> ## Documentation Index
> Fetch the complete documentation index at: https://authsome.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# OpenAI

> Store and use your OpenAI API key with authsome. Local encrypted vault, proxy injection, no key in the agent's environment.

OpenAI uses a long-lived API key for every endpoint (`api.openai.com`). Authsome stores the key encrypted in the local vault, injects it at request time through the proxy, and keeps it out of shell history, process listings, and environment dumps.

## At a glance

|                    |                                                                      |
| ------------------ | -------------------------------------------------------------------- |
| Provider name      | `openai`                                                             |
| Display name       | OpenAI                                                               |
| Auth type          | API key                                                              |
| Flow               | `api_key`                                                            |
| Header             | `Authorization: Bearer <key>`                                        |
| Key pattern        | `^sk-[A-Za-z0-9_-]{20,}$`                                            |
| Proxy host         | `api.openai.com`                                                     |
| Env var            | `OPENAI_API_KEY`                                                     |
| Where to get a key | [platform.openai.com/api-keys](https://platform.openai.com/api-keys) |

## Get a key

Create a key in the OpenAI dashboard at [platform.openai.com/api-keys](https://platform.openai.com/api-keys). Keys start with `sk-` followed by at least 20 letters, digits, underscores, or hyphens.

Authsome validates the format on input and rejects pastes that obviously aren't keys:

```text theme={null}
Error: This does not look like a valid OpenAI API key.
Hint: OpenAI API keys start with 'sk-' followed by at least 20 letters, digits, '_' or '-'.
```

## Log in

```bash theme={null}
authsome login openai
```

A local browser form opens at `http://127.0.0.1:7998`. Paste the key into the masked input and submit. The terminal prints `Successfully logged in to openai (default).`

On a headless machine without a graphical session, authsome falls back to masked terminal input via `getpass`. The browser bridge is skipped automatically when no display is available.

Verify:

```bash theme={null}
authsome get openai --field status
# → connected
```

## Use the key

Run the agent under the proxy (recommended).

<CodeGroup>
  ```bash Proxy (recommended) theme={null}
  authsome run -- python my_agent.py
  ```

  ```bash Environment theme={null}
  eval "$(authsome export openai --format env)"
  echo $OPENAI_API_KEY     # sk-...
  ```
</CodeGroup>

Under the proxy, authsome sets `OPENAI_API_KEY=authsome-proxy-managed` in the child's environment and injects the real key into outbound requests to `api.openai.com`. The child process never sees the actual value. With the OpenAI Python SDK, no code change is required: it reads the env var, makes the request, and the proxy substitutes the header on the way out.

## Multiple keys

A personal key and a team key on the same machine:

```bash theme={null}
authsome login openai --connection personal
authsome login openai --connection team
```

Read either side:

```bash theme={null}
authsome get openai --connection team --field api_key --show-secret
authsome export openai --connection personal --format env
```

Pass `--connection <name>` on `login` and on every read command to keep two or more accounts on the same provider side by side. See [Multiple connections per provider](/guides/multiple-connections) for the full pattern.

## Rotate the key

To replace the stored key with a new one:

```bash theme={null}
authsome login openai --force
```

`--force` overwrites the existing connection without removing it first. Pass `--connection <name>` to target a non-default connection.

To invalidate the old key at OpenAI as well, delete it in the OpenAI dashboard before running `--force`.

## Remove the key

```bash theme={null}
authsome logout openai             # remove local credential
authsome remove openai             # remove local provider state entirely
```

API-key providers have no revocation endpoint, so `revoke` and `remove` are equivalent for OpenAI.

## Override the bundled definition

To change the header shape, the proxy host, or the validation regex, drop a custom JSON at `~/.authsome/providers/openai.json`:

```bash theme={null}
authsome inspect openai > ~/.authsome/providers/openai.json
# edit the file
authsome list   # openai now shows source=custom
```

User-registered files always win over bundled definitions.

## Troubleshooting

| Symptom                                            | Likely cause                                                 | Fix                                                                                                        |
| -------------------------------------------------- | ------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------- |
| `Incorrect API key provided` from OpenAI           | Key was revoked at OpenAI                                    | Generate a fresh key and run `authsome login openai --force`.                                              |
| Key pattern rejected at login                      | Pasted something other than a key, or pasted with whitespace | Re-copy the key from the OpenAI dashboard. Authsome trims trailing whitespace but not embedded whitespace. |
| SDK sees `authsome-proxy-managed` and fails        | Running outside `authsome run`                               | Use `authsome run` or fall back to `eval "$(authsome export openai --format env)"`.                        |
| TLS error against `api.openai.com` under the proxy | mitmproxy CA not trusted                                     | See [Proxy networking](/troubleshooting/proxy-networking).                                                 |

For deeper diagnostics, see [Token refresh](/troubleshooting/token-refresh) (API keys don't have refresh, but the page covers when a stored secret is rejected at runtime).

## What's next

<Columns cols={2}>
  <Card title="Run agents with the proxy" icon="shield-halved" href="/guides/run-agents-with-proxy">
    Keep the key out of the agent's environment entirely.
  </Card>

  <Card title="Multiple connections per provider" icon="users" href="/guides/multiple-connections">
    Keep two or more keys on the same provider side by side.
  </Card>

  <Card title="API-key providers" icon="key" href="/integrations/api-key/index">
    All bundled API-key providers.
  </Card>
</Columns>
