:

> Open DevTools (F12), go to the Network tab, and interact with their AI feature. If you see: api.openai.com, api.anthropic.com, api.cohere.ai You’re looking at a wrapper. They might have middleware, but the AI isn’t theirs.

But... everyone knows that you shouldn't make requests directly to those hosts from your web frontend because doing so exposes your API key in a way that can be stolen by attackers.

If you have "middleware" that's likely to solve that particular problem - but then how can you investigate by intercepting traffic?

Something doesn't smell right about this investigation.

It does later say:

> I found 12 companies that left API keys in their frontend code.

So that's 12 companies, but what about the rest?



Providers such as OpenAI have client keys so your client application can call the providers directly. Many developers prefer them as they save roundtrip costs and latency.

https://platform.openai.com/docs/api-reference/realtime-sess...


Do those still only work for the voice APIs though?

I've been hoping they would extend that to other APIs, and I'd love to see the same kind of mechanism for other providers.

UPDATE: I dug into this a bit more and as far as I can tell OpenAI are still the only major vendor with a consumer key mechanism and it still only works for their realtime voice APIs.


That's a big llm smell when it mentions old models like GPT-4



