How to Get an OpenAI API Key (Safely)
Create an OpenAI API key in 5 steps — project-scoped, restricted, with a usage limit. Ringtail mints the scoped key from OpenAI's official API, value-free.

Rocco grabbed the OpenAI key, tied it to one project, capped the spend, and left the billing page nervous.

🦝 Rocco: a key with no spending cap is a key that can ruin your month. cap it.
To get an OpenAI API key, sign in at platform.openai.com, open API keys under your project, click Create new secret key, assign it to a project, set Restricted permissions to only the endpoints you use, name it, and copy the sk-… value once — OpenAI shows it a single time. Then set a usage limit on the project's billing. Below is the full flow, the safety choices that matter, and how Ringtail mints the scoped key from OpenAI's official API without exposing it to your coding agent.
Where do you create an OpenAI API key?
You create it at platform.openai.com under API keys, within a project. OpenAI organizes keys by project so you can isolate an app's usage, permissions, and spend from everything else in your account. Pick or create the right project first — the key inherits that project's limits and rate caps.
Every key is listed with its name, project, permissions, and last-used date. Name each key for where it runs (acme-app-prod) so a leaked key traces back to one deployment you can revoke without touching the others.
What are the steps to create the key?
Five steps:
- Sign in at platform.openai.com and select or create the project the key belongs to.
- Open API keys and click Create new secret key.
- Give it a descriptive name and confirm the Project assignment.
- Set Permissions to Restricted and enable only the endpoints your app calls (for example,
Model capabilitiesfor chat/completions). Avoid All unless you truly need every endpoint. - Click Create secret key, then copy the
sk-…value immediately — OpenAI displays it once and never again.
Store it as OPENAI_API_KEY in .env.local, never committed. If a key ever lands in a git commit, treat it as compromised and rotate — stop committing secrets to git covers scrubbing history.
How do you scope an OpenAI key safely?
Three levers make an OpenAI key safe: project isolation, restricted permissions, and a usage limit.
- Project-scoped: a key tied to one project can only spend that project's budget and hit its models. A leak is contained to one project.
- Restricted permissions: choose Restricted and enable only the endpoint categories you use. A key that can only call model endpoints can't manage your account or fine-tunes.
- Usage limit: set a monthly hard cap under the project's Limits. This is the one that saves you from a leaked key running up a bill — a spending cap turns a leak from a catastrophe into a line item.
That combination is least-privilege API key provisioning applied to a spend-metered API: narrow endpoints, narrow project, and a ceiling on the damage.

🦝 Rocco: restricted permissions, one project, a spending cap. three walls between a leak and your credit card.
How do you use and rotate the key?
Read it from the environment — never inline the sk-… string:
export OPENAI_API_KEY="sk-..."
import OpenAI from "openai";
const client = new OpenAI(); // reads process.env.OPENAI_API_KEY
const res = await client.chat.completions.create({
model: "gpt-4o-mini",
messages: [{ role: "user", content: "ping" }],
});
When you rotate, create the new key first, deploy it, then revoke the old one — never revoke before the replacement is live, or you'll 401 production. That make-before-break order is the whole idea behind rotating API keys without breaking production.
How does Ringtail create the key for you?
Once you've connected your OpenAI account to Ringtail one time, Ringtail mints the scoped key for you by driving OpenAI's official API — assigning it to the right project with restricted permissions — so you never hand-copy an sk-… string again. Ringtail reads OPENAI_API_KEY from your .env.example, calls OpenAI's official API to create a project-scoped key, validates it with a cheap test call, and writes the value into .env.local and your Infisical.
It's value-free: the sk-… value is returned by OpenAI's API straight into your local files. Your coding agent decides which project and permissions to request, but never sees the secret string. Install it once:
curl -fsSL ringtail.sh | sh
ringtail up
Ringtail uses official provider APIs only — never a browser bot with your OpenAI login. For provisioning every key in a project this way, see how to stop juggling 15 API keys on every new project.
FAQ
Where do I get my OpenAI API key?
Sign in at platform.openai.com, select the project the key belongs to, open API keys, and click Create new secret key. OpenAI shows the full sk-… value only once, at creation — after that the list shows the name, project, and last-used date but never the secret again. If you lose the value, revoke that key and create a new one.
How do I make an OpenAI key that can't run up a huge bill?
Assign the key to a single project, set its Permissions to Restricted with only the endpoints you use, and set a monthly usage limit under the project's Limits. The usage limit is the key safeguard: even if the key leaks, spend is capped at your ceiling instead of running unbounded. Project isolation and restricted permissions further shrink what a leaked key can reach.
What are restricted permissions on an OpenAI key?
Restricted permissions let you enable only specific endpoint categories on a key — for example, model capabilities for chat and completions — instead of granting access to your whole account. A restricted key that can only call model endpoints can't manage billing, fine-tunes, or other account resources, so a leak has a small blast radius. Choose Restricted over All unless your app genuinely needs every endpoint.
Can Ringtail create an OpenAI key without me copying it by hand?
Yes. After you connect your OpenAI account to Ringtail once, Ringtail calls OpenAI's official API to create a project-scoped, restricted key for each project, validates it, and writes it to .env.local and Infisical — value-free, so the key never reaches your coding agent. It uses the official API only, never browser automation.
