How to Register for the OpenAI API and Create a Secure API Key
Creating an OpenAI API key is easy. Creating an OpenAI API key that won't accidentally leak into GitHub, get scraped from your website, or rack up surprise charges? That's the real game. This guide walks you through signup, prepaid billing (credit "top-ups"), project-scoped keys, and the practical security rules you should follow before you ship anything to production.
Before You Start: What You'll Need
Have these ready so you don't get interrupted mid-setup:
- An OpenAI account — email access for verification.
- A phone number — phone verification is required on the API platform to generate your first API key (not necessarily for later keys).
- A payment method — most new API accounts are on prepaid billing, meaning you'll add credits upfront.
- A place to store secrets — environment variables, a password manager, or a secret manager (details below).
[Image: Screenshot of the OpenAI API platform signup/login screen and the "Settings" menu on the dashboard.]
Important: ChatGPT Billing vs API Billing (They're Separate)
A common "wait, what?" moment: subscribing to ChatGPT (Plus/Business/Enterprise) does not include API usage. API billing lives on the API platform and is charged separately.
Quick rule of thumb
ChatGPT plans cover usage in the ChatGPT app.
OpenAI API covers usage in your software, automations, backends, bots, and integrations.
Step-by-Step: Register on the OpenAI API Platform
1) Create your account and access the dashboard
- Go to the OpenAI API platform and sign up or log in.
- Verify your email if prompted (check spam/junk if you don't see it).
- Open the dashboard — this is where you'll manage projects, billing, usage, and API keys.
If you run into login/verification issues, OpenAI's Help Center has troubleshooting guidance for API platform login and verification flows.
2) Create (or select) an Organization and a Project
The OpenAI API platform supports Projects, which let you separate work by client, product, or environment (e.g., "Client-A", "Internal Tools", "Production", "Staging"). Projects also let you scope API keys and manage permissions at a more granular level.
- Use one project per client/product to keep usage and keys separated.
- Use separate projects for staging vs production to reduce blast radius if something leaks.
- Invite teammates properly instead of sharing a single key (sharing keys is not supported).
[Image: Screenshot of the Projects dropdown and a Project settings page (showing "API Keys" and "Limits").]
Billing: Add Credits (Top Up) and Control Spending
How prepaid billing works
Most new API accounts use prepaid billing: you purchase credits upfront and your API usage deducts from that balance. Prepaid billing has a minimum purchase amount, supports auto-recharge, and credits expire after a fixed period.
- Minimum credit purchase exists (OpenAI documents a $5 minimum for prepaid billing).
- Auto-recharge can top up your balance automatically when it falls below a threshold.
- Credits expire after 1 year and are non-refundable (per OpenAI's prepaid billing details).
How to add credits ("recharge" your balance)
- Open the Billing portal from your API platform settings/billing area.
- Click "Add to balance" to purchase additional prepaid credits.
- Confirm your purchase and verify the balance updates in your billing dashboard.
OpenAI explicitly references the "Add to balance" flow for purchasing additional credits.
Billing gotcha: delays can happen
OpenAI notes there can be a delay in cutting off access after credits are consumed. This can show up as a negative credit balance that gets deducted from your next credit purchase. Build your own safety rails (alerts + monitoring) and don't assume a perfect "hard stop."
Budgets and limits: what actually protects you?
You can set budget controls, but it's important to understand what's enforced vs what's alert-only:
| Control | Where | What it does |
|---|---|---|
| Organization monthly budget | Billing settings | OpenAI states requests may stop after the budget is reached, but there may be delays and you're responsible for overage. |
| Project monthly budget | Project "Limits" | Described as a soft threshold for budget alerts; requests continue to be processed (use it for monitoring and notifications). |
| Email notification thresholds | Billing / limits | Get alerted when you cross spending thresholds so you can react quickly. |
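Because the project budget is alert-only and the organization budget can lag behind actual usage, the only stop you fully control is one enforced in your own code. The following is an added example (not from this page and not OpenAI's SDK) of a client-side spend guard: every call reserves a worst-case amount before it is sent, so a runaway loop with several threads in flight still halts at the budget rather than some time after it. It assumes the `usage` object of a parsed Chat Completions response (`prompt_tokens`, `completion_tokens`); the model name and the prices in `PRICE_MICRO_PER_TOKEN` are placeholders to replace with values from OpenAI's pricing page.

```python
"""Client-side spend guard: a hard stop enforced in your own code.

Added example (not from the page or from OpenAI). Assumes the Chat Completions
"usage" object with prompt_tokens / completion_tokens and uses placeholder
prices; take real prices from OpenAI's pricing page.
"""
import threading

# Assumed placeholder prices in micro-dollars per token ($1.00 per 1M tokens = 1).
PRICE_MICRO_PER_TOKEN = {"gpt-example": {"input": 1, "output": 4}}


class BudgetExceeded(RuntimeError):
    """Raised before a request is sent when it could push spend over budget."""


class SpendGuard:
    """Tracks spend in integer micro-dollars so concurrent callers cannot overshoot."""

    def __init__(self, budget_usd: float, worst_case_usd: float):
        self.budget = int(round(budget_usd * 1_000_000))
        self.worst_case = int(round(worst_case_usd * 1_000_000))  # reserved per in-flight call
        self.spent = 0
        self.reserved = 0
        self._lock = threading.Lock()

    @staticmethod
    def cost_micro(model: str, usage: dict) -> int:
        """Cost of one response in micro-dollars from the usage counts it reports."""
        price = PRICE_MICRO_PER_TOKEN[model]
        return usage["prompt_tokens"] * price["input"] + usage["completion_tokens"] * price["output"]

    def call(self, model: str, send):
        """send() performs the API request and returns the parsed JSON response dict."""
        with self._lock:
            if self.spent + self.reserved + self.worst_case > self.budget:
                raise BudgetExceeded(f"spent {self.spent_usd():.4f} USD of {self.budget / 1e6:.4f}")
            self.reserved += self.worst_case
        actual = 0  # a request that raises is counted as unbilled; use worst_case if you prefer
        try:
            response = send()
            actual = self.cost_micro(model, response["usage"])
            return response
        finally:
            with self._lock:
                self.reserved -= self.worst_case
                self.spent += actual

    def spent_usd(self) -> float:
        return self.spent / 1_000_000


def demo() -> tuple:
    """Constructed scenario: a loop keeps calling until the guard stops it."""
    guard = SpendGuard(budget_usd=0.01, worst_case_usd=0.005)
    fake_response = {"usage": {"prompt_tokens": 1000, "completion_tokens": 500}}  # constructed
    calls = 0
    try:
        while True:
            guard.call("gpt-example", lambda: dict(fake_response))
            calls += 1
    except BudgetExceeded:
        pass
    return calls, guard.spent_usd()


if __name__ == "__main__":
    print(demo())  # (2, 0.006): third call refused before it is sent
```

The guard only sees calls routed through it, so it complements rather than replaces the platform-side budgets: keep the organization budget and the email thresholds on as well.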
Create Your API Key (Project-Scoped) the Right Way
3) Generate a key inside your Project
OpenAI recommends creating an API key in the dashboard, then storing it securely and exporting it as an environment variable for your dev environment.
- Open Organization settings in the API platform.
- Select your Project (e.g., "Client-A / Production").
- Go to "API Keys" and click "+ Create new secret key".
- Complete phone verification if this is your first key on the API platform.
- Copy the key immediately and store it in your secret storage workflow (next section). The full value is shown only once, at creation; if you lose it, create a new key and revoke the old one.
Choose permissions (don't default to "everything" unless you must)
OpenAI Projects support multiple permission levels for keys, including restricted configurations. That means you can intentionally limit what a key can do.
- All — full permissions (default).
- Restricted — set permissions per endpoint (None/Read/Write).
- Read Only — read access across endpoints.
Practical recommendation
For production apps, start with the minimum permissions you need, then expand only if something breaks for a legitimate reason. Less power means less damage if a key is compromised.
Service accounts (useful for CI/CD and server-side automation)
If you run deployments, scheduled jobs, or server automations, consider a service account inside the project so the key isn't tied to a single human's laptop or personal access. OpenAI documents service accounts and notes their permissions can be adjusted in project settings.
How to Store the API Key Safely (And Where NOT to Put It)
The non-negotiables
- Never deploy your key in client-side environments (browser JS, mobile apps). Route requests through your backend.
- Never commit your key to a repository (public or private). Use environment variables instead.
- Use unique keys per person — don't share a single key across a team.
Storage options compared
| Where to store the key | Good for | Risk level |
|---|---|---|
| Environment variables | Local dev, servers, containers | Low (when handled correctly) |
| .env file (NOT committed) | Local development convenience | Medium (safe only if ignored by Git) |
| Secret managers (Vault, cloud secrets) | Production, teams, audit trails | Lowest (recommended for serious apps) |
| Frontend JS, public HTML, mobile apps | Nothing (don't do it) | Critical |
Set your key as an environment variable (example)
OpenAI's quickstart documentation shows exporting OPENAI_API_KEY so SDKs can read it automatically.
```
# macOS / Linux
export OPENAI_API_KEY="your_api_key_here"
# Windows (PowerShell)
setx OPENAI_API_KEY "your_api_key_here"
```
Note the difference between the two: `export` applies to the current shell session only, while `setx` persists the variable for future sessions and does not change the window you typed it in. Both leave the key readable by any other process running as your user, which is acceptable for a developer machine but is why the table above puts a secret manager first for production.
Where you can publish the key (spoiler: nowhere)
You can publish your backend endpoint, not your OpenAI API key. If your app runs in the browser, the browser must call your server (or serverless function), and your server calls OpenAI with the secret key.
- OK to publish: your API URL, public client code, your app UI
- Never publish: OpenAI API keys, even "temporarily"
[Image: Simple diagram showing "Browser → Your Backend → OpenAI API" with the key stored only on the backend.]
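The relay in that diagram, as an added example (not code from this page or from OpenAI): a small backend that accepts a browser request, validates it, and composes the upstream call itself with the key read from `OPENAI_API_KEY`. It targets the real Chat Completions endpoint, but the model allowlist, the prompt size cap, the port and the `gpt-example` model name are assumptions to adjust; in production it belongs behind your own user authentication and rate limiting.

```python
"""Backend relay for browser clients: the browser posts to this server, the
server calls OpenAI with the key that only it holds.

Added example, not code from the page or from OpenAI. The allowlist, the size
cap, the port and the model name are assumptions.
"""
import http.server
import json
import os
import urllib.request

OPENAI_URL = "https://api.openai.com/v1/chat/completions"
ALLOWED_MODELS = {"gpt-example"}   # assumed allowlist: clients cannot pick arbitrary models
MAX_PROMPT_CHARS = 2000            # assumed cap: bounds the cost of one request


class ClientError(ValueError):
    """Request rejected before anything is sent upstream (HTTP 400)."""


def load_key() -> str:
    """Fail closed: refuse to serve without a key rather than send unauthenticated calls."""
    key = os.environ.get("OPENAI_API_KEY")
    if not key:
        raise RuntimeError("OPENAI_API_KEY is not set")
    return key


def default_upstream(headers: dict, body: dict) -> dict:
    """Real network call; tests replace this with a fake."""
    req = urllib.request.Request(OPENAI_URL, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def chat(client_body, upstream=default_upstream, key=None) -> dict:
    """Validate client input, build the upstream request server-side, return a minimal reply."""
    try:
        model, prompt = client_body["model"], client_body["prompt"]
    except (KeyError, TypeError):
        raise ClientError("model and prompt are required") from None
    if model not in ALLOWED_MODELS:
        raise ClientError("model not allowed")
    if not isinstance(prompt, str) or not 0 < len(prompt) <= MAX_PROMPT_CHARS:
        raise ClientError("prompt missing or too long")
    # The client never supplies headers or the raw upstream body; the server composes both.
    headers = {"Authorization": f"Bearer {key if key is not None else load_key()}",
               "Content-Type": "application/json"}
    body = {"model": model, "messages": [{"role": "user", "content": prompt}]}
    response = upstream(headers, body)
    # Return only the fields the browser needs; never echo request headers or raw upstream JSON.
    return {"reply": response["choices"][0]["message"]["content"],
            "usage": response.get("usage", {})}


def handle_request(client_body, upstream=default_upstream, key=None):
    """Map a client request to (http_status, json_payload) without leaking internals."""
    try:
        return 200, chat(client_body, upstream, key)
    except ClientError as exc:
        return 400, {"error": str(exc)}
    except Exception:
        # Upstream error bodies can quote the request; give the client a generic message.
        return 502, {"error": "upstream failure"}


class ProxyHandler(http.server.BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        if length > 64 * 1024:
            self.send_error(413)
            return
        try:
            client_body = json.loads(self.rfile.read(length))
        except ValueError:
            client_body = None       # handle_request turns this into a 400
        status, payload = handle_request(client_body)
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    load_key()  # fail at startup, not on the first request
    http.server.HTTPServer(("127.0.0.1", 8080), ProxyHandler).serve_forever()
```

The browser calls `POST /` on this server with `{"model": ..., "prompt": ...}`; the only secret-bearing header is built in `chat()` and never appears in anything returned to the client.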
Cost and Safety Guardrails You Should Enable on Day One
Use monitoring + alerts (don't rely on hope)
- Set an organization-level monthly budget as a primary safety net (noting delays may apply).
- Set project budgets for alerting (useful per client/project visibility).
- Configure email notification thresholds so you find out quickly when spend ramps up.
- Consider prepaid + auto-recharge carefully: auto-recharge is convenient, but it can also keep a bug-funded fire burning longer if you don't have alerts.
Rotate keys and separate environments
Use separate keys for development, staging, and production. If one environment leaks, you can revoke that key without taking everything down. Projects and project-scoped keys make this separation much cleaner.
If Your API Key Leaks: What to Do Immediately
- Revoke the key in the API platform (Project → API Keys). Do this first: it is the only step that actually stops abuse, and a key that was public even briefly should be treated as compromised.
- Create a new key with minimal permissions and update every place that used the old one.
- Search your repos, build logs, and deployment logs for the leaked value (and purge it from Git history if needed; purging does not undo the leak, so still revoke).
- Review usage and billing for unexpected spikes and set tighter alerts/budgets.
Final Thoughts
The OpenAI API is a powerful building block for automations, assistants, and internal tools—especially when you structure your work into projects, fund usage predictably with prepaid billing, and treat API keys like nuclear launch codes (polite, boring, and extremely secure). If you build with these guardrails from day one, you'll move faster later—without the "why did my bill explode?" subplot.
Copy/paste checklist (the essentials)
- Create a dedicated Project per client/product.
- Enable prepaid credits (and understand expiry + auto-recharge).
- Create a project-scoped key with minimal permissions.
- Store the key in environment variables or a secret manager—never in frontend code or Git.
- Set budgets + alerts and monitor usage regularly.
Official Sources
OpenAI documentation links referenced in this guide:
- Developer quickstart (creating/exporting an API key).
- What is prepaid billing? (minimums, auto-recharge, expiry).
- How to add credits ("Add to balance") + delayed billing note.
- Best practices for API key safety.
- Projects: API keys, permissions, budgets.
- API pricing + budget guidance.
- Phone verification requirement for first API key.
- Billing settings: ChatGPT vs API platform.