BYO API key

When applications like Cursor offer you the chance to use your own API key, how do they implement that? When I am creating a software application that requires some API key, I store it in a secure file that is not exposed to the internet. But how are keys that are explicitly collected over the internet from your users stored and used? Plus, how are the requests made? Is it client-side or server-side? Wouldn’t ChatGPT get pissed if you send requests that are small in size from like 100 API keys from a single server instead of you just being a good boy and using a single API key? So, how do they implement it without getting blacklisted? Or when you are not using your users’ keys and use your own, there might be a limit after which a single key is not able to handle the load. Then you have to create multiple keys. So, how do you manage that process of creating API keys and using them?

And if some applications are using it client-side, such that you are storing them on your users’ computers, and they are sending requests to OpenAI or Claude, then that means the requests are not that special. Your application is kind of collating some information, inserting some prompt that is gathered from your app, and then it is sent to OpenAI or Claude. So, it is not really different from some Instagram guy saying, “Hey, I will sell you this prompt pack.” But at least it decentralizes the request and won’t flag up the servers.

For client-side, from what I’ve read, they store the keys either locally, or they use a third-party solution that encrypts it, or they just have it for the session and don’t store it at all.


From Claude


Best Practices

  1. For user keys (Cursor model):
    • Store locally, encrypted
    • Never send to your servers
    • Make requests client-side
  2. For your own keys:
    • Use environment variables + secrets manager
    • Implement proper rate limiting
    • Monitor usage and costs
    • Have fallback keys ready
    • Consider usage-based pricing tiers
  3. Hybrid approach:
    • Offer both options: users can BYO key OR use your pooled keys
    • Charge users who use your keys to cover costs

The “Prompt Pack” Comparison

You’re spot on. The difference between:

  • $10 prompt pack: “Here are 50 prompts for coding”
  • $20/month Cursor: “Here’s an app that automatically uses those prompts with your code”

The second is just automated execution of the first with better UX.

Security model in practice

For a serious app:

  • Keys encrypted at rest (AES-256 via KMS)
  • Decrypted only in request scope
  • Never logged
  • Never sent to frontend again
  • Never reused for other users
  • Rotatable
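
One way to implement the server-side checklist above (encrypted at rest, decrypted only in request scope, never logged, never reused for other users, rotatable), as an added example that is not part of the original post or of Claude's answer. It uses Node's built-in crypto; the in-memory master-key map stands in for a KMS, "rotatable" is read here as rotating the master key, and the names sealKey, openKey, withUserKey, rotate and redact are hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// Assumption: in production these master keys live in a KMS; this map stands in for it.
const masterKeys = new Map([['v1', nodeCrypto.randomBytes(32)]]);
let currentVersion = 'v1';

// Encrypt one user's API key with AES-256-GCM. The user id is bound as AAD,
// so a record copied onto another user's row fails authentication on decrypt.
function sealKey(userId, apiKey) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every record
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', masterKeys.get(currentVersion), iv);
  cipher.setAAD(Buffer.from(userId, 'utf8'));
  const ct = Buffer.concat([cipher.update(apiKey, 'utf8'), cipher.final()]);
  return { v: currentVersion, iv: iv.toString('base64'),
           ct: ct.toString('base64'), tag: cipher.getAuthTag().toString('base64') };
}

// Decrypt a stored record; throws if the record was tampered with or belongs to another user.
function openKey(userId, rec) {
  const key = masterKeys.get(rec.v);
  if (!key) throw new Error('unknown master key version');
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(rec.iv, 'base64'));
  d.setAAD(Buffer.from(userId, 'utf8'));
  d.setAuthTag(Buffer.from(rec.tag, 'base64'));
  return Buffer.concat([d.update(Buffer.from(rec.ct, 'base64')), d.final()]).toString('utf8');
}

// Request scope: the plaintext exists only while fn (the upstream API call) runs.
function withUserKey(userId, rec, fn) {
  const apiKey = openKey(userId, rec);
  return fn(apiKey);
}

// Rotation: register a new master key version and re-wrap the stored record under it.
function rotate(userId, rec, newVersion) {
  const apiKey = openKey(userId, rec);
  if (!masterKeys.has(newVersion)) masterKeys.set(newVersion, nodeCrypto.randomBytes(32));
  currentVersion = newVersion;
  return sealKey(userId, apiKey);
}

// Log-safe form: only the last four characters ever reach a log line.
function redact(apiKey) {
  return '***' + apiKey.slice(-4);
}
```

Only the object returned by sealKey is written to the database; log lines and frontend responses use redact(apiKey), never the key itself.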