Protect your OpenAI key in 5 minutes
Replace your real OpenAI API key with a host-bound sanitized token that is worthless if stolen. No SDK changes - just two environment variable updates.
Prerequisites
- A KeyVault Edge account (free)
- An active OpenAI API key
- A project using the OpenAI Node.js or Python SDK
Step 1: Create a sanitized token
In the KeyVault Edge dashboard, go to Tokens → New Token.
Select OpenAI as the target provider. Enter your real OpenAI API key - it will be encrypted and stored in our HSM.
Add your authorised origins: yourdomain.com, staging.yourdomain.com, and localhost for local development.
Copy the generated sanitized token - it looks like kve_hb_....
Step 2: Update your environment variables
.env.local
# Replace your real key with the sanitized token
OPENAI_API_KEY=kve_hb_<YOUR_TOKEN_HERE>

# Point the SDK at our proxy
OPENAI_BASE_URL=https://openai.keyvaultedge.com/v1

This file is now safe to commit. The sanitized token is worthless outside your authorised origins.
Step 3: Verify
Terminal
# Your existing code works unchanged
node -e "const OpenAI = require('openai'); const openai = new OpenAI(); openai.models.list().then(r => console.log('✓ Connected:', r.data.length, 'models'));"

That's it
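The following is an added example, not code from KeyVault Edge or the OpenAI SDK. It turns Steps 2 and 3 into a check you can run before committing or deploying: it confirms that OPENAI_API_KEY carries the kve_hb_ prefix rather than a real key, that OPENAI_BASE_URL points at the proxy over HTTPS, and it scans file contents for anything shaped like a real OpenAI key. It assumes (not stated on this page) that real OpenAI keys begin with "sk-" followed by a long alphanumeric body; the proxy host is taken from the OPENAI_BASE_URL shown above. The sample inputs are constructed and contain no real credentials.

```javascript
// Added example (not KeyVault Edge's or OpenAI's own code): a pre-commit /
// pre-deploy check for the two variables set in Step 2, plus a scan that
// catches a real key before it reaches git. Only redacted values are reported.
// Assumptions (not from the page): real OpenAI keys look like "sk-" followed by
// at least 20 alphanumeric characters.
'use strict';

const SANITIZED_PREFIX = 'kve_hb_';                   // token prefix shown in Step 1
const PROXY_HOST = 'openai.keyvaultedge.com';         // host from OPENAI_BASE_URL in Step 2
const REAL_KEY_RE = /\bsk-[A-Za-z0-9_-]{20,}\b/;      // assumed shape of a real key
const REAL_KEY_RE_ALL = new RegExp(REAL_KEY_RE.source, 'g');

// Show only enough of a secret to identify it in a report, never the whole value.
function redact(secret) {
  return secret.length <= 8 ? '***' : `${secret.slice(0, 4)}...${secret.slice(-4)}`;
}

// Validate OPENAI_API_KEY / OPENAI_BASE_URL from an env-like object.
// Returns { ok, problems } so it can gate a CI job or a deploy script.
function checkOpenAIEnv(env) {
  const problems = [];
  const key = env.OPENAI_API_KEY || '';
  const base = env.OPENAI_BASE_URL || '';

  if (!key) {
    problems.push('OPENAI_API_KEY is not set');
  } else if (REAL_KEY_RE.test(key)) {
    problems.push(`OPENAI_API_KEY (${redact(key)}) looks like a real OpenAI key, not a sanitized token`);
  } else if (!key.startsWith(SANITIZED_PREFIX)) {
    problems.push(`OPENAI_API_KEY (${redact(key)}) does not carry the ${SANITIZED_PREFIX} prefix`);
  }

  if (!base) {
    problems.push('OPENAI_BASE_URL is not set; the SDK would send the token to api.openai.com');
  } else {
    let url;
    try {
      url = new URL(base);
    } catch {
      problems.push(`OPENAI_BASE_URL is not a valid URL: ${base}`);
    }
    if (url) {
      if (url.protocol !== 'https:') {
        problems.push('OPENAI_BASE_URL must use https: so the token is never sent in clear text');
      }
      if (url.hostname !== PROXY_HOST) {
        problems.push(`OPENAI_BASE_URL points at ${url.hostname}, not the proxy ${PROXY_HOST}`);
      }
    }
  }
  return { ok: problems.length === 0, problems };
}

// Scan text (e.g. a staged file) for real-key shapes. Returns [{ line, redacted }].
function findRealKeys(text) {
  const hits = [];
  text.split('\n').forEach((lineText, i) => {
    for (const match of lineText.match(REAL_KEY_RE_ALL) || []) {
      hits.push({ line: i + 1, redacted: redact(match) });
    }
  });
  return hits;
}

// Constructed sample inputs (not real credentials).
const SAMPLE_ENV_GOOD = {
  OPENAI_API_KEY: 'kve_hb_EXAMPLE_TOKEN_0123456789',
  OPENAI_BASE_URL: 'https://openai.keyvaultedge.com/v1',
};
const SAMPLE_FILE_LEAKY = [
  '# .env.local (constructed sample)',
  'OPENAI_API_KEY=sk-EXAMPLE0123456789abcdefghijklmnopqrstuvwxyz',
  'OPENAI_BASE_URL=https://api.openai.com/v1',
].join('\n');

function demo() {
  console.log(checkOpenAIEnv(SAMPLE_ENV_GOOD));   // { ok: true, problems: [] }
  console.log(findRealKeys(SAMPLE_FILE_LEAKY));   // [ { line: 2, redacted: 'sk-E...wxyz' } ]
  console.log(checkOpenAIEnv(process.env));       // your shell's actual settings
}
demo();
```

Run it as a pre-commit hook over staged files and as the first step of a deploy job; because it only ever prints redacted values, the check itself cannot leak the secret it is looking for into CI logs.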
- Real OpenAI key never in your codebase or deployment env
- Breach alert fires if anyone tries to use your token from an unauthorized origin
- Request logs in the KeyVault Edge dashboard